Navigating Regulatory Enforcement: Tech Companies in the Government's Watchful Eye

If you work at a "regular" tech company and you're warning your clients of fines that are "up to 4% of annual revenue" for GDPR violations, you're misleading them.

Two friends are in the woods, having a picnic.  They spot a bear running at them.  One friend gets up and starts running away from the bear.  The other friend opens his backpack, takes out his running shoes, changes out of his hiking boots, and starts stretching.

“Are you crazy?” the first friend shouts, looking over his shoulder as the bear closes in on his friend.  “You can’t outrun a bear!”

“I don’t have to outrun the bear,” said the second friend.  “I only have to outrun you.”
– Old joke

"Show me the incentives, and I'll show you the outcomes."
– Charlie Munger

Your CEO or VP of Product will, with 100% certainty, tell you that your job is to "see around corners." They'll say this, often, in response to some new regulation, like the GDPR, or at your job interview. In any case, what they mean is that they don't want to be surprised.

Fair enough. But I want to tell you that seeing around corners is almost never your job. Instead, your job is to see what's coming on the horizon, from 1,000 miles away, while you're traveling at 2 miles per hour.

This is generally true because, while it may look random, regulatory attention is predictable. As such, we can see it coming from a mile away.

Here's the tl;dr:

  • Regulatory resources are limited.
  • Regulators focus those limited resources on technologies that disrupt entrenched interest groups and ones that receive a lot of publicity.
  • As such, huge and controversial tech companies should expect regulatory attention; all the others shouldn't.
  • Lawyer accordingly.

Regulators' Primary Motivation: Do the Bidding of Large Interest Groups.

Understanding regulatory risk requires understanding regulators' motivations. My thesis: Governments are primarily influenced by powerful interest groups that are harmed by disruptive technology.

A brief survey of enforcement history: Facebook and Google faced regulatory enforcement after disrupting traditional media; Uber, after devaluing the taxi industry; Amazon for disrupting traditional retail; and Twitter, Facebook, TikTok, YouTube, and Snapchat, after enabling social upheaval against political power and giving kids access to harmful content.

Not coincidentally, here are the top 10 GDPR fines as of the time of this post (July 2023, source):

  • Amazon - €746M
  • Meta - €405M
  • Meta - €390M
  • Meta - €265M
  • WhatsApp - €225M
  • Google - €90M
  • Facebook - €60M
  • Google - €60M
  • Google - €50M
  • H&M - €35M

Compare that list with all the other large, successful tech companies you can think of: Microsoft, Spotify, Shopify, Salesforce, Dropbox, Adobe, etc.

Government's Secondary Motivation: Punish Some Outliers.

Don't feel too bad for normie tech companies: they can still get some regulatory attention. They just have to try harder to get it.

Here are the next ten fines in the GDPR largest-fine database (Clearview accounts for three of them):

  • TIM (telecommunications operator) - €27.8M
  • British Airways - €22M
  • Marriott International - €20.5M
  • Clearview AI - €20M, €20M, €20M (from 3 different EU regulators)
  • Meta - €17M
  • Wind Tre - €16.7M
  • TikTok - €14.5M
  • Vodafone - €12.2M

First, note how small those fines are relative to the top 10: added together, they come to less than 10% of what the top 10 fines total.

There are a bunch of "regular" tech companies here, but they got here through special circumstances, not just by operating their businesses. British Airways, for example, suffered a 2018 security breach in which card-skimming code injected into its website's payment page leaked 77,000 people's credit card information, and the regulator found the breach was the result of "negligent" security practices. Clearview got really bad press about a business model (scraping faces from the web for facial recognition) that looks custom-made to breach the GDPR (Clearview also hasn't appeared in the EU to defend itself or paid those fines, as far as I know, because it has maintained it isn't subject to those laws).

So it's not like it's impossible to incur the wrath of EU regulators if you're a normcore tech company. It's just not easy.

Different Lawyering Required

The different regulatory environments faced by "regular" tech companies and those under close scrutiny have significant implications for in-house legal teams.

For lawyers at "regular" tech companies, lawyering is largely a matter of ticking the right boxes. Sure, it's laborious and complex and meticulous, but it's also deterministic.

For lawyers at scrutinized firms, however, it's the opposite. Their work is more like a high-stakes legal battle against a motivated, unpredictable opponent. That has implications for how you spend your time (more of it goes to litigation-like work, such as responding to regulatory inquiries) and for how well you can predict what will happen.

Like, if you're Facebook, whether the CNIL is happy with your GDPR stance depends in part on whether the head of the CNIL likes Facebook and how they view its social benefits. If you're Evernote, the CNIL just cares whether your cookie banner has a sufficiently prominent opt-out button. If it doesn't, they'll send you a letter.

Practice Tips:

If you work at a company that disrupts powerful interest groups:

  • Become an expert on the specific issues you're confronting.
  • Educate your product and executive teams on the challenges they face.

If you work at a "regular" tech company:

  • Don't overreact to enforcement actions against disruptive firms.
  • Beware of getting famous.
  • Don't get complacent about ticking the boxes.
  • If you're warning your teams about fines that are "up to 4% of annual revenue" for GDPR violations, you're misleading them.

If you're unsure which category your company falls into, you work at a "regular" tech company. You'd know if you worked at the other one.