top of page

Privacy Enforcement in Action: EU Regulators and US Attorneys General Take on Big Tech

By: Benjamin Wade

In the twenty first century, it is impossible to avoid using internet capable devices and programs in our everyday lives. As a result, significant amounts of personal data have become more accessible than ever before, putting the privacy of countless people at risk. To protect user privacy, companies providing services must limit the accessibility of personal data and comply with existing data privacy and protection laws. If they fail to do so, regulators and law enforcement agencies must ensure proper compliance.

In the European Union (EU) and throughout the United States, vastly different regulatory regimes for combatting privacy violations exist. However, this has not inhibited European and American regulators from bringing enforcement actions to curb privacy violations of big tech companies.[1]

With the EU’s adoption of the General Data Protection Regulation (GDPR) in 2016, companies going forward had to be “clear and up front about how they use customer data” of European citizens.[2] The GDPR also gave European privacy regulators the power to “levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of [dollars].”[3] Accordingly, European privacy regulators did not hold back, issuing “$1.25 billion in fines over breaches of the [GDPR by the end of] 2021.”[4]

For example, in 2018, the Luxembourg National Commission for Data Protection (CNPD) received a privacy complaint against Amazon from La Quadrature du Net, a “French privacy rights group.”[5] After conducting an investigation, the CNPD fined Amazon $887 million in 2021, as their “processing of personal data [with regard to advertising] did not comply with the [GDPR].”[6] While Amazon claimed there was “no data breach, and no customer data ha[d] been exposed to any third party,” the CNPD ordered Amazon “to revise certain undisclosed business practices.”[7]

Additionally, in 2021, Ireland’s Data Protection Commission (DPC) fined WhatsApp $267 million for not “tell[ing] Europeans how their personal information is collected and used, as well as how WhatsApp shares data with Facebook.[8] The DPC subsequently ordered WhatsApp to “tweak its privacy policies and how it communicates with users so that it complies with [the GDPR].[9] This will likely force WhatsApp to “expand its privacy policy, which some users and companies have already criticized for being too long and complex.”[10]

While the GDPR produced a standardized regime to combat privacy violations in all EU countries, such a regime is nonexistent in the United States.[11] To date, no American federal law sets forth data privacy and protection rules equivalent to those under the GDPR.[12] Additionally, only five American states have “comprehensive data privacy laws on the books,” including California, Colorado, Connecticut, Utah, and Virginia.[13] However, this did not stop “a coalition of forty [state] attorneys general” from taking action to protect the privacy of their states’ citizens.[14]

In 2018, the Associated Press reported that Google “record[ed] users’ movements ‘even when [people] explicitly t[old them] not to.”[15] This subsequently triggered “an investigation into Google’s location tracking practices” by multiple states.[16] According to Connecticut Attorney General William Tong, the investigation revealed that Google “continued to collect [personal location] information” of users without their consent.[17] To end this practice, a coalition comprised of “[t]he attorneys general of Oregon, New York, Florida, Illinois and three dozen other states” sued Google.[18] This enforcement action alleged that Google “violated state consumer protection laws by misleading people about the scope and operation of its location tracking practices since at least 2014.”[19] In the end, this coalition “reached a historic $391.5 million settlement with Google to resolve [these] allegations.”[20] Google also “agreed to a series of provisions designed to ‘give consumers more transparency into Google's location data collection practices.’”[21]

Despite having different regulatory regimes for combatting privacy violations, EU regulators and American attorneys general don’t hesitate to act when their citizens’ privacy is at risk. With the increasing sophistication of privacy comprising technologies, these enforcement agencies must continue to keep a watchful eye on big tech.

Benjamin Wade is a Staff Editor at CICLR.

[1] Ryan Browne, Fines for Breaches of EU Privacy Law Spike Sevenfold to $1.2 Billion, as Big Tech Bears the Brunt, CNBC (Jan. 17, 2022), []; Allison Grande, Google Makes Record $391.5M Privacy Deal with State AGs, LAW360 (Nov. 14, 2022), [] [2] 2016 O.J. (L 119) (hereinafter GDPR); Sam Shead, WhatsApp is Fined $267 Million for Breaching EU Privacy Rules, CNBC (Sept. 2, 2021), []. [3] What is GDPR, the EU’s New Data Protection Law? GDPR.EU, []. [4] Browne, supra note 1. [5] Sam Shead, Amazon Hit with $887 Million Fine by European Privacy Watchdog, CNBC (July 30, 2021), []. [6] Id. [7] Id. [8] Shead, supra note 2. [9] Id. [10] Id. [11] A Comprehensive Guide to the US State Privacy Laws, DataGrail (Oct. 11, 2022),,California []. [12] Id. [13] Id. [14] Attorney General James and Multistate Coalition Secure $391.5 Million from Google for Misleading Millions of Users about Location Data Tracking, N.Y.S Off. Att’y. Gen. (Nov. 14, 2022), []. [15] Grande, supra note 1; Ryan Nakashima, AP Exclusive: Google Tracks Your Movements, Like it or Not, The Associated Press (Aug. 13, 2018), []. [16] Grande, supra note 1. [17] Id. [18] Id. [19] Id. [20] Id. [21] Id.


bottom of page