GDPR = Get the Dollars Properly Returned
Olivier Guillotin
Attorney-at-law, with experience as a legal and compliance advisor for healthcare actors in multiple European countries.
GDPR (the European Union's General Data Protection Regulation) has been in effect since May 25, 2018. All professionals involved at any scale in its implementation know companies that made huge efforts to be compliant on time, intending to prevent the risk, and other companies that have taken a more relaxed approach to the question, intending to manage the same risk when it appears, if it appears. One of the main points dividing those who prefer to prevent the risk from those who consider it should be managed when required is the prospective amount of the penalties.
According to some observers, the amount of the fines may not be that heavy, and the maximal amount (4% of the global annual turnover of the infringing company) should not be applied so frequently to companies infringing these new rules.
There is one criterion these observers may not sufficiently take into account, particularly at a time when the United States is igniting trade wars all over the world.
For the last ten years, the US administration has heavily intensified its use of the tools created by laws enacted during the late 20th century. From an EU viewpoint, it could be said that each and every opportunity identified to charge foreign companies, and particularly EU companies, has been used by both the Department of Justice (through FCPA, the 1977 Foreign Corruption of Public Agent Act) and the Department of Foreign Trade (through the Office of Foreign Assets Control – OFAC – its branch in charge of implementing laws like the 1996 Kennedy-D’Amato Act, which prevents the use of US dollars or other US assets in “rogue” states).
As a result of these increased investigations conducted by the US administration, under US law, against competitors of US companies, EU companies have been constrained to pay, since 2010, multiple penalties reaching a cumulated amount of at least 32 billion (32,000,000,000) USD. Leaving aside the question of these companies’ liability, particularly since in many cases they agreed on settlements with the US administration, a closer look at some of these condemnations is quite interesting:
- Condemnations under FCPA show that the US Department of Justice charges foreign companies more frequently than US ones. Among the 20 highest sanctions imposed under FCPA since 2010 appear the names of 11 EU companies, versus 3 US companies; in the top 10, you find 7 EU companies, versus 2 US companies; and the top 3 are all EU companies.
- Sanctions by OFAC are even more illustrative of the differentiated treatment the US administration applies to US companies and EU companies. Since 2010, OFAC has sanctioned only two US financial institutions with penalties higher than 10 million USD (respectively 16 and 83 million USD); in the same period, 11 EU financial institutions were sanctioned with fines exceeding 100 million USD, the highest being BNP-Paribas, in 2016, with an 8,834,000,000 USD penalty. The average sanction for a US bank amounts to 49.5 million USD, while the average sanction for an EU bank is slightly higher than 2 billion USD (40 times higher).
At a time when trade wars strike back, the fact that the US administration has obtained, for the last eight years, that up to 4% of the annual EU trade surplus with the USA is sent back to the USA cannot have gone unnoticed by the EU Commission and the member states.
This is why it would not be surprising if the sanctions inflicted on US companies violating GDPR were quite systematically heavy, so as to compensate for the disadvantage the US administration inflicts on EU companies in the USA.
Basically, approximately 32 billion dollars have to go back home; a 4% penalty applied to the global turnover of a US company like Apple coincides with the amount BNP-Paribas paid in 2016; and no minister of finance will discard the possibility of having to tell taxpayers that he found extra billions anywhere other than in their pockets…
This is why considering that the GDPR risk should be managed the day it appears, if it appears, and that the upgrade cost should be weighed against the amount of the penalty, are probably poor anticipations. The richer the US company (or at least the higher its turnover), the poorer the anticipations.
Executive COACH — Mathematician, Ph.D. Philosophy, INSEAD — +3000 h. ONLINE Coaching, 5 continents, 40+ countries — founder CO-CREATiVE Communication & CADRAN — More humanity in organisations
3 years ago: Thank you for this post!