Europe’s GDPR Fines Against US Firms Are Unfair and Disproportionate

April 17, 2025

One of the key principles of President Trump’s “America First” trade policy is to inject reciprocity into trade practices with partner nations. In other words, the United States should treat other countries the way they treat the United States. However, this policy requires looking beyond top-line tariff rates, as many countries use non-tariff barriers to penalize U.S. companies—especially in the digital economy.

The Trump administration has recognized this problem and issued an executive order in February on “Defending American Companies and Innovators From Overseas Extortion and Unfair Fines and Penalties.” The memo rightly notes that “foreign governments have increasingly exerted extraterritorial authority over American companies, particularly in the technology sector, hindering these companies’ success and appropriating revenues that should contribute to our Nation’s well-being, not theirs.” It goes on to denounce “regulations governing digital services that are more burdensome and restrictive on United States companies than their own domestic companies.”

The European Union has been one of the biggest offenders with a host of digital regulations, such as the Digital Markets Act and the Digital Services Act, which have carefully crafted rules for “gatekeepers” and “very large online platforms” that, to the surprise of nobody, mostly target American companies, not European ones. Indeed, President Trump’s top trade advisor, Peter Navarro, recently called out “the use of ‘lawfare’ in places like the EU to target America’s largest tech firms.”

But perhaps the most egregious example of the EU’s disproportionate obsession with American tech companies is in the fines it has levied against U.S. companies under the General Data Protection Regulation (GDPR). As of March 2025, EU national data protection authorities had issued €5.65 billion in fines since the law went into effect in May 2018. Out of this total, U.S. companies have been subject to 83 percent of the fines—a total of €4.68 billion. No other country even comes close.

Figure 1: Annual GDPR fines for U.S. companies 2018–2024 (€billions)

The magnitude of the total fines against U.S. companies is extraordinary. To put the amount in perspective, it is roughly the same as the GDP of Fiji. It could cover the cost of sending five rovers to explore Mars. It would be enough to build two new football stadiums in Washington, DC. It could even pay for every household in America to buy six dozen eggs.

These fines have not been a one-time event, as shown in Figure 1. Between 2021 and 2024, U.S. companies have paid an average of €1.15 billion annually in GDPR fines. In 2023, U.S. companies paid €1.61 billion in GDPR fines. This amount is more than 10 EU member states contributed to the EU’s annual budget that year. It would be enough to cover the salary of more than 6,000 American workers earning $200,000 per year.

No other country even comes close to the amount that U.S. companies have paid, as shown in Figure 2. The country with the next highest level of fines is China, with a total of €360 million (6 percent of total GDPR fines), reflecting an enforcement action against TikTok. (TikTok is expected to receive another GDPR fine of €500 million this year.)

Figure 2: Cumulative GDPR fines for China, the EU, United Kingdom, and the United States, 2018–2024 (€billions)

All EU member states together account for €529 million in GDPR fines, or 9 percent of the total. As shown in Figure 3, Italy makes up the bulk of these fines, €212 million (40 percent of the EU total). Spain comes in second at €72 million (13 percent of the EU total), and France and Sweden tie at third with approximately €55 million each (10 percent of the EU total).

Figure 3: GDPR fines paid by firms in EU/EEA countries, 2018–2024

European policymakers often deny the charge that they are unfairly penalizing U.S. firms. For example, Henna Virkkunen, the European Commission vice-president responsible for tech sovereignty (whose job title should provide a clue as to their ultimate goal), recently defended the EU against accusations that its rules target American companies, stating in an interview, “We are not specially targeting certain companies.” But the facts speak for themselves.

The large fines against U.S. companies cannot simply be dismissed by the fact that the United States has a large tech sector. The GDPR applies to all companies processing data about individuals in the EU, not just those in the tech sector. But even looking at only the tech sector, it is clear U.S. companies have received a disproportionate share of fines.

In 2021, the EU imported €228 billion in ICT services. Of that amount, only €23 billion (10 percent) came from the United States. The majority, €124 billion (54 percent), was intra-EU trade, and the remainder, €81 billion (36 percent), was with the rest of the world. If the €5.65 billion in GDPR fines to date had been similarly distributed, U.S. companies would have paid €570 million (instead of €4.68 billion), and EU companies would have paid €2 billion (instead of €529 million).

Moreover, companies in other parts of the world would have also been subjected to more of these fines. The EU has virtually ignored firms in other countries. To date, firms in Australia have only paid €15,000 in GDPR fines. Maybe EU regulators did not notice that Atlassian, the Australian company behind popular productivity apps like Jira, Confluence, and Trello, has suffered multiple data breaches. Companies in India have only paid €1,000 in GDPR fines, despite an annual €20 billion in trade in digital services. It is inconceivable that all the Indian tech companies subject to the GDPR have a nearly flawless track record at regulatory compliance when the leading U.S. companies that have spent millions to adhere to the same rules are constantly told they have not measured up.

Aside from the fines against TikTok, the EU has also paid little attention to China. China is home to many major tech companies. While some of these companies operate primarily in China, many of them, including Tencent, Alibaba, PDD, JD.com, Trip.com, and Baidu, have a global presence and process data about individuals in the EU. However, EU regulators have given relatively scant attention to data transfers to China, despite laws allowing government access to data stored by Chinese companies and their previous fixation on the risks of data transfers to the United States.

The EU has recently announced plans to simplify the regulatory burden of the GDPR, implicitly acknowledging that the law has negatively impacted EU competitiveness and innovation. But, unsurprisingly, none of that relief will be targeted at large U.S. firms. Instead, as explained by EU Commissioner Michael McGrath, “we will be examining what ways in which we can ease the burden on smaller organizations.” In other words, the EU will continue to claim that it is applying the law equally, while writing it in a way that targets U.S. companies disproportionately.

The EU shows no sign of easing up on its enforcement actions against the United States. Earlier this year, Italy’s data protection agency issued a €15 million fine against OpenAI, an amount the company noted is 20 times the revenue it earned in Italy during the relevant timeframe. These types of penalties against U.S. firms redirect funds that could be going to R&D to fines—putting the United States at a strategic disadvantage compared to our geopolitical rivals.

The Trump administration is entirely correct to call out these unequal and unjust practices, and it should continue to fight back against EU laws, regulations, and enforcement actions that treat U.S. firms unfairly.
