Doron Goldstein, Katten Muchin Rosenman

Facebook Inc. received one of its biggest regulatory slaps last week when European antitrust regulators fined it $122 million for providing misleading statements about its 2014 purchase of WhatsApp.

The fine is relatively small compared to Facebook’s annual profits—the Menlo Park, California-based social media giant pulled in more than $10 billion in profit in 2016—but it does signal a more aggressive regulatory environment in the region. The same week Facebook received its European Commission fine, French and Dutch regulators claimed the company broke local data protection rules. French regulators levied a much smaller fine on the company: 150,000 euros, or about $167,000 at Tuesday’s rate of exchange.

Doron Goldstein, partner at Katten Muchin Rosenman and co-head of the firm’s privacy, data and cybersecurity practice, spoke with reporter David Ruiz about what the European Commission’s fine means for American companies, private practice lawyers and corporate expansion into Europe. He also spoke about how Europe’s new General Data Protection Regulation (GDPR)—data protection rules currently rolling out across the member states—plays a role in more aggressive enforcement efforts.

The following interview has been edited for clarity and length.

Q: What are your main takeaways when looking at this fine against Facebook?

A: There are two interesting lessons from this. One interesting piece is that it came from the competition office, not from the privacy office, so it shows the interaction between [the two offices]. It shows the concern the European Commission has for privacy issues that this actually became a big enough issue within the competition bureau to levy this type of fine. That interaction is interesting. The second is that it shows a very clear trend on the part of the European Commission to very actively enforce privacy-related issues and to start going for aggressive fines. I think it’s an interesting example, and I think it’s something worth noting in light of what the GDPR allows, when that comes into effect, in terms of the size of the fines. In this case, the commissioners could have imposed an even larger fine on Facebook. They made it somewhat smaller than the maximum they were entitled to, because Facebook cooperated. But it, again, does show that the commission is likely to be aggressive.

Q: What does a more aggressive European Commission mean for American companies with international headquarters already in Europe?

A: This is essentially consistent with the message that privacy professionals in the U.S. and in Europe have been saying for years, in particular, since the GDPR was passed. Europe has a very different perspective on privacy and on data protection and we have to take that into account as companies plan how to interact with residents of Europe—with their customers, their clients, the parties they deal with in Europe. The commission is aggressive and has a very different perspective [on privacy] and it looks at it purely from a consumer perspective, from an individual perspective. Earlier that week, the French and Dutch data protection authorities also had claims against Facebook. The fine from [Commission Nationale de L'informatique et des Libertés], which is the French authority, was 150,000 euros. It was a very small fine, but again, these [claims] are for failure to properly disclose. The lessons that come out of this are, one, you have to think about what the expectation is from a European perspective. The second—and this is consistent with the U.S. as well—is that your disclosures have to be clear and complete.

Q: Has this always been the understood bargain for companies looking to expand to Europe—that they trade market expansion for a stricter regulatory environment?

A: To some degree yes. To some degree no. The difference has been, until recently, that the enforcement by the European Commission has been relatively light. There have been a few, but the enforcement has not been very strong and the fines have been small, in relative terms. The example of fining Facebook 150,000 euro, that’s a very different fine from $122 million [110 million euro]. There’s a scale difference that goes into the expectation going forward that there are now going to be real fines. Part of that comes with the authority that the GDPR has granted in terms of data protection, for fines up to 20 million euro or 4 percent of global turnover, and it’s the greater of those two. Those are real fines they have the ability to impose.

Q: Do you think these changes will make companies reconsider setting up shop in Europe?

A: I don’t think so. Europe is obviously a large market. Obviously, companies make those business determinations every day as to whether going into a particular market makes sense, because there are a whole series of issues that go into that. Language is one. Do you want to translate everything into local languages? There are a lot of reasons that go into it. Do I think [regulatory enforcement] will be a factor that goes into it? Yes. But I assume it, to some degree, always was. Will it be a greater factor? Probably. I think it will be given a somewhat greater weight and it may delay some European rollouts as companies try to make sure that their policies and practices are consistent with what is required.

Q: How does this affect private practice?

A: It’s important. It means that operating even just in the U.S., we have to be able to take those things into account, and we have to prepare our clients for the fact that if they want to do things that have an external U.S. element, they have to plan early. That’s particularly true with [information technology] projects of any kind, whether a website or an app they’re developing or some kind of service being offered. If there’s a likelihood that is going to be crossing the ocean at some point, that it will go into Europe, it’s something that we have to raise now, right at the start of the process. As opposed to the way I think historically things have been done, which is, you think about countries as you go into them. It’s now become a much earlier part of the thought process. The concept of privacy by design has now expanded to some degree, when I talk with clients, into privacy and EU compliance by design. You’re thinking about those two things at the same time, because re-engineering after you have developed the system, developed the service, implemented the project, is much more difficult than considering those points at the beginning.