by Rocco Panetta

Big tech is under the scrutiny of European authorities. After taking action with incredible timing on the WhatsApp affair, the Italian Data Protection Authority (the “Garante”) recently ordered the blocking of the social network TikTok, and subsequently opened a file on two other platforms. Further north in Europe, the Norwegian Data Protection Authority (Datatilsynet) announced that it might impose a fine of 100 million Norwegian kroner (about 10 million euro) on a dating app, while the Irish Data Protection Commission, according to some rumours, seems ready to impose a significant fine of up to 50 million euro. This is very important news and is probably only the tip of an iceberg that will slowly emerge in the coming months. That is why I think it is important to shed some light on some of the aspects of privacy law involved in these events and on the "weapons" in the hands of the European authorities, which are not limited to sanctions but include instruments that could have even more deterrent power.

GDPR and foreign companies

Very commonly, large internet platforms are based in the United States or China. This circumstance alone does not exempt them from the obligation to comply with European privacy legislation, nor does it let them escape the consequent sanctions in the event of non-compliance. In fact, the General Data Protection Regulation (GDPR), in a change from the previous legislative framework, provides that a data controller (or a data processor) that is not established in the European Union must comply with the rules of the Regulation if it processes personal data of data subjects located in the EU, when the processing activities concern the offering of goods or services to such data subjects in the EU or the monitoring of their behaviour to the extent that such behaviour takes place within the EU (see Article 3.2 of the GDPR, supplemented by recitals 23 and 24).
The amount of the sanctions

The Norwegian Supervisory Authority has decided to propose a fine of approximately EUR 9 million. This is based on the provisions of the GDPR, which - after requiring supervisory authorities to ensure that the administrative fines imposed are effective, proportionate and dissuasive in each individual case (Article 83.1) - provides that the amount of such fines, taking into account the criteria given by the Regulation itself (Article 83.2), can be up to 10 million euros or, for companies, up to 2% of the total annual worldwide turnover in the preceding business year, whichever is the greater, for a number of infringements (Article 83.4), with the values rising to 20 million and 4% for others (Article 83.5).

The emergency procedure

Taking the TikTok case as a reference, by its decision of 22 January last, the Garante ordered "[...