In the USA, there has long been a tendency, targeted mainly at foreign banks, for there to be an overlap between state and federal action and, as US Presidents often find out, states can take independent or concerted action against them: for those who are not President, the risk is even greater because the states can also take action against companies for the same conduct as if it happened in their jurisdiction alone while Federal prosecutors must find an interstate element.

US companies, and those from elsewhere in the world, are going to get a shock when the first action arises from a breach of the General Data Protection Regulation. GDPR operates in respect of all those who have data activities in the EU. The UK will not leave the GDPR regime when it leaves the EU. Indeed, it has only very recently passed a law to implement it. Americans, in particular, do not understand the EU: they have long imagined that Europe is a country. It isn't. Yes, it has federally agreed laws but those laws require each state to implement them. Yes, there are penalties (in theory, at least) for those that do not implement and enforce them but while the EU makes many laws, it does little to ensure enforcement on the ground. That is left to individual states that do pretty much as they please.

The penalty against Facebook is for GBP500,000. To put that into perspective, the Crown Prosecution Service was ordered to pay GBP325,000 after losing unencrypted recordings of interviews with suspects. Bad as that is, it hardly comes close to the Facebook / Cambridge Analytica scandal which is at the heart of the penalty.

The GDPR moves the goalposts, so to speak. First, action can be taken where the breach takes place or where the data is used or where the harm is suffered. That opens the door to action by the equivalent of the UK's Information Commissioner in each EU state. Under the former UK legislation, GBP500,000 was the maximum penalty. Facebook should consider itself lucky that the ICO regarded the Cambridge Analytica case as a single breach. Under GPDR the maximum penalty is 4% of global turnover. There is no autrefois convict in civil penalties and a single breach can be acted upon, and penalties levied, in more than one jurisdiction. There is no requirement that each jurisdiction acts in concert - a lesson learned from the New York Department of Financial Services. DFS has, in recent years, developed and acted on a policy of going alone despite actions by other states and federal authorities. In this way, a single breach with widespread effect can see multiple cases with the time and reputational damage that involves and multiple penalties each of up to 4% of a company's turnover. There are more than 25 countries in the EU and, therefore, there is the potential (albeit extremely unlikely) for a company to be ordered to pay more than its entire annual turnover (not, note, profit) to various states.

American companies might be chuckling at the puny penalty faced by Facebook but they should be reaching for the Imodium.