Record-breaking €746 million GDPR fine against Amazon
On July 16, 2021, The Luxembourg National Commission for Data Protection (Commission nationale pour la protection des donées, “CNPD”)) imposed a record-breaking fine on Amazon Inc., the company published a regulatory filing revealing the decision.
Unprecedented GDPR fine issues by Luxembourg Data Regulator against tech)giant for alleged privacy violations
The CNPD issued a draft decision fining the tech giant an eye-watering €746 million ($888 million) for alleged breach of EU data protection rules. With Amazon’s EU headquarters based in Luxembourg, the company is regulated by the CNPD which acts asAmazon’s lead supervisory authority in the EU for the purposes of the General Data Protection Regulation (“GDPR”). This gives the CNPD amongst other powers, the power to enforce the GDPR rules, launch investigations and most importantly can impose fines hefty fines.
Indeed, the CNPD has ordered Amazon to revise certain of its practices in relation to processing personal data of its customers and found that Amazon’s advertising targeting system was flawed for failing to provide valid consent. With consent forming a key pillar of the philosophy GDPR one can easily acknowledge the extent to which Amazon’s practices are infringing basic privacy rights.
The fine is said to be linked to a class complaint against Amazon filed by 10,000 citizens dating back to May 2018 led by French privacy rights group La Quadrature du Net which promotes and defends fundamental freedoms in the digital world.
According to sources, Amazon has already expressed its discontent with the CNPD decision and have stated that “there has been no data breach, and no customer data has been exposed to any third party”.
What is the significance of the Amazon fine? Possible domino effect?
While the full details of the decision have not been publicly disclosed by the CNPD since local laws bind the Luxembourg DPA to professional secrecy, La Quadrature du Net did issue a statement available in French applauding the decision.
Why is this big news? It goes without saying that the draft is currently outweighing all previous GDPR fines with the largest being issued by the French Data Protection Authority CNIL at a mere €50 million to Alphabet’s Google.
Amazon has already issued a statement to discredit the CNPD decision by claiming that “the decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation”.
Amazon’s stance has indicated indicated that it will likely appeal the decision.
The draft decision by the Luxembourg regulator would also have to be agreed by the EU’s other national regulators, which could result in any penalty being reduced or increased. If the fine holds ground after the opposition by Amazon this could be a ground-breaking fine that could shatter already fragile Amazon reputation when it comes to privacy practices and transparency.
Google, Facebook Inc, Apple Inc and Microsoft Corp have all been scrutinized by the authorities and made a point about prioritising user privacy in Europe.
In contrast, this potentially record-breaking sanction makes even more glaring the ineptitude of the Irish data protection authority which is famously the appointed EU watchdog for major tech companies. In three years, has not been able to close any of the other four complaints we have brought against Facebook, Apple, Microsoft. and Google.
The CNPD’ bold move against Amazon will also send shock waves to the CNIL in France which, for a long time, was a leader in Europe for data protection. Today, the CNIL is no more than a shadow of itself, while our collective complaints, initially brought before it, offered it the ideal opportunity to be the spearhead of the GDPR against systemic violations of personal data at the heart of GAFAM's business model.
As always, should you have any questions or queries regarding this topic or your latest business undertakings, please do not hesitate to contact us!
Article by Anthi Pesmazoglou @ Gerrish Legal, August 2021
Sources :
https://www.natlawreview.com/article/luxembourg-dpa-fines-amazon-746-million-euros-gdpr-violations
https://dataprivacymanager.net/luxembourg-dpa-issues-e746-million-gdpr-fine-to-amazon/
https://gafam.laquadrature.net/wp-content/uploads/sites/9/2018/05/amazon.pdf