On July 16, 2021, the Luxembourg National Commission for Data Protection (CNPD) made its final decision on an appropriate penalty for Amazon to resolve alleged violations of the EU General Data Protection Regulation (GDPR). As we previously reported in June, a financial penalty was expected for Amazon after the CNPD investigated and substantiated a complaint about advertising-related privacy violations, with the expected penalty believed to be around $425 million. The decision was taken to more than double the fine, which has been set at €746 million ($887 million).
The precise nature of the GDPR violations was not disclosed by the CNPD, which declined all requests for comment as it does not disclose information about ongoing cases. The amount of the financial penalty was actually disclosed by Amazon in its latest filing with the Securities and Exchange Commission (SEC). Amazon also said that in addition to the financial penalty, the CNPD called for corresponding practice revisions to correct the violations moving forward.
Amazon provided further details on the nature of the alleged GDPR violations and confirmed that there has been no data breach and no unauthorized disclosures of the data of EU citizens to any third party. Amazon said the decision was related to “how we show customers relevant advertising.” Amazon also said it strongly disagrees with the CNPD ruling, claiming the decision was “without merit” and that it “relies on subjective and untested interpretations of European privacy law.”
Amazon will appeal the decision and financial penalty which it says is “entirely out of proportion” with the CNPD’s interpretation of the requirements of the GDPR.
The CNPD investigation was launched following a complaint submitted by La Quadrature du Net, a French privacy rights group, on behalf of 10,000 others. In the complaint, La Quadrature du Net said the method used by Amazon to provide targeted advertising was being conducted without free user consent. Under the GDPR, consent must be freely obtained before the personal data of EU data subjects can be used.
“It is the targeted advertising system itself that our complaints intend to wipe out as a whole, and not a few occasional security breaches,” said La Quadrature du Net. “This historic sanction strikes at the heart of the GAFAM predation system and should be applauded as such.”
The appeal process is likely to take some time – potentially even years. If the appeal fails and the financial penalty remains as is, it will be the largest ever GDPR fine imposed to date, and by some margin. The previous record fine was for Google, which was fined €50 million ($57 million) by the French Data Protection Authority (Commission nationale de l’informatique et des libertés) in 2019.