Online retail giant, Amazon is facing a fine for breaching the European Union’s General Data Protection Regulation (GDPR) to the tune of €425m, the highest amount ever sanctioned against company.
Amazon was investigated in relation to the way that it gathers the personal data of its account holders and then uses that information in its marketing campaigns. GDPR requires companies to seek people’s consent before using their personal data or face steep fines.
If Amazon is found guilty and the highest possible GDPR penalty is applied, it could total more than $425 million (€350 million), seven times more that the previous highest figure which was sanctioned against Internet giant Google.
As Amazon EU headquarters is located in Luxembourg, the National Data Protection Commission (CNPD) in that jurisdiction has collated a draft decision that is currently being considered by the 26 other DPAs within the EU. When feedback is submitted by these 26 DPAs, Luxembourg can choose to address these or reject any objections which would result in a vote being taken by all EU privacy regulators as per GDPR Article 65. To date the Luxembourg DPA has not opted to issue any public comment in relation to the case.
Amazon has not released any public statement in relation to the case either. However, in the past the group has claimed that it gathers and reviews behavioral data in order to enhance the user experience, and established guidelines related to what its staff can do in relation to any personal data gathered. There have previously been accusations levelled at Amazon that it uses the data it gathers to gain an unfair advantage in the marketplace.
This latest investigation places Amazon under the magnifying glass within the EU once again where it is facing a number of antitrust investigations in relation to how it uses data from retailers on its platform and whether it unfairly favors its own products. In Germany alone there are multiple investigations being conducted into how Amazon conducts its business.
The GDPR complaint was submitted in 2018 by a French privacy rights group, La Quadrature du Net. This group claims to be representing over 10,000 customers and has been campaigning against the “behavioral analysis and targeted advertising” conducted by Amazon. It has called for a GDPR penalty that is as “high as possible” due to the “massive, lasting and manifestly deliberate nature” of the alleged violations without the consent of its users.
Bastien Le Querrec, a member of La Quadrature du Net’s litigation team said that the group has not been made aware of CNPD ruling “It’s good to see that after three years of silence, something is happening.”
There is also potential for an additional fine to be sanctioned by the United Kingdom’s Information Commissioner’s Office (ICO) as it is no longer included in the EU’s ‘one-stop shop’ process.