Amazon faces record GDPR fine
Amazon has disclosed that it is facing a €746 million fine from the Luxembourg data protection regulator.
The Luxembourg data protection regulator, the Luxembourg National Commission for Data Protection (CNPD), has issued a decision imposing a €746 million fine on Amazon in relation to its processing of personal data and compliance with data protection laws. The details of the fine were submitted in Amazon’s quarterly earnings report to the US Securities and Exchange Commission (SEC), and the fine relates to a 16 July decision by the CNPD.
There are limited details available and the CNPD has not commented on the case; however, the enforcement action is likely linked to a complaint made by French digital rights group ‘La Quadrature du Net’ in 2018, which targeted the way Amazon obtains consent to target adverts. News reports suggest that the decision may relate to how data is used to show customers personalised ads. Amazon has stressed that there has been no data breach and no personal data has been exposed to a third party but that ‘the decision [relates] to how we show customers relevant advertising [and] relies on subjective and untested interpretations of privacy law, and the proposed fine is entirely out of proportion with even that interpretation’.
Amazon has stated in its report to the SEC that it intends to challenge the fine. If confirmed, this fine would be the largest fine imposed by a European data protection authority since the GDPR came into effect in 2018, vastly exceeding the current record: a €50 million fine against Google in France in 2019. The $5 billion fine imposed by the Federal Trade Commission against Facebook in 2019 would remain, by some distance, the highest globally. It will be interesting to see whether the scale of the fine against Amazon is ultimately reduced – following the same pattern as seen in the UK in relation to British Airways and Marriott International, both of whose fines were initially disclosed as a result of those companies’ financial reporting requirements and subsequently drastically reduced by the ICO.
If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.

