On July 16, 2021, the CNPD, Luxembourg’s data protection authority, issued a decision fining Amazon a record €776M ($888M) for processing personal information in a manner that violates the GDPR.
Little is known about the nature of these alleged violations. However, Amazon representatives stated in their SEC filing that the fine was “without merit,” and they will “defend [themselves] vigorously.” Amazon also commented to Bloomberg, “There has been no data breach, and no customer data has been exposed to any third party,” and that “these facts are undisputed. We strongly disagree with the CNPD’s ruling.”
This decision can be tied to a collective complaint from 10,000 people filed by the privacy rights group La Quadrature du Net (LQDN). Due to Luxembourg law, the decision is not public. However, through sources including Bloomberg, the LQDN became aware of the decision and responded via a press release stating that “the decision seems unambiguous: the advertising targeting system imposed by Amazon is carried out without free consent.”
The decision highlights the existing ambiguity surrounding the lawful bases under the GDPR and where they can be applied. Further, consent and legitimate interests appear to be the easiest lawful bases to achieve and operate from, when in reality, the opposite is true. This case should provide guidance on the application of lawful bases under the GDPR, which is much needed in the data privacy space.
Amazon is also under scrutiny from the European Commission over a breach of EU antitrust rules for “distorting competition in online retail markets,” and online tracking and advertising could also be tied to this inquiry.
As a reminder, fines can be up to 4% of a company’s global turnover. Amazon’s revenue was $386B in 2020 and $232B in 2018. While this is a large decision and certainly a headline-grabber, the decision amount of $888M is roughly 0.23% of Amazon’s annual revenue in 2020 and 0.38% of its revenue in 2018, the year the complaint was submitted. This fine highlights the power each data protection authority wields under the GDPR and just how large the penalty amounts can get.