E-commerce giant Amazon reported in its financial statements at the end of last month that the Luxembourg data protection authority had imposed on it a fine totaling EUR 746 million. The fine appears to have been imposed on Amazon for its use of users’ personal data for targeted advertising, in violation of the EU’s General Data Protection Regulation (GDPR). This is the highest fine imposed to date under the GDPR, exceeding by a huge margin the EUR 50 million fine imposed on Google, which, until now, held the record for the highest GDPR fine.
Amazon has appealed the fine and may succeed in lowering it. However, the fine has already achieved its dissuasive effect, in that it exposes the GDPR’s enormous “bite”. Until now, it appeared authorities were reluctant to exercise the tremendous power vested in them under the GDPR, but that no longer seems to be the case.
The fine imposed on Amazon sends a crystal-clear message to companies that make use of people’s personal data. Companies must ensure, without delay, their compliance with the requirements of the privacy protection legislation that applies to them. Privacy protection laws around the world have become more sophisticated and have armed the authorities enforcing them with more aggressive enforcement tools for use when violations occur.