Amazon slapped with biggest GDPR data privacy fine, ever

The tech giant has been fined US$887 million for allegedly violating a GDPR data-privacy law with targeted advertising.
2 August 2021

Amazon is slapped with the biggest ever EU data privacy fine. (Photo by Emmanuel DUNAND / AFP)

  • It’s the biggest monetary penalty imposed to date in connection with the EU’s three-year-old General Data Protection Regulation
  • The decision concludes a probe started by a 2018 complaint from French privacy rights group La Quadrature du Net
  • Amazon said it believes the “decision to be without merit” and that it intends to “vigorously defend” itself in the matter

The European Union’s General Data Protection Regulation (GDPR) first came into enforcement three years ago on May 25, 2018, and it didn’t take long for the largest tech companies to feel the sting of litigation. Within minutes of the GDPR going into effect, privacy activists and the French digital rights group La Quadrature du Net targeted tech giants including Google, Facebook, Apple, Amazon and LinkedIn with lawsuits alleging “forced consent”.

Years have gone by and the privacy watchdogs within the 27-country bloc of the EU have not slowed down. On July 16, 2021, the Luxembourg data protection authority, CNPD, slapped Amazon with a record fine after accusing the online retailer of processing personal data in violation of the EU’s GDPR. Amazon disclosed the findings in a regulatory filing on Friday, labelling the decision as “without merit.”

In short, the decision concludes the 2018 probe started by the French privacy rights group. La Quadrature du Net cautiously welcomed the decision. For violating the bloc’s stringent data protection rules, Amazon was fined US$888 million, the biggest EU privacy fine yet. “There has been no data breach, and no customer data has been exposed to any third party,” Amazon said in a statement, adding that it plans to appeal. “These facts are undisputed. We strongly disagree with the CNPD’s ruling.”

How did Amazon breach EU’s data rules?

On July 16, 2021, the CNPD issued a decision against Amazon Europe Core claiming that “Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation”. In addition to the €746 million fine, the CNPD judgment requires “corresponding practice revisions,” Amazon said.

The rights group also said that the “collective complaint” against Amazon was filed by 10,000 people and the ruling now vindicates their stand that “the advertising targeting system imposed by Amazon is carried out without our free consent, in violation of the GDPR”. It added that the penalty “is the new European record for fines pronounced against a violation of the GDPR”.

The GDPR requires a company to disclose what data it collects from users and what it does with that data. Companies must also allow users to download a copy of their data and must delete any individual’s data on request.

The tech giant also noted that the decision relating to how it shows customers relevant advertising relies on subjective and untested interpretations of European privacy law, and “the proposed fine is entirely out of proportion with even that interpretation.” Amazon intends to defend itself “vigorously” as the company “believe(s) the CNPD’s decision to be without merit.”

Before the Amazon fine, the largest penalty slapped on a tech giant was on Google in 2019. The French data privacy watchdog had asked the internet search giant to pay US$57 million, reportedly after finding that the “advertising targeting on its Android operating system does not comply with the general data protection regulations”.

Separately, last fall the European Commission filed antitrust charges against Amazon over its alleged misuse of non-public information to favor Amazon’s own retail business over third-party partner merchants. That case could result in Amazon being fined up to 10% of its annual global revenue.