On July 16, 2021, the Luxembourg National Commission for Data Protection (CNDP) issued the biggest fine so far for the violation of the General Data Protection Regulation (GDPR) in the amount of €746 million ($888 million) to Amazon Europe Core S.a.r.l. for non-compliance with general data processing principles.
With this fine, GDPR finally delivered more than just a slap on the wrist, and just in time to put a stop to remarks and criticism on the EU enforcement system.
Amazon’s fine surpassed what was the biggest GDPR fine for two years- the €50 million penalty issued by France’s CNIL to Google.
Having that in mind, comparing those two fines can be an indication of how GDPR is inconsistently applied throughout the EU and may bring this issue to a discussion in the future.
How did Amazon slip?
The fine was issued as a result of a complaint filed by 10,000 people against Amazon in May 2018, through a French privacy rights group that promotes and defends fundamental freedoms in the digital world- La Quadrature du Net.
The CNDP opened an investigation into how Amazon processes personal data of its customers and found infringements regarding Amazons’ advertising targeting system that was carried out without proper consent.
There are certain requirements for compliant consent that need to be met in order to stay in line with the GDPR, like using clear, plain language and explaining how data is going to be used, why and by whom.
However, specifics of the case have not been publicly disclosed or commented on by the CNDP since local laws bind the Luxembourg DPA to professional secrecy until an appeal process is completed. Although La Quadrature du Net did issue a statement available in French.
Amazon has strongly disagreed with the CNPD’s decision and announced they plan to appeal since they find the decision unfounded, adding “there has been no data breach, and no customer data has been exposed to any third party.”
However, the argument that Amazon put forward may not be as bulletproof as they might think.
GDPR focuses not only on data security but also on the data privacy aspects– how companies use personal data, if the company is transparent, and if the processing is lawful. So whether a data breach occurred or not, may not be crucial in this case.
Estelle Massé, the global data protection lead at non-profit internet advocacy group Access Now, stated:
“With so many large cases piling up in front of regulators, we were really waiting for one of those cases to be resolved to show that the GDPR basically has teeth”.
If the fine holds its ground, this could be a groundbreaking fine that could shatter the already fragile Amazon’s reputation when it comes to personal data processing.