In July 16 decision, the Luxembourg National Commission for Data Protection (CNDP) issued the biggest fine ever for the violation of the General Data Protection Regulation (GDPR) in the amount of €746 million ($888 million) to Amazon Europe Core S.a.r.l. for non-compliance with general data processing principles.
The fine was issued as a result of a complaint filed by 10,000 people against Amazon in May 2018, through a French privacy rights group that promotes and defends fundamental freedoms in the digital world- La Quadrature du Net.
The CNPD opened an investigation into how Amazon processes personal data of its customers and found infringements regarding Amazons’ advertising targeting system that was carried out without proper consent.
However, specifics of the case have not been publicly disclosed or commented on by the CNPD since local laws bind the Luxembourg DPA to professional secrecy. Although La Quadrature du Net did issue a statement available in French.
Bloomberg was first to report on the fine announcing that Amazon strongly disagrees with the CNPD’s decision and announced they plan to appeal since they find the decision unfounded, adding “there has been no data breach, and no customer data has been exposed to any third party.”
GDPR prescribes fines up to €20 million, or up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher.
The biggest fine to date was a €50 million euro penalty issued by France’s CNIL to Google. If the fine holds its ground after this could be a groundbreaking fine that could shatter already fragile Amazon reputation when it comes to personal data processing.