Share this article on:
The Luxembourg Data Protection Authority – Commission Nationale pour la Protection des Données (CNPD) – has slapped Amazon.com with a €746 million ($886 million) financial penalty to resolve alleged violations of the EU General Data Protection Regulation (GDPR).
The GDPR, which took effect on May 25, 2018, gave EU citizens new rights over their personal data and placed restrictions on uses and disclosures of personal data by individuals and companies doing business with EU citizens.
In 2018, the French privacy advocacy group La Quadrature du Net filed a complaint with CNPD over Amazon’s alleged violations of the GDPR. CNPD has jurisdiction as Amazon has its European headquarters in Luxembourg. The financial penalty will close that complaint, although Amazon is planning to appeal the fine and that process is likely to take several months or years.
The complaint related to how Amazon obtains consent from consumers to use their personal data for delivering targeted advertisements. CNPD has not publicly disclosed the exact nature of the alleged violations and issued a statement saying it is against Luxembourg law to comment on individual legal cases.
The fine was imposed on Amazon on July 16, 2021 and was disclosed by the retail giant in its July 30 Q2 Securities and Exchange Commission (SEC) filing. Amazon said the fine is “without merit” and that it will be rigorously defending itself in this matter. “We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” said Amazon.com in a statement.
The GDPR violation penalty is substantial, but it could have been far higher. The maximum penalty for a violation of the GDPR is €20 million, or 4% of global annual revenue for the previous year, whichever is higher. In 2020, Amazon generated $386 billion in revenue globally, so the maximum financial penalty would have been $15.4 billion.
While massive financial penalties are possible for egregious violations of the GDPR, in the three years that compliance with the GDPR has been enforceable there have been few large fines. The previous record, set in 2020, was the €50 million ($59.4 million) fine for Google that was imposed by the French Data Protection Authority, followed by the €35 million ($41.6 million) fine for the clothing retailer H&M (Germany), and the €27.8 million ($33 million) fine for Telecom Italia (Italy).