The largest-ever financial penalty for GDPR violations has been handed to Amazon by the Luxembourg Data Protection Authority, the Commission Nationale pour la Protection des Données (CNPD). The fine exceeds the previous highest GDPR fine, the €50 million imposed on Google by the French Data Protection Authority in 2020, by 1,392%.
The €746 million (USD 886 million) financial penalty was imposed for violations of the EU General Data Protection Regulation, which sets strict rules covering uses and disclosures of the personal data of EU citizens. CNPD has not announced the financial penalty and has not provided any details about the alleged violations that the financial penalty resolves. CNPD said it is against Luxembourg law to comment on individual legal cases.
The CNPD’s intention to fine the online retail giant was announced by Amazon in its quarterly report, filed on July 30, 2021 with the U.S. Securities and Exchange Commission (SEC). While the exact nature of the violations is not known, the fine is known to concern Amazon.com, not Amazon Web Services, and Amazon’s business practices related to the use of consumer data for delivering targeted advertising.
The CNPD has jurisdiction over Amazon’s European operations, as Amazon’s European headquarters are located in Luxembourg. CNPD launched an investigation into Amazon following a 2018 complaint from the French privacy advocacy group La Quadrature du Net. The complaint related to how Amazon obtains consent from consumers to use their personal data to provide targeted advertisements.
In its SEC filing, Amazon.com said the CNPD’s decision to impose a financial penalty was “without merit” and that the company is planning a rigorous defense. “We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” said Amazon.com in a statement.
While the financial penalty is substantial, it is just a drop in the ocean for a company that generated annual revenue of $386 billion in 2020. Under the GDPR, violations carry a maximum financial penalty of €20 million or 4% of global annual revenue for the previous financial year, whichever is higher. That means the maximum financial penalty would have been $15.4 billion.
The appeals process is unlikely to be quick. It could take several months or even years for the fine to be appealed and a final decision to be made on the financial penalty. What the CNPD has shown is that it is willing to impose substantial penalties on companies found to have violated the GDPR, and Amazon’s GDPR fine could well be the first of some massive financial penalties for GDPR privacy violations.