Amazon Meets with GDPR Troubles on the Eve of Covid-19

Various industry specialists, including Adobe Analytics, have reported that increasing consumer concern, and indeed shop closures, following the worldwide COVID-19 outbreak is already influencing our online shopping behaviour in a significant manner.

While traditional retailers are suffering greatly, there has been, perhaps inevitably, an enormous surge in online shopping, as customers seek to protect themselves from the virus or simply find a necessary alternative given that many shops have temporarily closed.

It is in this context that a recent complaint against Amazon, the world’s biggest online retailer, raises particularly interesting and topical questions for web security.

In February 2020 NOYB, a non-profit group headed by the Austrian privacy activist Max Schrems, stated that it had lodged a complaint against Amazon with the German data protection authority. It has suggested that the case could lead to fines running into billions. The complaint was filed under the European General Data Protection Regulation (GDPR) and alleges that Amazon’s internal email security is poor. It is claimed that the system lacks the ability to encrypt emails sent between Amazon’s 3rd-party sellers and its customers.

Schrems is an experienced and well-known privacy campaigner who notably took legal action against the social media giant Facebook in 2011 when he was still a student. That famous case ended in 2015 in what legal professionals labelled a “bombshell” judgement, a judgement which caused somewhat of an international crisis, and brought down Safe Harbour, the data-transfer mechanism that was used by many thousands of companies.

The number of email security violations on a per-person basis could mean that the case might be extremely costly for Amazon; under GDPR rules a fine could total up to 4% of a company’s global annual turnover. Amazon’s turnover totalled $280 billion (or €250.7bn) in 2019.

The alleged problem with email security
The NOYB case alleges that the e-retail giant’s email servers, which route mail between 3rd-party merchants and clients without either side having to provide a personal email address if they do not wish to do so, fail to permit baseline encryption. This violates GDPR email security rules demanding that verifiable Transport Layer Security (TLS) version 1.2, or more recent, be used in such situations.

In a statement, the activist group said that it had submitted a complaint to the supervisory authority of the German state of Hessia on behalf of an Amazon seller. Schrems clarified that this was because the seller was located in that German state.

Somewhat unusually, Germany does not have a national, centralised Data Protection Authority but rather a number of different regional authorities for each of the sixteen German states (Länder).
Nonetheless, rules are enforced with a certain uniformity throughout the country and a German authority imposed one of the largest fines to date (€9,550,000) against the call center giant 1&1 Ionos in December 2019. Germany has been particularly active in early GDPR enforcement, but industry specialists have noted that the magnitude of fines has risen quite dramatically in recent months.
Luxembourg, which has never previously imposed a fine under the General Data Protection Regulation, could also become an interested party given that Amazon’s European Union headquarters are located there.

Prior GDPR complaints made by NOYB
Approximately twelve months ago, NOYB filed a volley of complaints under the GDPR that targeted the biggest tech companies; Amazon was one of them. The last batch of complaints focused on the automated systems that a large number of European companies use to deal with replies to requests seeking personal information. NOYB discovered that eight of these companies either neglected to provide all of the data required under the regulations, or simply failed to respond to the requests at all. A majority did not furnish the raw collected data that the regulations require them to, nor did they sufficiently disclose the reasons for the data processing or the sources receiving it.

This was in the wake of NOYB’s 2018 campaign that had targeted what it referred to as “forced consent” policies employed by the larger names in IT. The non-profit group argued that Facebook, Android, WhatsApp and Instagram among other services failed to provide the user with an explicit choice to opt out of the use of their data for targeted advertising. The said companies were still using an “implied consent” model that worked on the basis that consent was assumed, provided that the user continued using the services.

Could NOYB win its case against Amazon?
A large part of the procedure for fines under GDPR is based on precedent. A first data authority seemingly has to be prepared to take the leap by imposing a big fine before others will do likewise. Thus far, fines have mostly targeted data breaches and violations of the requirements concerning advertising; there is little dealing with particular email security cases that might relate to the present GDPR complaint that NOYB has brought against Amazon.

In early 2019, the data protection authority in the German province of North Rhine-Westphalia did establish that, as a minimum, emails are required to be encrypted during transport. Nonetheless, legally speaking the opinion is restricted to this particular supervisory authority. Other German authorities, and indeed those throughout the EU, retain the right to define their own standards regarding email security.

There are no significant developments at this stage other than NOYB’s publication of the details of its own GDPR complaint, although it does appear to be quite strong. The complaint states that attempted Transport Layer Security (TLS) connections are refused by Amazon’s servers, and that this email type is transmitted via the insecure Simple Mail Transfer Protocol (SMTP) which relays in plain text. As well as exposing the apparently anonymized email addresses of the parties, such messages may of course contain sensitive information detailed under the GDPR; e.g. IP addresses, names with postal addresses, together with additional purchase details.
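A recipient can check the transport encryption of mail they have already received by reading its `Received` headers. The Python sketch below is an added example, not code from the article or from NOYB's complaint; the sample message, hostnames and addresses are constructed, and the header formats are those commonly written by mail servers.

```python
import re
from email import message_from_string

MIN_TLS = (1, 2)  # floor named in the article: TLS 1.2 or more recent
TLS_VER = re.compile(r"TLS\s?v?(\d)(?:[._](\d))?", re.I)  # TLSv1.2, TLS1_0, TLS1.3
PROTO = re.compile(r"\bwith\s+(\w*MTP\w*)", re.I)  # RFC 3848 "with ESMTPS" keyword
BY_HOST = re.compile(r"\bby\s+(\S+)", re.I)  # server that stamped the header

def classify(received):
    """Classify one Received header value by the transport security it records."""
    m = TLS_VER.search(received)
    if m:
        version = (int(m.group(1)), int(m.group(2) or 0))
        return "ok" if version >= MIN_TLS else "weak"
    p = PROTO.search(received)
    # ESMTPS / ESMTPSA / LMTPS mean TLS was used, but give no version.
    if p and p.group(1).upper().endswith(("S", "SA")):
        return "tls-unknown-version"
    return "plaintext"

def audit_hops(raw_message):
    """Return (receiving_host, status) per hop, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        host = BY_HOST.search(value)
        hops.append((host.group(1) if host else "?", classify(value)))
    return hops

# Constructed sample message; example.* names and 192.0.2.x are reserved values.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.example.org (Postfix) with ESMTPS id 4A1B2C
\tfor <buyer@example.org>; Mon, 2 Mar 2020 10:00:02 +0000
Received: from marketplace.example.com (marketplace.example.com [192.0.2.20])
\tby relay.example.net (Postfix) with ESMTP id 9D8E7F
\tfor <buyer@example.org>; Mon, 2 Mar 2020 10:00:01 +0000
Received: from app.example.com (app.example.com [192.0.2.30])
\tby marketplace.example.com with ESMTPS (version=TLS1_0 cipher=AES128-SHA)
\t; Mon, 2 Mar 2020 10:00:00 +0000
From: seller@example.com
To: buyer@example.org
Subject: Order details

Constructed body.
"""

if __name__ == "__main__":
    for host, status in audit_hops(SAMPLE):
        print(f"{host}: {status}")
```

`Received` headers written by servers outside your control can be altered or omitted, so only the hops stamped by your own infrastructure count as evidence of how a message arrived.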

Should NOYB’s complaint be upheld, the size of an Amazon fine would be assessed by how many of the compromised messages included sensitive personal information. For the purposes of GDPR, the following is considered to be sensitive personal information:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data processed solely to identify a human being;
- health-related data;
- data concerning a person’s sex life or sexual orientation.

The fine could, therefore, potentially be enormous. In theory every email ever transmitted through the system (and this is certainly the position that Schrems’ group is taking) could fall under the scope of the complaint. No matter what the eventual outcome is, the case serves as a well-timed wake-up call regarding email security fundamentals for any company or organization (but particularly for those trading in European Union member states).

Given the current Covid-19 pandemic, this is all, perhaps, an even more timely reminder of GDPR responsibilities for other online retailers specifically. In the short term, it would seem somewhat probable that the upturn in business for said companies, while undoubtedly a welcome development for them, will also attract increased attention and scrutiny from activists, authorities and the media. Given the very nature of online trading, web security and GDPR compliance should already have been a top priority for the industry, and the Coronavirus may well serve to underline that fact even further.

About Eoin Campbell
Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified solicitor. Eoin has moved from practicing law to teaching. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data protection.