Amazon fined record £636 million for GDPR violations

Luxembourg’s National Commission for Data Protection (CNPD) has imposed an unprecedented fine of €746 million (£636 million) on Amazon after finding the company guilty of not acting in compliance with GDPR.

The CNDP, Luxembourg’s National Commission for Data Protection, has not officially announced the imposition of the record-breaking fine, the news came to light through Amazon’s recent filing with the U.S. Securities and Exchange Commission in which the company declared its financial results.

In the SEC filing, Amazon said the fine was imposed after CNDP concluded that the company’s processing of personal data was not in compliance with the GDPR. Aside from imposing a fine of £636 million, CNDP has also asked the company to revise its data processing practices.

Amazon has issued a public statement that it “believes the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.” Amazon also said that no data breach had occurred.

The CDNP initially intended to fine Amazon €350 million after sending copies of its draft decision to data protection authorities in other EU countries decision was made to increase the fine.  Some commentators have suggested that there is a political element to the decision to increase the fine, but it is standard procedure for the ‘lead authority to share its draft ruling with other regulators under the one-stop shop principle that allows one country to take the lead in these type of international cases.

The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, a group that claims to represent the interests of thousands of Europeans to ensure their data isn’t used by Big Tech companies to manipulate their behaviour for political or commercial purposes. The complaint, which also targets Apple, Facebook Google and LinkedIn and was filed on behalf of more than 10,000 customers, alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.  According to Vitale, “If the complaint is upheld in the courts (as Amazon is very likely to appeal), it could spell the end for targeted advertising”.

Article 83 of GDPR is very specific about penalties: security-related incidents are fined by up to 2% of the annual turnover, while violations such as lack of consent or unlawful data processing are punished more severely by a fine going up to 4%. So, Amazon’s statement that no data breach has occurred is probably not very relevant in this case.  This may have been published to deter class action litigation.

Despite such a large fine cited, there’s also every chance that it can be radically lowered over the course of regulatory proceedings. For example, the UK’s Information Commissioner’s Office (ICO) had initially issued a notice of intent to fine BA and Marriott £183 million and £99 million respectively in July 2019. This was eventually lowered to £20 million and £18.4 million in October 2020, with the ICO citing a number of mitigating circumstances, including the economic effects of the pandemic.