Explainer: Amazon’s €746m fine from Luxembourg’s data regulator

3 Aug 2021

Image: © Oleksandr/Stock.adobe.com

The fine, revealed in the company’s quarterly SEC filing, constitutes the largest penalty under the EU’s GDPR to date.

In a filing with the US Securities and Exchange Commission (SEC) on Friday (30 July), Amazon disclosed that it had been fined €746m ($886m) by Luxembourg’s data protection watchdog, the Commission Nationale pour la Protection des Données (CNPD).

The fine was issued on 16 July and is by far the largest ever issued under the EU’s General Data Protection Regulation (GDPR) since the law came into force in May 2018. The CNPD has lead jurisdiction over Amazon’s operations in Europe because the company’s European headquarters are located in Luxembourg.

What’s the fine for?

Precise details of the charges have not been made public, but the Wall Street Journal reported in June that they concern Amazon’s privacy practices and handling of personal data, and are not related to its cloud computing division Amazon Web Services. As well as issuing a fine, the ruling ordered Amazon to revise certain business practices, which were also not made public.

The CNPD investigation began with a 2018 complaint by French privacy advocacy group La Quadrature du Net concerning the way the company obtains consent for targeted advertisements. The group welcomed the decision in a blog post on Friday, saying it “comes after three years of silence that made us fear the worst”.

“The model of economic domination based on the exploitation of our privacy and free will is profoundly illegitimate and contrary to all the values that our democratic societies claim to defend,” it added.

The blog post also hit out at the “widespread resignation” of Ireland’s Data Protection Commission (DPC), which La Quadrature du Net said has not closed any of its complaints against Facebook, Apple, Microsoft and Google in the past three years.

How has Amazon reacted?

In the SEC filing, the company said it believed the decision by Luxembourg authorities was “without merit” and it intends to “defend ourselves vigorously in this matter”.

In a statement, the company said: “Maintaining the security of our customers’ information and their trust are top priorities.

“We strongly disagree with the CNPD’s ruling and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The CNPD has yet to comment publicly on its ruling. Bloomberg noted that Luxembourg laws prevent the body from speaking on individual cases.

The SEC filing that revealed the fine was part of Amazon’s second-quarter earnings report, which fell short of Wall Street expectations. It also comes as an officer from the US National Labor Relations Board said the company interfered in a union election at one of its facilities in Alabama.

What does this mean for data protection?

This is the largest fine ever issued under GDPR. The previous record holder was a €50m fine levelled against Google in France in 2019.

The regulation allows for companies to be fined up to €20m or 4pc of their annual worldwide turnover, whichever is larger, for breaches of data protection rules. Amazon’s annual revenue for 2020 was $386bn, meaning the maximum possible fine for the company in this case would have been approximately $15.4bn.

Previous reports in June said the fine could be €357m ($425m), which would still have been record shattering but was less than half of the final figure.

Amazon said it plans to appeal the ruling. Appeals of GDPR decisions by data protection authorities in Europe are increasingly common and are decided by national courts, and many have been successful. However, Google’s appeal of its record €50m fine was dismissed by a French court in June.

In June, the European Court of Justice ruled that national watchdogs can pursue cases against companies even where they lack lead jurisdiction over that company’s EU operations. This may lead to multinationals facing multiple simultaneous investigations from different regulators, especially given the criticism Ireland’s DPC has faced for allegedly dragging its feet in numerous cases against big companies.

It is still unclear if this heralds a new era where tech titans face closer scrutiny and more vigorous enforcement of GDPR, but it could mean Dublin is less likely to be the epicentre of EU data protection news in future. This shift of focus is further cemented by Luxembourg’s bullish enforcement in the Amazon case.

The broader ripples of this ruling and the results of Amazon’s appeal will likely take months, if not years, to emerge based on the usual pace of European regulatory proceedings. Without a doubt, though, this is big news both for the company and for data protection in general.

Jack Kennedy is a freelance journalist based in Dublin

editorial@siliconrepublic.com