Amazon.com has been slapped with a record-breaking €746 million ($888 million) GDPR penalty for allegedly violating the EU’s stringent data protection law. In addition to the fine, Amazon is required to implement corresponding practice revisions to prevent further violations of the requirements of the General Data Protection Regulation.
All companies and individuals doing business with EU residents are required to comply with strict privacy regulations, which place restrictions on the collection, processing, and use of data subjects’ personal data.
Amazon.com has an EU base in Luxembourg. As such, investigations into potential violations of GDPR are dealt with by the Luxembourg Data Protection Authority, the National Commission for Data Protection (CNPD). On July 16, 2021, CNPD issued a decision about Amazon.com stating the online retailer is alleged to have violated the requirements of the GDPR in relation to how customers are targeted with advertising. The GDPR fine was recently disclosed by Amazon.com in a 10-Q filing with the Securities and Exchange Commission.
Under the GDPR, companies can be fined up to €20 million or 4% of global annual turnover for the previous financial year, whichever is higher. In 2020, Amazon’s global annual revenue was €186.70 billion ($221.60 billion), so while the €746 million is considerable, it falls well short of the maximum possible financial penalty.
While financial penalties for GDPR violations have been issued when businesses experience data breaches, in this case Amazon suffered no data breach and no customer information was disclosed to any third party. The decision is based on how customers are targeted with advertising. The company was investigated following a complaint about its business practices made in 2018 by French privacy rights group La Quadrature du Net. CNPD has not released a statement about the fine to date and has not publicly disclosed exactly which aspects of the GDPR have been violated.
“The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” said Amazon.com in a statement. “We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”
If the fine is upheld, it will be the largest ever GDPR financial penalty imposed in the 3 years since the GDPR took effect. Amazon.com could even face a further financial penalty. Amazon has been subject to considerable antitrust scrutiny and has been investigated over its use of data from sellers on its platform. The company is alleged to be using those data to benefit its own retail business by unfairly promoting its own retail products over those of the sellers that use the platform, which are its competitors. If the complaints are found to have merit, Amazon could be fined 10% of its annual global revenue.