Amazon is facing a $425 million financial penalty for violations of the EU General Data Protection Regulation (GDPR) related to the alleged unlawful collection and use of personal data. The GDPR came into effect on May 25, 2018 and improved privacy protections for EU residents, gave them important rights over their digital data, and placed new restrictions on how personal data could be collected and used.
Data collectors and processors can face huge financial penalties if they are found to have violated the GDPR, with penalties up to €20 million ($24,194,000) or 4% of global annual turnover possible, whichever is greater. The largest fine to date was the €50 million ($60.5 million) penalty imposed on Google in 2019 by the French data Protection Authority (DPA), with a fine of €35.3 million ($42.7 million) penalty imposed on the clothing retailer H&M. The proposed fine for Amazon dwarfs those penalties.
Amazon was investigated by the Luxembourg data protection authority, the CNPD, over alleged GDPR violations. While Amazon operates in all 27 of the bloc’s countries, the CNPD investigated as Amazon’s EU base is in Luxembourg. The CNPD determined there had been violations of the GDPR and decided on an appropriate penalty.
The financial penalty is much lower than the maximum of 4% of global annual turnover for the previous financial year, representing just 0.1% of its total reported sales for 2020 and 2% of its net income for 2020. The CNPD has received criticism for the proposed fine, with some stating the fine should be far higher.
According to the Wall Street Journal, the CNPD circulated a draft decision relating to privacy violations concerning the use and collection of personal data, although it is unclear exactly which articles of the GDPR have been violated and exactly how personal data is alleged to have been misused.
The proposal of a financial penalty is only one step in the process. Since Amazon operates throughout the EU, all member states must be given the opportunity to review the ruling and comment and will be required to give their approval. Amazon will also be given the opportunity to appeal any final ruling.
The CNPD and Amazon were contacted by the WSJ but declined the opportunity to comment on the story.