Amazon appeals $865 million fine

Luxembourg's data protection authority becomes the first to issue a GDPR fine of this size. Now it's the tech giant's turn to defend itself.

Amazon has filed an appeal in the Luxembourg’s Administrative Tribunal on Friday, October 15, contesting a record fine of 846 million euros ($865 million) imposed by the Luxembourg’s data protection authority (CNPD) in July 2021. This challenge comes after the CNPD imposed a penalty on Amazon for allegedly breaching the EU’s General Data Protection Regulation (GDPR) through the improper processing of personal data.

On July 16, the CNPD issued an opinion on a collective complaint of more than 10,000 complainants, filed by the French NGO, La Quadrature du Net, against Amazon and its advertisement practices. The complaint alleged that the targeted ad system that Amazon uses is not based on free consent, which makes the processing of personal data unlawful and therefore, in violation of Article 6 of the GDPR. Although the ruling of the Luxembourg’s supervisory authority is not made public, other sources have reported that the fine is based on a more general claim about Amazon’s privacy practices and handling of personal data, and not related to its cloud computing division Amazon Web Services.

The implications resulting from this record fine show that Luxembourg, the seat of Amazon’s European headquarters, is betting more on upholding the EU’s data protection laws in comparison to its light-tax environment for global corporations. Moreover, the CNPD is now leading the charts in the highest penalty issued, surpassing the previous record-holder of 50 million Euros against Google by the French data protection authority (CNIL) in 2019.

Furthermore, Amazon has stated that it will appeal the fine and that it strongly disagrees with the CNPD’s ruling, which shows that appeals against GDPR-related fines are becoming more common. The appeals are decided by national courts where the supervisory authority that issued that fine is based in. Moreover, the EU’s Court of Justice added to the equation by ruling that supervisory authorities from EU member states without jurisdiction can pursue cases against tech giants even though they are not the ‘main’ supervisory authority. This could help pursue cases where one data protection authority has been slower in investigating GDPR breaches and issuing penalties in response.

Amazon declined to comment on the appeal, but it referred to its statement when the penalty was issued that there has not been any data breach and that no customer has been exposed to any third party. The appeal came to light when Amazon filed its second quarter earnings with the SEC.

There is a trend forming (if not already cemented) that comes from member states’ supervisory authorities with regard to global tech giants. With the GDPR’s high-penalty margins (20 million euros or 4% of global turnover, whichever is higher), the local data watchdogs are sending signals that companies need to address privacy concerns more seriously. The common check-the-box consent or convoluted privacy notices are not sufficient any longer. Data processing justification, grounds for collection, storage issues and many more data-related concerns must be addressed with the utmost attention and made easily accessible to consumers.