Amazon GDPR fine

Amazon GDPR fine: the biggest on record

September 21st, 2021 Posted in Compliance, Data Protection

In July 2021, Amazon was issued the largest fine yet under the General Data Protection Regulation (“GDPR”). The penalty, imposed by Luxembourg’s data protection authority, totals 746 million euros.

The fine is not set in stone just yet: Amazon has a right to appeal and has stated its intention to do so.

Read on to find out what Amazon’s fine is about, why it is so high and how your company can avoid landing in the GDPR hot seat.

The story so far

While this fine is new to the headlines, the complaint that started it all goes back to 2018. At the time, the French privacy rights group La Quadrature du Net lodged a complaint about Amazon with CNIL, France’s data protection authority. For context, CNIL is France’s equivalent of the UK’s Information Commissioner’s Office (“ICO”).

Under the GDPR’s cooperation procedures between member states (the so-called one-stop-shop mechanism), the complaint to CNIL was transferred to the Luxembourg data protection authority, the CNPD. The complaint landed in Luxembourg because Amazon’s EU headquarters is based there, which makes the CNPD Amazon’s lead supervisory authority.

Although the case was in Luxembourg’s hands, the GDPR requires a lead supervisory authority to cooperate with the other authorities concerned, so the CNPD will have consulted the regulators of the member states affected, particularly France, where the complaint originated.

After a lengthy deliberation, which may have been further slowed by disruption caused by the pandemic, the CNPD reached its decision on the complaint on July 16th, fining Amazon for breaching the GDPR. However, as noted above, Amazon is appealing, with its regulatory filing describing the decision as “without merit.”

Amazon went on to say:

There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling.

Amazon’s challenge to the ruling makes clear that this case will not be clear cut, and nor are the details available so far.

What’s the fine for exactly?

That’s a good question and, despite speculation, the public does not yet have the full picture. Because of the way Luxembourg’s legal system works, the CNPD is bound by professional secrecy until the decision is final. This means that, beyond the announcement of the intention to fine Amazon for GDPR violations, little else is publicly available about the fine.

However, from CNIL’s commentary and documents published by La Quadrature du Net, we can gather a few details.

In its initial complaint, La Quadrature du Net flagged several potential violations, all of which centred on unfair digital advertising practices. As the complaint notes, Amazon’s “behavioural analysis and targeted advertising” lacks “free consent”. The group also argues that Amazon’s practices are of a “massive, lasting and manifestly deliberate nature.”

Given CNIL’s recent fines against Google for poor cookie practices, it is unsurprising to see another tech giant in the spotlight for similar issues. Because of Amazon’s dominance and intensive digital marketing strategy, it is also not a stretch to imagine that its behavioural advertising practices could conflict with data protection law, and affect EU citizens en masse.

The complaint explicitly mentions a lack of free consent. For context, under the GDPR, the processing of personal data is lawful only if one of the lawful bases in Article 6 applies. Consent is one such lawful basis and, for consent to be valid, it must be “freely given, specific, informed and unambiguous” and given by a clear affirmative action (Article 4(11)). This means that it must be clear to the individual exactly what they are consenting to, they must be under no pressure to agree, and silence, pre-ticked boxes or inactivity do not count. Consent must also be as easy to withdraw as it was to give. Further details are set out in Article 7 and recital 32 of the GDPR.

Could the fine be reduced, as it was for Marriott and British Airways in the United Kingdom?

Again, context plays a huge role. The Marriott and British Airways fines concerned data breaches following cyber-attacks, that is, failures to keep personal data secure, rather than a failure to obtain valid consent, as appears to be the case here.

Moreover, Marriott’s fine was reduced because the company took steps to mitigate the impact of the breach. The ICO also accepted that its own internal procedure (then in draft) for determining the level of the fine was flawed, so the original calculation was incorrect. Finally, account was taken of the impact of Covid-19 on Marriott’s business.

The situation with Amazon is clearly different, then, and the reductions in the UK (for Marriott and BA) should be seen as unrelated rather than as precedent. Having said this, the GDPR remains a new law, and the grounds for appeal, and the likelihood of its success, will turn on the facts (which are not well known) and on the approach the CNPD took in setting the level of the fine.

Why is the fine so high?

This fine is an interesting one because, while it is the largest handed out by a data protection authority so far, it is not actually that large in the context of Amazon’s size.

Under the GDPR (Article 83(5)), fines can be up to 4% of a company’s total worldwide annual turnover for the preceding financial year or 20 million euros, whichever is greater. In 2020, Amazon reported net sales of $386 billion, so a fine at the 4% ceiling would be around $15 billion. By comparison, the current fine equates to roughly 0.2% of that turnover. So, although the penalty looks big on paper, it does not represent much of a dent to Amazon.

Fines have their own rules under the GDPR, which regulators must follow. Broadly, under Article 83(1) a fine must be effective, proportionate and dissuasive, so that the organisation is deterred from repeating the same error or taking the same action again.

As well as meeting these criteria, regulators must assess each case on its own circumstances rather than applying blanket rulings. Article 83(2) lists the factors to be taken into account, including the nature, gravity and duration of the infringement, the number of people affected, whether the infringement was intentional or negligent, any action taken to mitigate the damage, any previous infringements, and the degree of cooperation with the regulator.

What does it mean that Amazon is appealing the fine?

No organisation wants to admit falling foul of the GDPR, particularly when it comes to claims of failing to obtain valid consent for handling people’s personal data. It is therefore no surprise that Amazon is appealing, that is, challenging, the fine against it.

Furthermore, if Amazon is found to be processing personal data in breach of the GDPR, it may have to overhaul parts of its EU marketing strategy: for example, changing how it gathers people’s personal information, how it obtains and refreshes consent, and possibly its marketing approach altogether. This would be a real headache for any company.

How likely the appeal is to succeed is hard to say right now. The GDPR is new law, having applied only since 2018, so there are few, if any, comparable cases on the fines handed out. As a result, elements of the law are untested, and Amazon may argue that the GDPR’s consent requirements are ambiguous as applied to its advertising. In other words, it could get off on a technicality.

Similarly, because technology advances so rapidly, data protection law struggles to keep up. This creates grey areas where companies may think they are on the right side of the law but are misinterpreting it and putting themselves at risk of a compliance failure. We see this frequently in the Real-Time Bidding arena, which we have written a blog post about here.

Need help?

If you need help meeting your data protection obligations, we can assist. Contact us to find out how.


Written by Sandra May

Sandra is an experienced senior data protection consultant and is a designated DPO for Evalian™ clients. Sandra spent much of her career as a litigation lawyer and over the last ten years has specialised in data protection. Her qualifications include the BCS Practitioner Certificate in Data Protection and the ISEB Certificate in Data Protection, and she is a FCILEx (Fellow of the Chartered Institute of Legal Executives).