The Luxembourg Data Protection Authority (the “Commission Nationale pour la Protection des Données” or “CNPD”) has issued the largest GDPR financial penalty to date against Amazon.com Inc. Amazon disclosed the $888 Million fine in a July 29, 2021 regulatory filing. Prior to this ruling, the largest GDPR penalty was against Google in the amount of $57 Million.1
At the time of this writing, it’s not entirely clear what specific violations triggered the record-breaking penalty. As reported by hipaajournal.com: “CNPD has not publicly disclosed the exact nature of the alleged violations and issued a statement saying it is against Luxembourg law to comment on individual legal cases.”
We do know that the penalty arises from a 2018 complaint filed by privacy watchdog La Quadrature du Net on behalf of approximately 10,000 individuals. La Quadrature du Net stated in a public post that “the targeted ad system that Amazon forces onto us is not based on free consent, which is a violation of the GDPR.”
Amazon has disputed the ruling and stated that CNPD’s decision is without merit. As reported by the Wall Street Journal, Amazon further stated, “The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
The GDPR provides two tiers of financial penalties. The first tier, for less severe infringements, allows for penalties of up to €10 Million or 2% of an undertaking’s worldwide annual revenue. The second tier, for infringements of core privacy principles (such as the basic principles for data processing and obtaining individual consent), may result in penalties of up to €20 Million or 4% of an undertaking’s worldwide annual revenue.
Applying these percentages to Amazon’s actual 2020 revenue, the maximum GDPR penalty could have exceeded $15 Billion.