Amazon.com Inc. faces the biggest ever European Union privacy fine after leading privacy watchdog hit it with a 746 million-euro ($888 million) penalty for violating the bloc’s signature privacy law for data protection rules. On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon. CNPD accused the online retailer of processing personal data in violation of the EU’s General Data Protection Regulation (GDPR). The fine came following an investigation into the way Amazon processes customer data and was revealed in a regulatory filing by the company.
The decision concludes a probe which started in 2018 by the French privacy group, La Quadrature du Net. The group claims it represents the interests of thousands of Europeans to ensure their data isn’t used by big tech companies to manipulate their behavior for political or commercial purposes. The French privacy group which cautiously welcomed the decision against Amazon didn’t immediately respond to the request for comment. Bastien Le Querrec, a member of La Quadrature’s litigation team says “It’s the first step to see a fine that’s dissuasive, but we need to remain vigilant and see if the decision also includes an injunction to correct the infringing behavior.” The CNPD has not publicly committed to its decision, and Amazon didn’t specify what revised business practices the commission is proposing.
Amazon has expressed utmost dissatisfaction and disagreement over the decision, saying the decision is “without merit”. In a statement, the online retailer insists “There has been no data breach, and no customer data has been exposed to any third party,” adding that it plans to appeal and vigorously defend itself. “These facts are undisputed. We strongly disagree with the CNPD’s ruling,” says Amazon. The decision by CNPD imposes a fine of €746 million and converts to about $887 million, and would be the largest fine ever under Europe’s data protection law.
In a statement in The Wall Street Journal, Amazon insists, “the proposed fine is entirely out of proportion with even that interpretation.” The WSJ mentioned that GDPR (General Data Protection Regulation) regulations allow for fines of up to 4 percent of a company’s revenue, with the released number amounting to about 4.2 percent of Amazon’s reported $21.3 billion income for 2020. EU commissioners in November 2020 announced that it was their belief Amazon’s retail business misused non-public data to compete with other sellers in France and Germany.
The fine marks the latest example of European regulators zeroing in on Big Tech. Officials in Europe and the UK have increasingly been scrutinizing the business practices of companies including Amazon, Apple, Facebook, and Google amid allegations they have harmed competition and abused consumer privacy. GDPR, or the General Data Protection Regulation, seeks to rein in how digital platforms use consumer data and regulate data breaches. In a further statement, Amazon maintains customer information had not been leaked or exposed. The statement says “Maintaining the security of our customers’ information and their trust are top priorities,” it further explains “There has been no data breach, and no customer data has been exposed to any third party.”