Amazon faces £637 million fine over GDPR violations

Amazon is facing a potential €746 million (approximately £637 million) fine for the unlawful processing of personal data, following a GDPR ruling by Luxembourg’s data protection regulator.

The ruling was initially made on 15 July but only became public knowledge when mentioned as part of Amazon's latest quarterly earnings report. If it goes ahead, the fine would be the largest data protection penalty in industry history.

This €746 million fine would represent a sum that’s more almost 15-times greater than the €50 million penalty that French data regulator CNIL administered against Google in 2019.

Amazon didn’t explain the specific basis for such a relatively large penalty in its legal filing, nor has the Luxembourg National Commission for Data Protection (CNPD) made the details around the case public.

The regulator confirmed with IT Pro, however, that the decision was made on the basis of the one-stop-shop principle set out in Article 60 of GDPR.

This means Luxembourg was nominated as the lead supervisory authority in a case against Amazon based on alleged violations that occurred across borders and in several EU territories. The CNPD was chosen to investigate Amazon because the firm’s European headquarters is based in Luxembourg.

The CNPD claims the nation’s own local data protection laws have bound the authority to “professional secrecy” when taking regulatory action. According to these laws, details about the case cannot be published - or publicised - until Amazon’s deadline for appeals expires.

Amazon said the regulator’s decision has been made without merit, and that it plans to defend itself “vigorously”. Although the firm is able to appeal the decision, the regulator didn’t indicate how long this process might take.

Despite such a large fine cited, there’s also every chance that it can be drastically lowered over the course of regulatory proceedings. For example, the UK’s Information Commissioner’s Office (ICO) had initially issued a notice of intent to fine BA and Marriott £183 million and £99 million respectively in July 2019. This was eventually watered down to £20 million and £18.4 million in October 2020, with the ICO citing a number of mitigating circumstances, including the economic effects of the pandemic.

Prior to GDPR coming into force, many businesses widely expected the new data protection laws to usher in an era of massive, eye-watering fines that would cripple businesses found to have fallen foul of the rules. This was based on the provision that an organisation can face a fine of up to €20 million or 4% annual turnover, whichever is higher.

In practice, however, such fines have been a rarity, despite a high volume of cases.

The Irish data protection regulator too, which is itself the lead supervisory authority in a number of cases against big tech giants, hasn’t yet worked through a lengthy backlog of legal challenges. So far, the Irish Data Protection Commission (DPC) has issued a €450,000 fine against Twitter, alongside a provisional decision in January 2021 to fine WhatsApp €50 million, although this is subject to legal review.