Internet giant Amazon has been fined 746 million euros in Luxembourg for violating the GDPR. We have analyzed the verdict and the background in detail.
The Luxembourg data protection authority CNPD(Commission Nationale pour la Protection des Données) has imposed a fine of almost three quarters of a billion euros on the US company. The decisive factor is said to be a breach of the GDPR that has not yet been officially explained. The Grand Duchy of Luxembourg is home to Amazon's European subsidiary, which also gives rise to the authority's jurisdiction.
Background to the judgment
The current ruling was triggered by a class action lawsuit initiated more than three years ago by activists from the French organization La Quadrature du Net. More than 10,000 French residents joined the lawsuit. In a blog post dated 30 July 2021, the organization welcomes the decision and sees itself finally confirmed by the current ruling: targeted advertising on Amazon is not based on the free consent of the user and therefore violates the GDPR.
What exactly is Amazon accused of?
In its privacy policy, Amazon lists examples of information that is processed when using its services. These include(amazon.de privacy policy as of 04.12.2020):
Searched products and services in the stores
- Downloaded, streamed or displayed content
- Images, videos and other files that are uploaded or streamed to Prime Photos, Amazon Drive or other Amazon services
- Logins, email addresses and passwords
- IP addresses
- URL clickstream, i.e. sequence of pages accessed, including date and time, as well as interaction between pages (e.g. scrolling, clicking, mouse-overs)
According to the indictment, the collection and further processing of this data is neither covered by legitimate interests nor by a necessity in the course of fulfilling the contract. Furthermore, Amazon does not obtain explicit consent for ad tracking from the user.
With this ruling, the Luxembourg data protection authority has now confirmed that Amazon is processing personal data unlawfully. The original complaint dated May 28, 2018 is available for download in French on the website of La Quadrature du Net .
Who is La Quadrature du Net?
La Quadrature du Net was founded in 2008 by five French activists and has its roots in opposition to copyright legislation in France. On its website, the organization presents itself as a "defender of fundamental freedoms in the digital world". The aim is to fight against "censorship and surveillance, both by the state and by private companies" and to work for a "free, decentralized and empowering Internet".
Amazon refutes the allegations
The decision was made public by Amazon itself in a quarterly report for the Securities and Exchange Commission (SEC). It contains a few lines on the facts of the case under the heading "Legal Proceedings". In addition to the amount of the fine, the date of the ruling is given as July 16, 2021. It is also briefly noted that, in addition to the payment,corresponding practice revisions are also part of the conditions. The exact nature of the infringement also remains largely unclear here, with the only mention being that the allegations relate to the processing of personal data in non-compliance with the GDPR.
La Quadrature du Net has also commented on this in the aforementioned blog post: the complaint is not about occasional violations of security standards, but about the system of targeted advertising itself.
Record payment possible
If Amazon's appeal is unsuccessful, it would be the highest fine ever imposed on a company for a breach of the GDPR. Around 15 times more than the 50 million euros that Google was fined in 2019.
However, the sum of 746 million euros must also be placed in the overall context and the possible range of penalties considered. According to the GDPR, fines can amount to up to four percent of annual turnover, which was around 380 billion dollars for Amazon in 2020. 746 million euros would correspond to just 0.22 percent.
Data protection activists from La Quadrature du Net are celebrating the decision, saying that the fine is historic and goes straight to the heart of the "Big Tech predatory system". At the same time, they criticize the Irish Data Protection Authority, which has not managed to bring any of its other complaints against Facebook, Microsoft, Apple and Google to a conclusion in three years.
Ultimately, it remains exciting to see how the struggle between data protectionists and tech giants will play out in the future. Even higher penalties are quite likely.
