A judgment with force: Luxembourg draws the line on data protection
746 million euros - that's how much Amazon has to pay for data protection violations. This has now been finally decided by the Administrative Court in Luxembourg. And that is a real exclamation mark: Even the really big players on the Internet are not allowed to do what they want - especially not with our data.
What's behind this? Luxembourg's national data protection authority (CNPD) had already asked Amazon to pay up in 2021. The accusation: the company had processed user data for targeted advertising - without obtaining the express consent of users. This violates the European General Data Protection Regulation (GDPR) in several ways.
Advertising without consent? Not with the GDPR!
The CNPD found during its investigation: Amazon had not only violated the rules on consent, but also transparency obligations. Users were not sufficiently informed about what happens to their data - and this is a clear violation according to the GDPR.
According to the court, Amazon has also violated important user rights, such as the right to information about what data is stored and the right to erasure. For many, this sounds abstract - but at its core, it's about something very concrete: anyone who uses the internet should be able to decide for themselves what happens to their own data. Period.
Amazon had originally contested the fine and claimed that no personal data had been misused or passed on. The penalty was excessive. However, the Luxembourg Administrative Court took a different view: the judges upheld the data protection authority's decision in full. The company must not only pay, but also implement measures to rectify the data protection deficiencies.
And what about Meta? The list of data protection offenders is growing
Interesting fact: Despite this high sum, Amazon is not the frontrunner when it comes to GDPR penalties. This title is currently held by Meta (formerly Facebook). In 2023, the tech giant was fined even more by the Irish data protection authority - 1.2 billion euros. This also involved data processing without a legal basis.
The case shows that Europe is serious about data protection. Anyone who processes the personal data of millions of users must adhere to clear rules - no matter how big the company is.
What does that mean for us?
For consumers, the ruling is a strong signal: our data is not a self-service store. Companies must explain what they do with our information - and we must give our consent before anything happens. This is exactly what the GDPR wants. The fact that a company as powerful as Amazon is now losing in court shows that Data protection is more than just a fig leaf. It is a fundamental right.
It remains to be seen whether Amazon will take further action against the ruling. An appeal to the Luxembourg Supreme Court would be possible. But one thing is clear: the European data protection landscape has changed. The time when you could simply do whatever you wanted is over.
