The Internet giant Amazon was sentenced to a fine of 746 million euros in Luxembourg for a breach of the GDPR. We have analyzed the ruling and the background in detail.
The Luxembourg data protection authority CNPD (Commission Nationale pour la Protection des Données) has imposed a fine of almost three quarters of a billion euros on the US corporation. The decisive factor is said to be a violation of the GDPR that has not yet been officially explained. The Grand Duchy of Luxembourg is the headquarters of Amazon’s European subsidiary, which also gives rise to the authority’s jurisdiction.
Background to the ruling
The current ruling was triggered by a class action lawsuit initiated more than three years ago by the activists of the French organization La Quadrature du Net. More than 10,000 French residents joined the lawsuit. In a blog post dated July 30, 2021, the organization welcomes the decision and sees itself finally vindicated by the current ruling: targeted advertising on Amazon is not based on the free consent of the user and therefore violates the GDPR.
What exactly is Amazon accused of?
- Products and services searched for in the stores
- Downloaded, streamed or displayed content
- Images, videos and other files uploaded or streamed on Prime Photos, Amazon Drive or other Amazon services
- Logins, email addresses, and passwords
- IP addresses
- URL clickstream, i.e., sequence of pages viewed, including date and time, and interaction between pages (e.g., scrolling, clicking, mouse-overs)
According to the indictment, the collection and further processing of this data is neither covered by legitimate interests nor a necessity in the course of contract performance. In addition, Amazon did not obtain explicit consent from the user for ad tracking.
With this ruling, the Luxembourg data protection authority has now confirmed that Amazon is unlawfully processing personal data. The original complaint of May 28, 2018 is available on the website of La Quadrature du Net as a download in French .
Who is La Quadrature du Net?
La Quadrature du Net was founded in 2008 by five French activists and has its roots in opposition to copyright legislation in France. On its website, the organization presents itself as a “defender of fundamental freedoms in the digital world.” Its goal, it says, is to fight against “censorship and surveillance, both from statist and private companies” and to work for a “free, decentralized and empowering Internet.”
Amazon contradicts the allegations
The decision was made public by Amazon itself, in a quarterly report to the Securities and Exchange Commission (SEC). There, under the heading “Legal Proceedings”, you will find a few lines on the facts of the case. In addition to the amount of the fine, July 16, 2021 is mentioned as the date for the ruling. It is also briefly noted that, in addition to the payment, a corresponding practice revision is also part of the conditions. The exact nature of the breach remains largely unclear here as well, it is only mentioned that the allegations are about the processing of personal data not being in compliance with the GDPR.
La Quadrature du Net has also commented on this in the aforementioned blog post: the complaint is also not about occasional violations of security standards, but about the system of targeted advertising itself .
Record payment possible
If Amazon is unsuccessful with its appeal, it would be the highest fine ever paid by a company for a breach of the GDPR. Around 15 times more than the 50 million euros to which Google was sentenced in 2019.
But you also have to put the sum of 746 million euros in the overall context and look at the possible range of penalties. According to the GDPR, fines can amount to up to four percent of annual turnover, and that was around $380 billion for Amazon in 2020. 746 million euros would correspond to just 0.22 percent.
The data protection activists from La Quadrature du Net, at any rate, are celebrating the decision, saying the fine is historic and strikes directly at the heart of the “predatory system of big tech.” At the same time, they criticize the Irish Data Protection Authority for failing to bring any of its other complaints against Facebook, Microsoft, Apple and Google to a conclusion in three years.
Ultimately, it remains exciting to see how the tussle between data protectionists and tech giants will play out in the future. Even higher penalties are quite likely.