The Data Protection Authority of Luxembourg, Commission Nationale pour la Protection des Données (CNPD), has penalized Amazon.com with €746 million ($886 million) to settle its EU General Data Protection Regulation (GDPR) violations.
Since May 25, 2018, the GDPR has been in effect giving EU citizens legal rights regarding their personal data and put limitations on entities and companies conducting business with EU citizens with respect to using and disclosing their personal data.
In 2018, La Quadrature du Net, a French privacy advocacy group, submitted to CNPD a complaint about Amazon’s supposed GDPR violations. CNPD has jurisdiction because Amazon’s European headquarters are located in Luxembourg. Paying the financial fine will take care of that complaint, though Amazon is considering making an appeal regarding the fine and that procedure will most likely take a couple of months or years.
The complaint is about the way Amazon gets permission from clients to utilize their personal information for sending targeted ads. CNPD hasn’t publicly revealed the precise nature of the supposed violations and gave a statement mentioning that the Luxembourg laws do not allow commenting on specific legal cases.
The penalty was charged to Amazon on July 16, 2021 and was shared by Amazon in its July 30 Q2 Securities and Exchange Commission (SEC) submission. Amazon stated that the fine has no merit and that it is going to rigorously defend itself with regard to this issue. The retail giant strongly argues the CNPD’s judgment and has the intention to appeal it. The judgment pertaining to the way Amazon presents relevant advertisements to customers depends on subjective and unproven interpretations of European privacy regulation, and the offered fine is completely disproportionate with that presentation, stated Amazon.com.
The GDPR violation charges is high, but it may have been much greater. The max fine for a GDPR violation is €20 million, or 4% of global yearly income for the past year, whichever is greater. In 2020, Amazon produced $386 billion in income worldwide, therefore the highest possible financial penalty is $15.4 billion.
Although huge financial charges are likely for egregious GDPR violations, in the three years of enforcing GDPR compliance, there were some big fines. In 2020, the prior record shows the €50 million ($59.4 million) penalty imposed on Google by the French Data Protection Authority, then the €35 million ($41.6 million) penalty imposed on the apparel merchant H&M (Germany), and the €27.8 million ($33 million) penalty imposed on the Italia (Italy) Telecom.