Luxembourg’s National Commission for Data Protection (CNPD) has imposed an unprecedented fine of €746 million (£636 million) on Amazon after finding the company guilty of not acting in compliance with the GDPR.
Even though CNDP, Luxembourg’s National Commission for Data Protection, has not officially announced the imposition of the record-breaking fine, the news came to light through Amazon’s recent filing with the U.S. Securities and Exchange Commission in which the company declared its financial results.
In the SEC filing, Amazon said the fine was imposed after CNDP came to the conclusion that the company’s processing of personal data was not in compliance with the GDPR. Aside from imposing a fine of £636 million, CNDP has also asked the company to revise its data processing practices.
“On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation.
“The decision imposes a fine of €746 million and corresponding practice revisions. We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter,” Amazon said.
The fact that Amazon was about to face a major GDPR fine in Europe first leaked out in June this year. The Wall Street Journal reported then that Luxembourg’s National Commission for Data Protection was planning to impose a fine of €350 million on Amazon after discovering various data protection failings on part of the company.
CNDP reportedly sent copies of its draft decision to data protection authorities in other EU countries so as to arrive at a decision that reflected the views of all the authorities. WSJ learned that some data protection authorities were not happy with the €350 million figure and wanted CNDP to impose a much larger fine to Amazon.
Commenting on the GDPR fine imposed on Amazon, Ilia Kolochenko, the founder of ImmuniWeb, says that Article 83 of GDPR is very specific about its penalties: security-related incidents are fined by up to 2% of the annual turnover, while violations such as lack of consent or unlawful data processing are punished more severely by a fine going up to 4%. Thus, Amazon’s statement that no data breach has occurred is probably not very relevant to the case.
“In view of the recent GDPR-related litigation in the EU and available jurisprudence, the fine, however, indeed seems to be excessive and will likely be significantly reduced on appeal. Amazon will undoubtedly endeavor to win the case in court on appeal.
“The outcome of this case will likely be influenced by politics, as such punitive actions by the EU may strongly discourage American companies doing business in Europe. Furthermore, it may motivate US states, that are now rapidly implementing state privacy laws, to retaliate by imposing mirrored penalties upon European companies. The long-awaited federal privacy law in the US should hopefully harmonize data protection regimes and finally bring peace of mind both to consumers and businesses on the two sides of the pond,” he added.