The proposed record-breaking €746m (£636m) GDPR fine against Amazon exposes the risks all businesses face from complaints lodged by individuals and privacy groups and should be a wake-up call to any firm which handles customer data, not just tech giants.
That is the stark warning from one legal expert after Amazon reported, in a regulatory filing the company submitted to the US Securities & Exchange Commission on Friday, that the Luxembourg data regulator planned to issue the penalty.
Reports first emerged in June that Luxembourg’s National Commission for Data Protection (Commission Nationale pour la Protection des Données) had circulated a draft decision on the fine to EU member states, although at the time it was said to be for €350m (£301m).
According to The Wall Street Journal, the investigation covered whether Amazon was using customer data to inform targeted advertising without users’ permission through its online shopping site.
However, while the Luxembourg regulator has confirmed the decision is in relation to GDPR, it has not published any details of the case in the public domain.
This is not unusual; it has only issued four fines under GDPR, totalling just €7,900 (£6,790), and no details of these infringements were disclosed either.
In response, Amazon said: “Maintaining the security of our customers’ information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We believe the decision to be without merit and intend to defend ourselves vigorously in this matter.
“The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
This would suggest that the fine is based on an adtech breach, an issue that is currently under investigation across the EU as well as in the UK and one that is proving a tough nut to crack for regulators due to the complexity of the market. Any businesses involved in supplying data, however, could also be under threat.
Wouter Seinen, a partner at Pinsent Masons Amsterdam, said: “The unconfirmed reports of the origins of this decision highlight the increased risks businesses face from complaints raised by private individuals and interest groups.
“We have already seen a rise in data protection-related litigation in Europe and now this case of the CNPD’s in Luxembourg against Amazon shows their potential influence in driving enforcement action by data protection authorities. This case is unlikely to be the last of this kind.”
According to a recent analysis, there have been 648 GDPR penalties issued across the EU over the past three years, totalling €283,673,083, with the Italians leading the way on over €70m in penalties.
The current record fine is against Google: a €50m (£44m) penalty for failing to be transparent in its consent policies.