Amazon is reportedly facing the largest GDPR fine on record – an eye-watering €350m (£301m) – following an investigation by the Luxembourg data protection authority into how the online giant is using customer data without consent.
According to The Wall Street Journal, Luxembourg’s National Commission for Data Protection (Commission Nationale pour la Protection des Données) has circulated a draft decision on the fine, although it is claimed that some member states believe the penalty should be increased.
The investigation was conducted in Luxembourg as Amazon’s European HQ is based in the country. It investigated whether Amazon was using customer data to inform targeted advertising without their permission through its online shopping site.
While the €350m would dwarf the current record – the French authority’s €50m (£43m) fine against Google’s – it would still represent just 2% of Amazon’s global annual turnover. Under GDPR, regulators can fine a company up to 4% of its global annual turnover, or €20m, whichever number is larger.
However, Luxembourg’s regulator has not exactly taken to GDPR enforcement with gusto. So far, it has only issued four fines, totalling just €7,900 (£6,790) and all those were announced on a single day last month.
According to a recent analysis, there have been 648 GDPR penalties issued across the EU over the past three years, totalling €283,673,083, with the Italians leading the way on over €70m in penalties.
The study, carried out by the Atlas VPN team, is based on the CMS.Law GDPR Enforcement Tracker and is an update on an analysis by Decision Marketing, published in October last year.
Last week it emerged that the UK Competition & Markets Authority is planning to kick off a formal investigation into Amazon.
Brussels is already investigating Amazon and how the company is using data to advance its own products to the potential detriment of rivals. This probe is in its advanced stages but it could still run for another year or longer. The UK investigation is likely to cover similar ground.
Related stories
Now Amazon faces full-scale CMA probe into data abuse
Tech giants face tailored rules – and fines – in CMA plan
New Digital Markets Unit ‘to bring tech giants to heel’
Tech firms must face AI curbs, says Govt advisory body
GDPR fines near €300m as Italian stallions lead way
GDPR three years on: ‘The aperitif to a cookieless world’
Irish DPC faces new showdown as MEPS vote for action