We were promised large fines and GDPR has finally been delivered. Last week Amazon’s financial records revealed that officials in Luxembourg fined the retailer 746 million euros (883 million dollars) for violating European regulations.
The penalty is unprecedented: it is the largest GDPR penalty ever issued and is more than twice as high as any other GDPR penalty combined. The financial penalty, which Amazon is complaining about, comes at a time when the GDPR is feeling the pressure of loose application and miserable penalties. Experts say companies are allowed to abuse people’s privacy because GDPR investigations are too slow and ineffective. Some people even want the GDPR to be completely torn.
But Luxembourg’s action against the Amazon stands out for two reasons: First, it shows the potential power of the GDPR; second, it reveals cracks in the extent to which such regulations are inconsistently applied in the EU. And for both of these reasons, this is probably the most important decision about the GDPR.
“With so many big cases piling up in front of regulators, we were really waiting for one of those cases to be resolved to show that the GDPR basically has teeth,” says Estelle Massé, global data protection leader at the nonprofit internet advocacy group Access Sad. La Quadrature du Net, the French civil liberties group that originally filed a lawsuit against Amazon, said regulators had given it “hope” that a legal lawsuit “against Big Tech” could be launched.
Despite great newspaper headlines, little is known about the details of why Amazon was punished. The case was taken over by officials in Luxembourg because the country is acting as the main Amazon base in Europe. The tiny nation has historically been labeled as tax haven– although there were accusations in the country of Amazon to evade taxes rejected by European courts. But by punishing Amazon, Luxembourg’s National Data Protection Commission has, at least briefly, launched itself into the spotlight for privacy.
La Quadrature du Net’s original appeal from May 2018, filed on behalf of 10,000 people, claimed that Amazon ‘s advertising system was not based on “free consent”. But that’s all we know. The Luxembourg regulator says it made a decision against Amazon on July 15, but did not release more details. A spokesman for the body says the “professional secrecy” laws in Luxembourg mean they cannot release any details until the appeal process is completed. And Amazon – which is amazing data hungry“He says he will appeal the sentence.”
“There was no data breaches, nor was customer data exposed to a third party,” an Amazon spokesman said. That’s all right, but companies don’t have to suffer data breaches to break GDPR rules. The spokesman further argues that the Luxembourg ruling, which is based on how the company presents “relevant advertising” to users, is based on “subjective and unverified interpretations of European privacy law, and the proposed fine is not fully proportionate to even that interpretation.”
Amazon may be right. It is possible that any appeal procedure or negotiation could reduce the fine – last year the fine of the British data protection regulator against British Airways fell from 184 million pounds (256 million dollars) to only £ 20 million ($ 28 million). The second, against the Marriott hotel group, was reduced by £ 99 million ($ 137 million) to £ 18 million ($ 25 million).
Amazon’s € 746 million fine is far higher than anything before – a € 50 million fine against Google holds it current record. Although the GDPR allows for the imposition of potentially large fines, the reality is that it was it is always unlikely that regulators would issue them. By the beginning of 2021, a total of 272 million euros ($ 322 million) of GDPR fines have been imposed by all European regulators together, according to an analysis by the law firm FOR Piper. The Italian data protection authority, which issued 69.3m euros in fines, took the lead. They are followed by Germany (69 million euros), France (54 million euros) and the United Kingdom (44 million euros).