We were promised huge fines, and GDPR has finally delivered. Last week Amazon’s financial records revealed that officials in Luxembourg are fining the retailer €746 million ($883 million) for breaching the European regulation.
The fine is unprecedented: It’s the biggest GDPR fine issued to date and is more than double the amount of every other GDPR fine combined. The financial penalty, which Amazon is appealing, comes at a time when GDPR is feeling the strain of lax enforcement and measly fines. Experts say companies are allowed to get away with abusing people’s privacy as GDPR investigations are too slow and ineffective. Some people even want GDPR to be ripped up entirely.
But Luxembourg’s action against Amazon stands out for two reasons: First, it shows the potential power of GDPR; second, it exposes cracks in how inconsistently such regulations are applied across the EU. And for both of these reasons it is arguably the most important GDPR decision issued.
“With so many large cases piling up in front of regulators, we were really waiting for one of those cases to be resolved to show that the GDPR basically has teeth,” says Estelle Massé, the global data protection lead at nonprofit internet advocacy group Access Now. La Quadrature du Net, the French civil liberties group that originally made the complaint against Amazon, said that regulators had given it “hope” that legal action could be brought “against Big Tech.”
Despite the headline-grabbing fine, little is really known about the details of what Amazon has been fined for. The case was taken on by officials in Luxembourg because the country acts as Amazon’s main base in Europe. The tiny nation has historically been labeled as a tax haven—although accusations of Amazon avoiding tax in the country have been rejected by the European courts. But by fining Amazon, Luxembourg’s National Commission for Data Protection has, at least for the short term, launched itself into the pro-privacy spotlight.
La Quadrature du Net’s original May 2018 complaint, which was filed on behalf of 10,000 people, claimed that Amazon’s advertising system isn’t based on “free consent.” But that’s about all we know. The Luxembourg regulator says it issued a decision against Amazon on July 15 but it hasn’t published any more details. A spokesperson for the authority says that “professional secrecy” laws in Luxembourg mean it can’t publish any details until an appeal process has been completed. And Amazon—which is incredibly data hungry—says it will appeal the fine.
“There has been no data breach, and no customer data has been exposed to any third party,” an Amazon spokesperson says. That’s all well and good, but companies don’t need to have suffered a data breach to break GDPR rules. The spokesperson goes on to claim that the ruling in Luxembourg, which concerns how the company shows customers “relevant advertising,” is based on “subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
Amazon may have a point. It’s possible that any appeal process or negotiation may bring the fine down—last year the UK data protection regulator’s fine against British Airways dropped from £184 million ($256 million) to just £20 million ($28 million). Another, against hotel group Marriott, was reduced from £99 million ($137 million) to £18 million ($25 million).
The €746 million Amazon fine is far bigger than anything that’s come before—a €50 million fine against Google holds the current record. While GDPR allows potentially huge fines to be issued, the reality is that it was always unlikely regulators would issue them. Up to the start of 2021, a total of €272 million ($322 million) in GDPR fines had been issued by all of Europe’s regulators combined, according to analysis from law firm DLA Piper. Italy’s data protection body, which had issued €69.3 million in fines, has led the way. Germany (€69 million), France (€54 million), and the UK (€44 million) follow.