Amazon faces £300 million fine for GDPR breaches

Luxembourg’s Data Protection Commission, the CNPD, has proposed fining Amazon more than $425 million, approximately £300 million, for alleged GDPR breaches relating to Amazon’s collection and use of personal data. 

Draft decision issued 

The CNPD has circulated a draft decision to the EU’s 26 national data protection authorities to consider. The CNPD is leading the investigations as Amazon’s regional headquarters are in Luxembourg. The draft will need to be agreed between the authorities before it is finalised.

The CNPD has not published details of the alleged breaches, but according to reports it is believed they concern Amazon's privacy practices and the way it collects personal data and uses it for marketing purposes. The breaches, however, are not believed to include Amazon Web Services (AWS) cloud computing service.

A handful of authorities are believed to have objected to the draft decision with at least one stating that the fine should be higher. These objections will be considered and, if possible, resolved collaboratively between the authorities. However, if the objections are rejected there will be a debate and vote among all EU privacy regulators at the European Data Protection Board to reach agreement.

We will continue to monitor developments.

Comment 

The proposed fine would be the highest GDPR fine to date. The current highest fine is Google’s €50 million fine issued by the French data protection authority, CNIL, relating to Google’s data consent policies (although Google did receive a higher fine of €100 million, split between its Irish and American subsidiaries concerning its unlawful use of cookies under different legislation). However, the proposed fine is still well below the potential maximum of 4% of global turnover, as it only represents around 0.1% of Amazon’s annual sales. 

The progress of the level of fine will be interesting - in the UK, both the proposed fines against British Airways and Marriott were significantly lowered by the ICO after it served the original notice of intent (from £183.39 million to £20 million for British Airways, and £99.2 million to £18.4 million for Marriott). We will need to see if there is a similar outcome here, although it should be noted that while the travel and hospitality sectors have been seriously adversely affected by Covid-19, Amazon’s business has, in contrast, thrived.

The draft decision shows data authorities beginning to tighten their grip on companies that breach GDPR rules. It also signals their greater confidence in using the higher penalties available to them when needed. Big tech companies are clearly on the radar - Ireland’s Data Protection Commission has suggested it expects to issue draft decisions in roughly half a dozen privacy cases involving big tech companies this year.