Amazon fined record £636 million for GDPR breaches

In June 2021, we reported that Amazon was facing a possible fine of around £300 million for alleged GDPR breaches. This followed a draft decision issued by Luxembourg’s National Commission for Data Protection (the CNPD). The proposed fine was significantly higher than any previous fine issued by EU authorities for data protection breaches but needed to be agreed between the EU authorities.

However, after consultations with the other data protection authorities within the EU 27, the CNPD has more than doubled the fine to £636 million. The CNPD has not officially announced the fine, which Amazon revealed in its regulatory filing on Friday 30 July 2021.

The CNPD has not published details of the alleged breaches but reports at the time of the draft decision suggest that they concern Amazon's privacy practices and the way that personal data is collected and used for marketing purposes. Amazon strongly denies any wrongdoing. It says that the fine is “without merit” and that “there has been no data breach, and no customer data has been exposed to any third party”. It also says it intends to appeal the decision.

The CNPD has not commented since issuing the fine. 

Comment 

The decision to increase the fine after proposing a lower figure in the draft decision demonstrates the growing confidence of Data Protection Authorities to exercise the powers given to them by the GDPR.  Under the GDPR, they can issue a fine of up to £20m or 4% of a company’s annual global turnover (whichever is higher). Data Protection Authorities must consider the seriousness, duration and nature of a breach when deciding to issue a penalty. It remains to be seen what prompted the higher figure in this case, but it is possible that reported calls for a larger fine from some of the other EU privacy regulators may have prompted this.

Although this is not the end of the matter, with Amazon’s appeal still to be heard, it does highlight the potential penalties that await companies who do not comply with their GDPR responsibilities. 

In the UK, the ICO significantly reduced proposed fines against both British Airways and Marriott from the figure set out in the original notices of intent to fine.  In the case of British Airways, the fine went down from a proposed £183.39 million to £20 million. In the case of Marriott, it went down from £99.2 million to £18.4 million. In both cases, the ICO took into account the economic impact of Covid-19 on the travel and hospitality industries when finalising the penalty. Of course, Covid-19 would not have been a relevant factor for Amazon as its business has thrived during the pandemic.