Online shopping giant Amazon has been hit with a record-breaking €746 million fine by Luxembourg’s Commission Nationale pour la protection des données (CNPD), an independent public agency established to monitor the legality of the collection and use of personal information, for alleged GDPR violations regarding how it performs targeted behavioral advertising.

On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation. The decision imposes a fine of €746 million and corresponding practice revisions. We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.

The decision comes from a complaint filed by La Quadrature du Net in 2018 against Amazon Europe Core SARL, Amazon EU SARL, Amazon Services Europe SARL and Amazon Media EU SARL, and Amazon Video Limited.

The complaint alleges that Amazon is analyzing users’ behavior to build profiles used for targeted advertising. The creation of these behavioral profiles is being done without a user’s consent and thus violates GDPR.

In a statement given to The Wall Street Journal, Amazon says, “the proposed fine is entirely out of proportion with even that interpretation.” The WSJ notes that the GDPR (General Data Protection Regulation) allows for fines of up to 4 percent of a company’s revenue, with the released number amounting to about 4.2 percent of Amazon’s reported $21.3 billion income for 2020.

Amazon:

Maintaining the security of our customers’ information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.

This fine is the largest ever issued by the European Union for GDPR violations.