The Commission Nationale pour la Protection des Données (“CNPD”) of the Grand-Duché of Luxembourg – Luxembourg’s data protection authority – issued a decision imposing a €746 million fine for violations of the General Data Protection Regulation (“GDPR”) against Amazon’s main European entity, Amazon Europe Core S.à r.l. This is the largest fine ever proposed for alleged GDPR violations – over double the amount of all such fines to-date combined. The CNPD’s decision has not yet been published, pending exhaustion of the legal process in Luxembourg, but the proposed fine came to light in a regulatory filing from Amazon published on July 30, 2021 and from statements published by the Commission Nationale Informatique & Libertés of France (“CNIL”). Amazon has expressed the intention to appeal the CNPD’s decision, stating in its regulatory filing, “We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”
The decision stems from a complaint originally brought by a French consumer advocacy group (La Quadrature du Net) against Amazon at the CNIL in May 2018. The complaint alleged that Amazon violated GDPR by not obtaining users’ consent for its targeted advertising practices. As Amazon’s European operations are headquartered in Luxembourg, the CNIL referred the matter to the CNPD.
According to the letter CNIL sent to La Quadrature du Net, in addition to payment of the €746 million fine, Amazon must take additional steps to bring its targeted advertising practices into compliance with the GDPR, improve the transparency of its practices, and implement measures to better respond to data subject rights requests. According to this report, Amazon has six months to implement these practices, or the CNPD will impose a fine of €746,000 for every subsequent day of non-compliance.
While the reasoning behind the decision is not yet available, the CNPD must have determined that the alleged violations were serious. The GDPR provides that when deciding on the amount of a fine, due regard shall be given to “the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.”