In a regulatory filing on Friday, Amazon revealed that Luxembourg’s National Commission for Data Protection (CNPD) has hit the company with a record $746 million euro fine ($887 million). If it stands, it will be the largest penalty ever handed out due to Europe’s data protection rules. Bloomberg reports CNPD issued its decision on July 16th. The group accused Amazon of processing personal data in violation of the EU’s General Data Protection Regulation (GDPR). Of course, this is about more than just a fine. The CNPD is also demanding that Amazon stop the practices that resulted in the alleged violation.
“On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation,” Amazon explained in its 10-Q filing. “The decision imposes a fine of €746 million and corresponding practice revisions. We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”
In addition to slapping Amazon with a huge fine, the CNPD also ordered Amazon to revise its business practices. CNPD did not specify which practices Amazon needs to revise, nor would it comment on the decision. As Bloomberg notes, local laws prevent the Luxembourg commission from commenting on any specific cases or confirming receipt of a complaint.
Amazon will appeal the CNPD’s fine
Amazon argues that the case is “without merit” for several reasons. The company noted that hackers have not stolen any data. Additionally, Amazon says that all customer data remains secure. Amazon plans to appeal the decision, which means that it could be quite some time before this resolves.
Amazon provided The Wall Street Journal with the following statement regarding the fine:
Maintaining the security of our customers’ information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.
Currently, Google’s 50 million euro fine is the largest under the GDPR. France’s data watching, the CNIL, issued the fine in 2019. Google lost its appeal in 2020. The CNPD’s fine eclipses that sum, and will be a new record by a wide margin if it stands.