Amazon’s financial records have revealed that the Luxembourg data protection supervisory authority, the Commission Nationale pour la Protection des Données (“CNPD”), is fining the retailer’s European arm (Amazon Europe Core S.à.r.l.) an eyewatering 746 million euros (£636m or $838m) for breaches of the EU’s General Data Protection Regulation (“GDPR”).
When the GDPR was introduced in May 2018, the potential for huge financial sanctions grabbed many headlines: it gives European supervisory authorities the power to impose fines of up to 20 million euros or 4% of annual global turnover (whichever is greater) for breaches of the GDPR. There have been some undeniably sizeable fines issued under the GDPR in the last three years. But the level of this particular fine is extraordinary: it’s the largest GDPR fine issued to date by a considerable margin. The second largest fine ever imposed under the GDPR was a comparatively paltry 50 million euros, levied against Google by CNIL (the French supervisory authority) in early 2019 (which you can read about here).
The fine against Amazon originates from a 2018 complaint made to CNIL by French privacy rights group La Quadrature du Net, an advocacy group that promotes digital rights and freedoms of citizens. CNPD has handled the investigation because the GDPR contains a mechanism for one EU authority to act as “lead supervisory authority” in relation to complaints and investigations for organisations that operate in several EU countries. This is known as the “One-Stop-Shop” mechanism (the UK authority, the Information Commissioner’s Office (“ICO”), sits outside that mechanism now that the UK has left the EU, which adds a layer of complexity for businesses operating in both the EU and UK). As Luxembourg is Amazon’s main European base, and Amazon had selected CNPD as its lead supervisory authority, CNPD acted as the lead authority on the investigation, with CNIL’s assistance.
Amazon disclosed the fine in a regulatory filing to the US Securities and Exchange Commission, commenting that the decision is “without merit”, and indicating its firm intention to appeal. Dramatic reductions to GDPR fines on appeal are far from unheard of – last year, the ICO reduced a fine issued to British Airways in respect of a data breach from £184m to just £20m. An Amazon spokesperson commented that “[t]here has been no data breach, and no customer data has been exposed to any third party.” This is reassuring for Amazon customers, but it’s important for all businesses to be aware that fines can be issued under the GDPR for countless reasons other than data breaches.
So what has Amazon been fined for? We know very little about the specifics. The CNPD’s decision and the rationale for it are not publicly available, because under Luxembourg’s professional secrecy laws, details can’t be released into the public domain until any available appeals process is exhausted. We can, however, say with a reasonable degree of certainty that the fine relates to Amazon’s advertising practices. La Quadrature du Net’s original complaint to CNIL claimed that Amazon’s advertising system is not based on “free consent” – i.e. that Amazon lacks the necessary lawful basis under the GDPR for presenting personalised advertisements to users. This sounds distinctly reminiscent of the basis for the fine levied against Google by CNIL in January 2019. The vastly differing levels of the two fines may indicate that different supervisory authorities take differing approaches.
Luxembourg is a small country, and it has, in the past, faced accusations from the European Commission of granting Amazon undue tax benefits amounting to “illegal state aid”, although the General Court of the European Union rejected this contention earlier this year. This unprecedented move by the CNPD indicates a strong pro-privacy stance, which may surprise some.
Since Amazon intends to dispute the fine vigorously, and previous cases suggest it could be reduced significantly on appeal, it’s clear that this is far from the last we will hear about CNPD v. Amazon.