What Amazon’s €746 million GDPR fine means for the future of data protection regulation

Last month, Amazon was hit with a €746 million (about £630 million) fine for violating the GDPR (General Data Protection Regulation) – an astronomical figure by the standards of data protection regulation, or indeed by most standards.

It is by far the biggest fine issued under the GDPR, surpassing the €50 million penalty that Google received in 2019.

In fact, the scale of this penalty – dished out by Amazon’s EU supervisory authority, the Luxembourg-based National Data Protection Commission – is so large that it is almost double every other GDPR fine issued combined.

So what did Amazon do wrong to warrant such a fine? And how will it affect GDPR compliance in the future?

What did Amazon do wrong?

Frustratingly, few details have emerged about what Amazon’s GDPR fine relates to. The investigation began following a complaint in May 2018 – the month that the GDPR took effect – from La Quadrature du Net.

The French advocacy group, representing 10,000 people, claimed that Amazon’s advertising system isn’t based on “free consent”.

That is to say, the GDPR requires that consent must be sought using clear, plain language containing specific details about what the information will be used for.

Moreover, organisations cannot rely on inactivity as a means of consent, and they must ensure that there are no negative impacts on the user if they refuse to provide consent.

It’s not clear which of these rules, if any, Amazon is alleged to have violated, with a spokesperson for the Luxembourg data protection regulator saying that “professional secrecy” laws in the country mean details can’t be published until an appeal process has been completed.

Amazon responded by stating: “There has been no data breach, and no customer data has been exposed to any third party”. It confirmed that it will be appealing the penalty.

However, even if Amazon hasn’t suffered a data breach – and the complaint doesn’t appear to claim that it has – this doesn’t absolve the tech giant.

The GDPR relates as much to data privacy and the appropriate use of individuals’ information as it does to preventing unauthorised use of their details. If Amazon is found to have violated the Regulation’s requirements about how it obtained personal data, it can still be penalised.

Whether that penalty will remain €746 million is another matter. An Amazon spokesperson said that the penalty is based on “subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation”.

It’s hard to argue with that, given how much larger this fine is in comparison to any that has previously been levied. And it wouldn’t be the first time a regulator had reduced the size of a fine following an appeal.

Last year, the ICO (Information Commissioner’s Office) decreased its penalty against British Airways from £183.4 million to £20 million. It followed testimony from the airline regarding the way it handled its data protection requirements, and took into account the economic damage caused by COVID-19.

A month later, the ICO also slashed its proposed £99.3 million penalty levied against Marriott down to £18.4 million.

Whether Luxembourg’s data protection authority will show the same leniency as the British regulator remains to be seen. However, what is for sure is that organisations have received a wake-up call regarding their GDPR compliance practices.

As Estelle Massé, the global data protection lead at non-profit internet advocacy group Access Now, said: “With so many large cases piling up in front of regulators, we were really waiting for one of those cases to be resolved to show that the GDPR basically has teeth”.

La Quadrature du Net, the group that made the original complaint against Amazon, said that regulators had given it “hope” that legal action could be brought “against Big Tech”.
