Data protection: Record fine of 746 million euros for Amazon in Luxembourg


Amazon has been fined 746 million euros by the data protection authority in Luxembourg. The world’s largest online retailer gave the penalty already imposed on July 16 in its detailed quarterly report known on Friday night. The reason given by the CNPD is that Amazon has violated the European General Data Protection Regulation GDPR. Amazon denied the allegation and announced an appeal.

“There was no violation of the protection of personal data, and no customer data was disclosed to third parties,” said a spokesman for the German press agency. “In terms of how we display relevant advertisements to customers, this decision by the CNPD is based on subjective and unchecked interpretations of European data protection law, and even with this interpretation the proposed fine is disproportionate.” The European subsidiary of Amazon is based in Luxembourg. The CNPD has not yet commented publicly on the punishment against Amazon.

As the Civil rights activists from the French NGO La Quadrature du Net announced, the punishment was one of them organized Collective complaint on behalf of 10,000 people, which was filed with Luxembourg’s data protection officers against Amazon in May 2018. The complaint was specifically directed against Amazon’s advertising targeting system, which runs without the user’s consent and which violates the GDPR.

La Quadrature said that the CNPD had not received any notification of the decision and only found out about it through a report from the business intelligence service Bloomberg. In view of the massive fine, they welcomed a “groundbreaking punishment” that hit the core of the “predatory system” of the big tech companies. At the same time, they criticized the Irish data protection authority, which in three years had not been able to close one of its four other complaints against Facebook, Apple, Microsoft and Google.

The sentence sets a new record. The highest (not legally binding) GDPR fine to date was imposed by France against Google in December with 60 million euros, because it is said to have used tracking cookies for advertising purposes without the consent of those affected, even contrary to express settings. The most expensive data protection penalty notice from Germany to date is dated September 30, 2020: The Hamburg Commissioner for Data Protection and Freedom of Information has sentenced the textile chain H&M (Hennes & Mauritz) to more than 35 million euros because H&M is said to have spied on hundreds of employees.

[UPDATE: 30.07.2021, 19:00]

Information on previous GDPR penalties added.


To home page