We were promised huge fines, and GDPR has finally delivered. Last week, Amazon's financial records revealed that Luxembourg authorities are fining the retailer 746 million euros ($883 million) for violating European regulations.
The fine is unprecedented: it is the largest GDPR fine imposed to date and is more than double the amount of all other GDPR fines combined. The financial penalty, which Amazon is appealing, comes at a time when GDPR is feeling the pressure of lax enforcement and trivial fines. Experts say companies are allowed to abuse people’s privacy because GDPR investigations are too slow and inefficient. Some people even want the GDPR to be torn up entirely.
But Luxembourg’s action against Amazon stands out for two reasons: first, it shows the potential power of the GDPR; second, it exposes how inconsistently these regulations are applied across the EU. And for both of these reasons, this is arguably the most important GDPR decision ever made.
“With so many important cases piling up before regulators, we were really waiting for one of these cases to be resolved to show that the GDPR fundamentally has teeth,” said Estelle Massé, global head of data protection at the non-profit Internet advocacy group Access Now. La Quadrature du Net, the French civil liberties group behind the complaint against Amazon, said regulators had given it “hope” that legal action could be taken “against Big Tech.”
Despite the headline-grabbing fine, little is known about the details of what Amazon was fined for. The case was taken up by Luxembourg officials because the country is Amazon’s main base in Europe. The small nation has historically been labeled a tax haven, although charges of Amazon tax evasion in the country have been rejected by European courts. But by fining Amazon, the Luxembourg National Commission for Data Protection has, at least in the short term, launched itself into the pro-privacy spotlight.
La Quadrature du Net’s original complaint of May 2018, which was filed on behalf of 10,000 people, claimed that Amazon’s advertising system is not based on “free consent.” But that’s about all we know. The Luxembourg regulator says it issued a ruling against Amazon on July 15, but has not released further details. A spokesperson for the authority said that Luxembourg’s “professional secrecy” laws mean it cannot publish any details until an appeal process is completed. And Amazon, which is incredibly data hungry, said it will appeal the fine.
“There was no data breach and no customer data was exposed to a third party,” an Amazon spokesperson said. That’s fine, but businesses don’t need to have suffered a data breach to break GDPR rules. The spokesperson goes on to say that the ruling in Luxembourg, which is based on how the company shows customers “relevant advertising”, is based on “subjective and untested interpretations of EU law on the protection of privacy, and the proposed fine is totally disproportionate with even this interpretation.”
Amazon may be right. It is possible that any appeal process or negotiation will reduce the fine. Last year, the UK data protection regulator’s fine on British Airways was reduced from £184 million ($256 million) to only £20 million ($28 million). Another, against the Marriott hotel group, was reduced from 99 million pounds ($137 million) to 18 million pounds ($25 million).
Amazon’s fine of 746 million euros is far greater than anything that has happened before; a 50 million euro fine against Google holds the current record. Although the GDPR allows the imposition of potentially huge fines, the reality is that regulators have so far been unlikely to issue them. Until early 2021, a total of 272 million euros ($322 million) in GDPR fines had been imposed by all European regulators combined, according to an analysis by law firm DLA Piper. Italy’s data protection agency, which has issued €69.3 million in fines, has led the way. Next come Germany (69 million euros), France (54 million euros) and the United Kingdom (44 million euros).