European Union imposes record fine on Amazon over alleged violations of GDPR privacy law relating to advertising data, as company says it will challenge decision
The European Union data has fined Amazon 746 million euros (£637m), or approximately $886.6m, in what is by far the largest penalty to date under EU data protection laws.
The fine was issued by Luxembourg’s National Commission for Data Protection, or CNPD, which alleged Amazon’s processing of personal data broke the EU’s GDPR data protection rules, which are also implemented in UK law.
The fine was levied on 16 July and Amazon disclosed it in a Securities and Exchange Commission (SEC) filing on Friday.
The company said it believes the penalty is “without merit” and plans to defend itself “vigorously” in court.
Amazon emphasised that the alleged violation is not related to a data breach but didn’t give details of the EU’s allegations.
The company did say that the CNPD had taken issue with the way it uses customers’ data for advertising purposes.
The GDPR requires companies to obtain users’ informed consent before making use of their personal data, and authorises steep fines for violations.
However, the largest fine to date under the 2018 law was a 50m euro fine imposed on Google in 2019.
British Airways, H&M and Marriot Hotels have also faced large fines under the GDPR, but all were in the tens, rather than hundreds of millions, indicating the EU considers Amazon’s breach to be a significant one.
“We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter,” Amazon said in a statement.
In early June the CNPD reportedly circulated a draft of its sanction of Amazon’s privacy practices to the EU’s 26 other data-protection authorities, proposing a fine of more than $425m.
At least one of the other regulators are reported to have pushed for a higher fine.
National authorities are meant to take into account the gravity, duration and character of the infringement when deciding on a penalty.
Amazon acknowledged the decision was related to its use of data to personalise advertising, and argued the fine was “out of proportion” and was based on “subjective and untested” interpretations of the GDPR.
“The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” Amazon said.
Regulators around the world have faced increasing pressure to act against large technology multinationals in recent years, which have been accused of exercising “monopoly power”, of abusing their control over users’ data and of failing to rein in misinformation and illegal online content.
Previous EU concerns have revolved around Amazon’s use of commercial data relating to the third-party sellers that make use of its platform.
In November, for instance, the European Commission charged Amazon with abusing its dominant position in online retail to gain an unfair competitive advantage.