Amazon might be in line for Europe’s largest fine for privacy violations, with a penalty seven times the size of Google’s record €50 million hit.
The online retailer—whose European headquarters are based in Luxembourg—could be fined more than $425 million (€350 million) under the EU’s General Data Protection Regulation (GDPR) over the way it collects personal data and uses it for marketing purposes, according to the Wall Street Journal.
Amazon’s cloud services—currently under investigation by the European Data Protection Supervisor, the office that oversees GDPR compliance in EU institutions—are apparently not part of the complaint.
As the case applies to citizens throughout the European Union, the Luxembourg data protection authority (DPA) has sent its draft decision to the EU’s other 26 DPAs to review, according to the WSJ.
Luxembourg can then either try to resolve any objections itself or reject them and trigger a debate and vote among all EU privacy regulators at the European Data Protection Board under Article 65 of the GDPR.
Amazon could theoretically face a separate investigation and fine on similar grounds in the United Kingdom since the Information Commissioner’s Office is no longer part of the “one-stop shop” mechanism.
The Luxembourg DPA has not made any public announcement. A spokesperson for the regulator said it “does not comment on specific cases.”
Amazon also declined to comment.
Experts say the proposed fine would show regulators firmly have Big Tech companies—and their practices—in their crosshairs.
Howard Freeman, managing director at consultancy Fortis DPC, says the decision “will be the biggest test of GDPR enforcement to date,” adding “many of the tech giants will watch with great interest.”
However, Freeman notes the proposed fine is “tiny” in comparison to Amazon’s global revenues of $386 billion and “sends a mixed message.” Depending on whether the alleged offenses qualify for the 2 percent or 4 percent tariff, Amazon could have faced fines worth either $7.72 billion or $15.4 billion.
“This fine is small and may become smaller yet. The EU is prepared to fine businesses that breach the regulation, but not to the maximum,” says Freeman. “This is reminiscent of the old U.K. Data Protection Act 1998, where businesses found it cheaper to budget for fines than to actually comply with the law.”
Adam Chapman, partner at law firm Kingsley Napley, says the size of the proposed penalty is “striking.”
“What is really significant is what happens next,” he adds, referring to the consultative process taking place among EU DPAs.
Previous experience suggests agreement is not straightforward. Some DPAs will want a larger fine, some a lesser one. To complicate matters further, some DPAs—Denmark and Estonia—have laws that prevent administrative fines and might not agree to the penalty at all. The WSJ report suggests Luxembourg’s regulator has received a handful of objections to its draft decision, with at least one DPA saying the fine should be higher.
With December’s Twitter fine, Ireland initially proposed a low-end fine of €135,000 that was less than a third of the eventual €450,000 penalty (U.S. $547,000). Germany had pushed for a fine worth between €7.3 million and €22 million.
“The outcome of the objections process could lead to clarity about whether the data protection regulators across Europe are now closer to agreeing what an appropriate penalty should be,” says Chapman. “And, if they are closer, it could provide a good signal to the approach to the level of fines in future cases.”
Even if EU DPAs agree on a suitable penalty, few expect the process to be quick, with several lawyers predicting Amazon will likely appeal any decision.
Indeed, Amazon’s revenues and legal spend dwarf the meager annual budget of €6.7 million (U.S. $8.1 million) the Luxembourg DPA has at its disposal. The country’s track record on GDPR enforcement is also patchy.
According to the GDPR Enforcement Tracker, Luxembourg’s highest penalty to date under the law is €18,000 against an unspecified company that failed to appoint a data protection officer. Its other four fines have been €2,600 or less for minor noncompliance offenses.
All five penalties were issued last month—three years after the regulation came into effect.