It’s been one year since online retailer Amazon announced it was on the receiving end of the largest fine so far under the European Union’s punitive privacy legislation, but details about the decision—as well as the actual complaint—remain sketchy.
In a regulatory filing the company submitted to the U.S. Securities and Exchange Commission on July 30, 2021, Amazon said the Luxembourg National Commission for Data Protection (CNPD) issued a decision against Amazon Europe claiming the company’s processing of personal data did not comply with the General Data Protection Regulation (GDPR).
Amazon disclosed the decision imposed a fine of 746 million euros (U.S. $758 million), as well as unspecified “practice revisions.” The company added it believed the CNPD’s decision to be “without merit” and said it intended to appeal.
In a statement issued Aug. 8, the CNPD confirmed that, as Amazon’s lead supervisory authority, it had issued the company a decision notice following cooperation with other EU data protection authorities (DPAs) using Article 60 of the GDPR.
However, the regulator added “national law on data protection binds the CNPD to professional secrecy (Article 42) and prevents it from commenting on individual cases.”
Under Luxembourgish law, the CNPD is unable to publish any details of a decision before the deadlines for appeals have expired—some three months later. The regulator could publish the details of a decision once the case is finalized.
Sources with knowledge of the Amazon case say the appeal process is still ongoing through the court system in Luxembourg, as opposed to any internal appeals system with a regulator, which is why further details have not been forthcoming.
Whether to publish their decisions is at the discretion of DPAs; it is not mandatory. Some DPAs that do publish have expressed frustration with those that do not, claiming the lack of disclosure leads to a lack of transparency and confusion about how individual EU states interpret and enforce the GDPR.
The CNPD did not respond to a request for comment.
The Amazon case stems from a collective legal action raised in 2018 by La Quadrature du Net on behalf of over 10,000 complainants alleging Amazon lacks the necessary lawful basis for presenting personalized ads to users, according to the French digital rights organization.
If the fine stands, it will be the highest imposed by any DPA to date under the GDPR—more than triple the Irish Data Protection Commission’s €225 million (then-U.S. $267 million) penalty against WhatsApp announced in September.
Reached for comment, Amazon reiterated its initial statement: “Maintaining the security of our customers’ information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”