One year has passed since online retailer Amazon announced it had been hit with the largest fine to date under the harsh privacy laws of the European Union, but information about the ruling—as well as the actual complaint—remains hazy.
Amazon claimed that the Luxembourg National Commission for Data Protection (CNPD) issued a decision against Amazon Europe, finding that the company's processing of personal data did not adhere to the General Data Protection Regulation, in a regulatory filing the company made to the U.S. Securities and Exchange Commission on July 30, 2021. (GDPR).
Amazon stated that the ruling came with a 746 million euro ($758 million) fine and undefined "practice revisions." The business added that it thought the CNPD's ruling was "without merit" and declared its intention to appeal.
According to a statement released on August 8 by the CNPD, which serves as Amazon's primary supervisory authority, the company received a decision notice after working with other EU data protection authorities (DPAs) in accordance with GDPR Article 60.
The regulator clarified, however, that "national law on data protection binds the CNPD to professional secrecy (Article 42) and prevents it from commenting on individual cases."
According to Luxembourgish law, the CNPD is prohibited from disclosing any information about a decision before the appeals deadlines have passed—roughly three months later. Once the case has been resolved, the regulator may publish the specifics of the ruling.
Further information has not been provided, according to sources with knowledge of the Amazon case, because the appeals process is still ongoing through the Luxembourgian court system rather than through any internal appeals procedures with a regulator.
DPAs are not required to publish the decisions they make; it is entirely up to them whether or not to do so. The lack of disclosure, according to some DPAs that do publish, results in a lack of transparency and uncertainty regarding how various EU states interpret and apply the GDPR.
A request for comment from the CNPD received no response.
According to the French digital rights organization La Quadrature du Net, the Amazon case is the result of a collective legal action brought in 2018 on behalf of more than 10,000 complainants who claimed Amazon lacked the necessary legal justification for showing users personalized ads.
If the fine is upheld, it will be the highest fine imposed by a DPA under the GDPR to date, more than tripling the €225 million ($267 million at the time) fine against WhatsApp that the Irish Data Protection Commission announced in September.
When contacted for comment, Amazon reaffirmed its initial statement, saying that "maintaining the security of our customers’ information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation."
By fLEXI tEAM