Amazon is facing a $425 million fine—the largest penalty ever imposed under the European Union’s privacy laws—for alleged violations of the EU’s General Data Protection Regulation (GDPR). The National Data Protection Commission (Commission Nationale pour la Protection des Données—CNPD) has circulated a draft decision with the unprecedented fine as a result of Amazon’s collection and use of personal data.
The GDPR came into effect in May 2018 and has formed the basis of a concerted effort by the EU to hold U.S. tech giants accountable for how they use, store, and share information about European customers and employees. Under the GDPR, for example, individuals have the right to obtain information from organizations about how their data is used, and can request that certain information be deleted. Another rule requires that organizations disclose data breaches to European regulators within 72 hours of discovery.
As Luxembourg’s data-protection commission, the CNPD is responsible for implementing and supervising observance of the protection of individuals’ personal data both within Luxembourg and the European Union more broadly. The CNPD verifies whether personal data is processed in accordance with the GDPR, and is empowered to investigate any collection, use, or transmission of information of identifiable individuals. The CNPD is Amazon’s lead privacy regulator in the EU because Amazon has its EU headquarters in the Grand Duchy of Luxembourg.
The fine proposed by Luxembourg would represent roughly 2% of Amazon’s reported net income of $21.3 billion for 2020, and 0.1% of its $386 billion in sales. Under the GDPR, regulators can fine up to 4% of a company’s annual revenue. Before the draft decision can become final, it must effectively be agreed to by other EU privacy regulators, a process that could take months and lead to substantive changes, including a higher or lower fine.
The proposed sanction has garnered objections on both sides of the issue. Amazon has previously stated that it complies with all applicable laws in each country where it operates and that the privacy of its customers is a priority. Others have objected to the draft decision on the basis that the proposed fine is too low, given Amazon’s annual revenue. Regardless of the ultimate amount imposed, the decision sends a clear message that European regulators are willing to use the full range of authority granted under the GDPR to enforce compliance with its data privacy rules.