Amazon may have to pay out millions for a record EU data privacy fine, the retailer has disclosed.
The fine was revealed in a filing to the US Securities and Exchange Commission
and reported by Reuters.
According to the Amazon filing, the Luxembourg National Commission for Data Protection (CNPD) has issued a decision against Amazon’s EU business, Amazon Europe Core S.à.r.l. asserting that Amazon’s processing of personal data did not imply with the EU General Data Protection Regulation (GDPR). The decision meant a fine of €746m (£636m) and required the company to alter its practices. Amazon said in the filing: “We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”
However, the decision does not appear on the CNPD’s website. Wouter Seinen, head of law firm Pinsent Mason’s Amsterdam office, says in a blog post that the decision has been confirmed to it by the CNPD but that details cannot be published because of strict privacy afforded under Luxembourg law for ongoing cases. Pinsent Masons says that if confirmed, the amount of the fine would set new records.
Seinen says: “The unconfirmed reports of the origins of this decision highlight the increased risks businesses face from complaints raised by private individuals and interest groups. We have already seen a rise in data protection-related litigation in Europe and now this case of the CNPD’s in Luxembourg against Amazon shows their potential influence in driving enforcement action by data protection authorities. This case is unlikely to be the last of this kind.”
Commenting, Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, says: “Contrasted to the common misconception, Article 83 of GDPR is very specific about its penalties: security-related incidents are fined by up to 2% of the annual turnover, while violations such as lack of consent or unlawful data processing are punished more severely by a fine going up to 4%. Thus, Amazon’s statement that no data breach has occurred is probably not very relevant to the case. In view of the recent GDPR-related litigation in the EU and available jurisprudence, the fine, however, indeed seems to be excessive and will likely be significantly reduced on appeal. Amazon will undoubtedly endeavor to win the case in court on appeal.
“The outcome of this case will likely be influenced by politics, as such punitive actions by the EU may strongly discourage American companies doing business in Europe. Furthermore, it may motivate US states, that are now rapidly implementing state privacy laws, to retaliate by imposing mirrored penalties upon European companies. The long-awaited federal privacy law in the US should hopefully harmonize data protection regimes and finally bring a peace of mind both to consumers and businesses on the two sides of the pond.”