Euro watchdog will try to extract $900m from Amazon for breaking data privacy laws

Amazon says a European Union privacy watchdog has mustered the temerity to demand a $885m fine for failing to comply with data privacy rules.

“On July 16, 2021, the Luxembourg National Commission for Data Protection (CNPD) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation,” the web goliath said in a financial filing accompanying its Q2 2021 earnings report [PDF] on Thursday.

“The decision imposes a fine of €746m [$885m] and corresponding practice revisions.”

Amazon said the CNPD decision has no merit and that it plans to challenge the ruling.

“Maintaining the security of our customers’ information and their trust are top priorities,” Amazon said in a statement emailed to The Register. “There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal.”

“The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The €746m fine is the largest penalty under the 2018 GDPR to date, surpassing the previous top penalty of €50m assessed by the French National Commission on Informatics and Liberty (CNIL) against Google in 2019 by almost 15x. In fact, Amazon’s fine is more than twice the sum of all previous GDPR penalties combined (€303m).

The ruling follows from the CNPD’s investigation of a May 28, 2018 complaint [PDF] by La Quadrature du Net, a French privacy group. The complaint contends that Amazon subjects website visitors to behaviorally targeted ads but fails to disclose this practice in its terms of use and fails to seek consent to use personal information to deliver targeted ads.

The privacy group assailed Amazon’s public statement about the absence of a data breach as a non sequitur, stating that the CNPD decision is a consequence of invasive ads rather than a database intrusion.

“It is the system of targeted advertising itself, and not merely occasional security breaches, that our legal action attacked,” the group said in a statement on its website. “This historic fine hits straight to the heart of Big Tech’s predatory system, and should be celebrated as such.”

The privacy group also took the opportunity to contrast the massive CNPD fine with the failure of both the Irish Data Protection Authority and the CNIL to translate the group’s complaints against Facebook, Apple, Microsoft and Google into meaningful penalties. And it celebrated the CNPD decision for restoring its faith in regulatory intervention.

“Business models based on domination and exploitation of our privacy and our free consent are disturbingly illegitimate and go against the values that our democratic societies claim to defend,” the group said.

Elsewhere in its 10-Q filing, Amazon reported $113.1bn in sales and an operating profit of $7.7bn for the quarter.