Amazon faces £637 million fine over GDPR violations

If confirmed, the penalty would be almost 15 times larger than the current record fine

Amazon is facing a potential €746 million (approximately £637 million) fine for the unlawful processing of personal data, following a GDPR ruling by Luxembourg’s data protection regulator.

The ruling was initially made on 15 July but only became public knowledge when mentioned as part of Amazon's latest quarterly earnings report. If it goes ahead, the fine would be the largest data protection penalty in industry history.

This €746 million fine would be almost 15 times greater than the €50 million penalty that French data regulator CNIL administered against Google in 2019.

Amazon didn’t explain the specific basis for such a relatively large penalty in its legal filing, nor has the Luxembourg National Commission for Data Protection (CNPD) made the details around the case public.

The regulator confirmed with IT Pro, however, that the decision was made on the basis of the one-stop-shop principle set out in Article 60 of GDPR.

This means Luxembourg was nominated as the lead supervisory authority in a case against Amazon based on alleged violations that occurred across borders and in several EU territories. The CNPD was chosen to investigate Amazon because the firm’s European headquarters is based in Luxembourg.

The CNPD claims the nation’s own local data protection laws have bound the authority to “professional secrecy” when taking regulatory action. According to these laws, details about the case cannot be published - or publicised - until Amazon’s deadline for appeals expires.

Amazon said the regulator’s decision has been made without merit, and that it plans to defend itself “vigorously”. Although the firm is able to appeal the decision, the regulator didn’t indicate how long this process might take.

Despite the size of the fine cited, there’s every chance that it could be drastically lowered over the course of regulatory proceedings. For example, the UK’s Information Commissioner’s Office (ICO) had initially issued notices of intent to fine BA and Marriott £183 million and £99 million respectively in July 2019. These were eventually watered down to £20 million and £18.4 million in October 2020, with the ICO citing a number of mitigating circumstances, including the economic effects of the pandemic.

Prior to GDPR coming into force, many businesses expected the new data protection laws to usher in an era of massive, eye-watering fines that would cripple businesses found to have fallen foul of the rules. This was based on the provision that an organisation can face a fine of up to €20 million or 4% of annual turnover, whichever is higher.

In practice, however, such fines have been a rarity, despite a high volume of cases.

The Irish data protection regulator, which is itself the lead supervisory authority in a number of cases against big tech giants, also hasn’t yet worked through a lengthy backlog of legal challenges. So far, the Irish Data Protection Commission (DPC) has issued a €450,000 fine against Twitter, alongside a provisional decision in January 2021 to fine WhatsApp €50 million, although this is subject to legal review.
