Amazon faces £637 million fine over GDPR violations

If confirmed, the penalty would be almost 15-times larger than the current record fine

Amazon is facing a potential €746 million (approximately £637 million) fine for the unlawful processing of personal data, following a GDPR ruling by Luxembourg’s data protection regulator.

The ruling was initially made on 15 July but only became public knowledge when mentioned as part of Amazon's latest quarterly earnings report. If it goes ahead, the fine would be the largest data protection penalty in industry history.

This €746 million fine would represent a sum that’s more almost 15-times greater than the €50 million penalty that French data regulator CNIL administered against Google in 2019.

Amazon didn’t explain the specific basis for such a relatively large penalty in its legal filing, nor has the Luxembourg National Commission for Data Protection (CNPD) made the details around the case public.

The regulator confirmed with IT Pro, however, that the decision was made on the basis of the one-stop-shop principle set out in Article 60 of GDPR.

This means Luxembourg was nominated as the lead supervisory authority in a case against Amazon based on alleged violations that occurred across borders and in several EU territories. The CNPD was chosen to investigate Amazon because the firm’s European headquarters is based in Luxembourg.

The CNPD claims the nation’s own local data protection laws have bound the authority to “professional secrecy” when taking regulatory action. According to these laws, details about the case cannot be published - or publicised - until Amazon’s deadline for appeals expires.

Amazon said the regulator’s decision has been made without merit, and that it plans to defend itself “vigorously”. Although the firm is able to appeal the decision, the regulator didn’t indicate how long this process might take.

Despite such a large fine cited, there’s also every chance that it can be drastically lowered over the course of regulatory proceedings. For example, the UK’s Information Commissioner’s Office (ICO) had initially issued a notice of intent to fine BA and Marriott £183 million and £99 million respectively in July 2019. This was eventually watered down to £20 million and £18.4 million in October 2020, with the ICO citing a number of mitigating circumstances, including the economic effects of the pandemic.

Related Resource

The controversial CLOUD Act

The effect on data protection and data security in Germany and the EU

A magnifying glass with a background of 1s and 0s - whitepaper from IONOSDownload now

Prior to GDPR coming into force, many businesses widely expected the new data protection laws to usher in an era of massive, eye-watering fines that would cripple businesses found to have fallen foul of the rules. This was based on the provision that an organisation can face a fine of up to €20 million or 4% annual turnover, whichever is higher.

In practice, however, such fines have been a rarity, despite a high volume of cases.

The Irish data protection regulator too, which is itself the lead supervisory authority in a number of cases against big tech giants, hasn’t yet worked through a lengthy backlog of legal challenges. So far, the Irish Data Protection Commission (DPC) has issued a €450,000 fine against Twitter, alongside a provisional decision in January 2021 to fine WhatsApp €50 million, although this is subject to legal review.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

How to think like a Digital CFO
Whitepaper

How to think like a Digital CFO

13 Jan 2022
Amazon faces allegations it "brazenly" underreported COVID-19 cases in its warehouses
business management

Amazon faces allegations it "brazenly" underreported COVID-19 cases in its warehouses

2 Dec 2021
AWS and IBM join forces to reduce data barriers in the energy industry
Software

AWS and IBM join forces to reduce data barriers in the energy industry

15 Nov 2021
In praise of the early adopters
Hardware

In praise of the early adopters

2 Nov 2021

Most Popular

Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Synology DiskStation DS2422+ review: A cube of great capacity
network attached storage (NAS)

Synology DiskStation DS2422+ review: A cube of great capacity

10 Jan 2022