Why is it important: The previous record holder for the highest fine received for violating the GDPR was Google, which received a € 50 million fine. However, Amazon was recently fined € 746 million, which shows that breaking EU privacy rules becomes much more expensive over time.
Amazon seems to be doing well under its new leadership, but the company’s growth is slowing and the shortened paths used to reach its gigantic size are biting again. The retail giant was fined a whopping 746 million euros ($ 885 million) after the Luxembourg National Data Protection Commission (CNPD) discovered that the company violated GDPR rules when handling personal data.
Amazon noted in its filing that CNPD asked it to review its advertising practices, but the company did not disclose any details about the proposed changes. In any case, Amazon is unhappy with the fine and believes that “the decision about how we serve customers relevant ads is based on a subjective and unverified interpretation of European privacy law.”
The company plans to appeal the decision in court and argues that the proposed fine is “completely disproportionate.” The GDPR rules allow for a fine of € 20 million, or 4 percent of a company’s annual global revenue, whichever is greater. Back in June, the Wall Street Journal saw a CNPD bill that set a $ 425 million fine, but that amount more than doubled after other EU regulators spoke out on the matter.
Last year, the European Commission released the results of a separate investigation into how Amazon is promoting its own products in the region. Specifically, EU commissioners found that Amazon was using third-party vendor data from its marketplace to support its own products.
Amazon could face fines of up to $ 28 billion, depending on the results of the investigation.
GDPR enforcement seems to be taking a turn after privacy advocates have repeatedly criticized the European Commission for being too slow and applying small fines that do little to dissuade companies with big pockets. For a company like Amazon, $ 885 million is still a small change, but that’s more than an order of magnitude more than the $ 57 million Google had to pay for violating GDPR rules.