Luxembourg’s data protection authority (CNPD) fined Amazon a record €746 million for not complying with EU’s privacy rules, according to the company’s latest filings.
The decision was taken on July 16, and the regulator ruled that “Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation.”
The data protection authority is also asking for “practice revisions,” which are not detailed in the document.
“We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter,” the company said in the filing. The CNPD did not respond to a request for comment and has previously said it is unable to comment on individual cases, or even confirm receipt of a complaint, according to local law.
The penalty is by far the highest sought under the 2018 GDPR and comes after a POLITICO investigation in February revealed that poor management practices could have placed the data of millions of people at risk.
Luxembourg’s data protection commission, which oversees Amazon because the retailer is based in the Grand Duchy, slapped the online retailer with the penalty following a 2018 complaint by French digital rights group La Quadrature du Net which targeted the way Amazon obtains consent to target adverts.
“It’s really good news,” said Bastien Le Querrec, of La Quadrature du Net. “This is a really huge number.”
A statement from the French NGO said it had not yet seen the decision, but that the size of the penalty indicated that it was “unambiguous” that Amazon’s advertising targeting system does not obtain users freely-given, in violation of the GDPR.
The previous highest GDPR penalty, a €50 million fine for Google, also originated from a complaint from the French group, whose members were included in the POLITICO Tech 28 list of the most influential figures on the European tech scene.
Asked about the ruling, an Amazon spokesperson said: “We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
The fine is significantly higher than the $425 million (around €357 million) previously reported.