Free Consultation

Amazon Fined $888M For GDPR Violations

Posted on March 12, 2023/Domonic Grande

The Largest GDPR Fine To Date

In July of 2021, the largest GDPR fine yet was handed down to an Amazon company in Luxembourg. The fine, $888m for GDPR violations stems from a collective complaint in 2018 filed by a French data privacy group (LQDN). The complaint was filed with the French data protection authorities (CNIL), alleging Amazon Europe Core violated the data privacy rights of thousands of Europeans. The details of this ruling are not yet public but certainly of interest. An Amazon spokesman made it clear that Amazon intended to appeal the ruling in articles published by Bloomberg and CNET. The Amazon spokesman said

“There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed.”

“The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

A complaint that started in France will be decided in Luxembourg?

Key Parties And Definitions Involved

One of the important aspects of this ruling is how it progressed through the supervisory authorities, the requirements for cooperation and which authority is considered “competent” according to the GDPR. Below is a brief description of the parties involved and key definitions.

Parties

  • National Commission for Data Protection (CNPD) – This is the data protection commission in Luxemburg where Amazon Europe Core is established.
  • La Quadrature du Net (LQDN) – LQDN is a data privacy advocacy group located in France.
  • National Commission for Computing and Liberties (CNIL) – The CNIL is the French data protection authority. The CNIL is known to be among the strictest authorities in Europe.

Definitions

  • CompetenceIn this context, competent means each country’s supervisor has authority in their member state. Where more than one member state is involved, a lead (competent) authority is established and the other concerned authorities work in conjunction with the lead authority.
  • Main Establishment – The place in the EU where decision making is made by a controller about data processing. The main establishment of data processing should be its place of central administration in the EU. If the controller does not have central administration in the EU (e.g. A company based in the U.S with data processing in the EU), the main establishment should be the primary location of data processing.
  • (Data) Controller – The person, company, authority or agency which determines the purposes and means of processing of personal data. Basically, whoever makes the decision of how data is used and for what purpose.
  • (Data) Processor – The person, company, authority or agency which processes data on behalf of a (data) controller. An example of this would be a service provider who does data centric work like analytics or payroll.

Luxembourg DPA Fines Amazon $888m for GDPR Violations?

If a French data privacy group (LQDN) complained to French data protection officials (CNIL), why is the fine coming from Luxembourg’s supervisory authority (CNPD)? Great question. The answer starts around Article 56 of the GDPR requiring the establishment or a lead supervisory authority.

Lead Supervisory Authority

Article 62(1)(2) says supervisory authorities, where appropriate, shall conduct joint operations and investigations for enforcement measures with other interested member states. It goes on to say that where controllers or processors are established in more than one member state or a significant number of data subjects are involved, each member state has a right to participate in the operation. This serves two purposes. First, it allows individuals to lodge a complaint in one place, with their local authority. This prevents individuals from having to contact authorities in different countries and provides an easier path to remedy. Additionally, it allows a company with locations in more than one member state to have a lead authority established (Article 56(1)(4)) where they can better manage a potential violation. In other words, it’s easier for an individual to seek remedy and easier for a company to make something right or defend themselves.

Win Win Of Lead Supervisory Authority
The ability to lodge a complaint locally and manage from a one-stop-shop represents a win-win for both companies and individuals for GDPR compliance.

Conclusion

At the moment, there isn’t a conclusion to the $888m GDPR fine against Amazon Europe Core. We see very clearly that supervisory authorities have an appetite for action against big tech companies, like Amazon. Cooperation between Luxembourg’s authorities and France’s has allowed the complaint to move forward and Amazon to address the matter from a single point. While the final outcome is unlikely to be known for quite some time, this part of the process seems to serve the interests of both the individual and the company.

Recent Posts

Categories

Schedule a Free Consultation

We'll respond within 24 hours to schedule a call with one of our firm's partners. No pressure! We're IT/compliance folks and not pushy — and we like that about us.

FREE CONSULTATION
Scroll to Top