$888 million! Now, that’s what you’d call a ‘proper’ GDPR breach fine - and the ‘lucky’ recipient is Amazon, courtesy of the Luxembourg National Commission for Data Protection (CNPD).
It’s the largest GDPR fine levelled to date by a European Union (EU) body, one that makes the €50 million ($56.6 million) thrown at Google look (even more) like peanuts by comparison. (British Airways was fined more than $254 million in 2019, but that fine was reduced to about $30 million on appeal.) The Google fine was slapped on as a result of the firm not correctly obtaining consent when processing user data.
The Amazon penalty comes on the back of…well, it’s not explicitly clear, as despite the landmark size of the fine, no one is particularly ready to open up about the ins and outs at the moment. News of the fine, which was imposed in the middle of last month, only slipped into the public domain via Amazon’s latest regulatory 10-Q filing with the US Securities and Exchange Commission, where it was cited among the ongoing legal actions in which the firm is involved:
On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation. The decision imposes a fine of €746 million and corresponding practice revisions. We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.
For its part, the CNPD confirmed that it issued the decision but insisted that it could not comment on individual cases as it is “bound by professional secrecy.” In addition, it stated:
The publication of our decisions is considered as a supplementary sanction. Therefore, we cannot publish any decision before the deadline for appeals has expired.
And Amazon, of course, has every intention of appealing as it further confirmed in prepared media statements:
Maintaining the security of our customers’ information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.
Wake-up call for data authorities?
What appears to have happened is that the fine is the outcome of a complaint made by French privacy group La Quadrature du Net back in 2018. The group, which acts in the interests of Europeans to counter misuses of data by Big Tech, filed a collective complaint on behalf of 10,000 others.
The group was more open about the backdrop to date in its own blog posting late last week:
The decision, revealed by Bloomberg, suffers from no ambiguity: the targeted ad system that Amazon forces onto us is not based on free consent, which is a violation of the GDPR. As such, the corporation is fined to the tune of €746 million. Amazon’s reaction to this historic sanction is to complain to Bloomberg, pretending not to understand what is at stake: “There has been no data breach, and no customer data has been exposed to any third party”. Rightly so: it is the system of targeted advertising itself, and not merely occasional security breaches, that our legal action attacked. This historic fine hits straight to the heart of Big Tech’s predatory system, and should be celebrated as such.
It’s a landmark fine, argues La Quadrature du Net, and one that should be seen as a warning shot for data protection authorities around the EU to do their jobs in enforcing GDPR and protecting user rights:
This decision breaks a three-year silence which had started to make us expect the worst... This “party is over” sanction puts in even starker contrast the blatant abdication of the Irish Data Protection Agency who, in three years, was not able to close a single one of the four other actions we lodged against Facebook, Apple, Microsoft and Google.
The Luxembourgish authority’s position is also a cold shower for the French CNIL who, for a long time, stood as the data protection champion in the European landscape. Today, the CNIL is but a shadow of its former self: our collective actions were initially lodged before it and would have given it a perfect opportunity to take the reins of enforcing the GDPR against the systemic violations of personal data and privacy, which lie at the heart of the business model of the Web Giants.
And it warned both Big Tech and regulators alike that this penalty has given the group a shot in the arm:
Just as we were starting to fear that any useful legal action against Big Tech had become impossible, hope came from Luxembourg (not something we had anticipated!), taking our motivation back to our 2018 levels. Business models based on domination and exploitation of our privacy and our free consent are disturbingly illegitimate and go against the values that our democratic societies claim to defend.
Undoubtedly many people will smile at the thought of Amazon being hit with a fine of this size - although it’s still pretty small potatoes for such a global behemoth - but the firm still has recourse to appeal, so let’s not comment too much on that until due process is complete.
Of more interest to me is the point made by La Quadrature du Net about the responsibilities of local data protection authorities to step up to the mark and use the powers at their disposal to support and protect end-user interests. Again, there are ongoing legal actions to be factored in here that limit commentary, but without being specific, there are a number of historic incidents of that not happening in practice, as well as suspicions of passing the buck to others, presumably for wider political or commercial national interests. There’s no point in having a big stick if you’re not prepared to pick it up and use it from time to time.