
Amazon Hit With $885 Million GDPR Fine

Online Retailer Plans to Appeal the Decision Handed Down by EU Regulators

Amazon reports that it's been fined 746 million euros ($885 million) under the European Union's General Data Protection Regulation for violating privacy rights in its advertising program.


The fine was levied by Luxembourg's data authority, known as the National Data Protection Commission, aka CNPD, on July 16. But the fine wasn't made public until Friday, when Amazon released its second-quarter 2021 financial statement.

"We strongly disagree with the CNPD's ruling, and we intend to appeal," an Amazon spokesperson tells Information Security Media Group. "The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation."

The spokesperson adds: "Maintaining the security of our customers' information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party."

Regulators say Amazon's processing of personal data did not comply with GDPR requirements, and the company acknowledged it has been ordered to change its business practices, CNN reports.

The fine was issued by authorities in Luxembourg because that's the location of Amazon's European headquarters. The CNPD has not yet issued a statement on the fine and did not immediately reply to a request for comment.

"The decision also seems to be based on an assumption that some usage of user personal data in personalized advertising was/is unlawful," tweeted cybersecurity and blockchain expert Michèle Finck, senior research fellow for the Max Planck Institute for Innovation and Competition in Germany. "The decision could thus have considerable implications for personalization practices across the digital economy."

Setting a New Record?

If the fine is upheld, it would be the largest issued under GDPR, surpassing the $56 million fine against Google in January 2019.

GDPR empowers EU data protection authorities to impose fines of up to 20 million euros ($23 million) or 4% of an organization's annual global revenue - whichever is greater.


About the Author

Doug Olenick


Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He has also contributed to Forbes.com, TheStreet and Mainstreet.



