A new European General Data Protection Regulation (GDPR) complaint against Amazon, filed by a privacy activist organization, could cost the e-commerce giant quite a bit of money if it holds up. The complaint alleges that Amazon’s internal email security is lax, lacking the ability to encrypt emails sent between the platform’s third-party sellers and their customers.
Given the sheer number of email security violations this would involve on a per-person basis, the complaint could be very costly for Amazon – up to 4% of the company’s annual global turnover, which was $280 billion in 2019. But how strong is the case?
Amazon’s alleged email security issue
The GDPR complaint was brought by the privacy advocacy group NOYB, which is headed up by activist Max Schrems. Schrems, a lawyer by trade, has a history of privacy actions of this nature dating back to 2011. Then a law student, he was able to get Facebook’s data collection practices audited in the European Union. This campaign of action culminated in the 2015 dissolution and rebuild of the US-EU Safe Harbor framework. Since the GDPR went into effect, NOYB has been aggressive in filing complaints against other tech giants such as Apple Music, Netflix, Spotify and YouTube.
The GDPR complaint states that Amazon’s email servers, which route mail between third-party marketplace sellers and customers without either party having to reveal a personal email address if they do not want to, fail to allow baseline encryption. This would violate GDPR email security rules requiring verifiable Transport Layer Security (TLS) version 1.2 or newer to be used in these situations.
NOYB filed the email security complaint in Germany, which recently levied one of the largest fines to date (€9,550,000) against call center giant 1&1 Ionos. Germany has been one of the most active enforcers of the GDPR in its early years, but these have tended to be smaller fines until recently.
Luxembourg, which has yet to issue its first fine under the GDPR, might also become involved as Amazon has its EU headquarters there.
Previous GDPR complaints from NOYB
NOYB filed a barrage of GDPR complaints about a year ago that were targeted at the largest tech companies, Amazon included. The last wave of complaints addressed the automated systems that many EU companies are using to manage responses to requests for personal information. NOYB found that eight of these companies either did not provide all of the data that regulations require, or simply did not respond at all. Most did not provide the raw collected data that the GDPR requires them to, nor did they adequately disclose the purposes of data processing or the sources receiving it.
This followed a major 2018 campaign by the group that targeted “forced consent” policies among the bigger names in tech. NOYB argued that Android, Facebook, Instagram and WhatsApp, among other services, did not give the user a specific choice to opt out of the use of their collected data for ad targeting. These companies were still running on an “implied consent” model that assumed consent so long as the user continued making use of the services, something that the GDPR leaves little room for.
Is there a case against Amazon?
Much of the GDPR fine process is based on precedent. One data authority seemingly has to be willing to pull the trigger on a large fine before others will follow suit. Fines to date have largely centered on data breaches and violations of advertising requirements; there is little precedent for email security cases of the kind raised in the GDPR complaint that NOYB is bringing against Amazon.
One of Germany’s data protection authorities (North Rhine-Westphalia) did establish in early 2019 that emails must at minimum be encrypted while in transport. However, this opinion is limited to this specific supervisory authority. Other DPAs in Germany, let alone throughout Europe, have room to stake out their own positions on email security.
There are no real developments at this point beyond NOYB’s publishing of the details of its own GDPR complaint, but it at least appears to be solid. The complaint notes that attempted TLS connections are rejected by Amazon’s servers, and that this type of email is sent over plain Simple Mail Transfer Protocol (SMTP) without TLS, so its contents travel in clear text. In addition to exposing the supposedly anonymized email addresses of each party, these messages can contain sensitive information covered by the GDPR such as IP addresses, full names with home addresses, and other purchase details.
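As an added example (not from the article or the complaint), the check a mail administrator would run against their own relay to verify the two points the complaint turns on: whether the server advertises STARTTLS in its EHLO reply, and whether the upgrade succeeds under a context that requires TLS 1.2 or newer and verifies the certificate. The EHLO replies and the host name are constructed for illustration.

```python
import smtplib
import ssl

# Constructed sample EHLO reply bodies, in the form smtplib returns them
# (greeting line first, one extension keyword per line). Not real captures.
EHLO_WITH_STARTTLS = b"mail.example.test Hello\n8BITMIME\nSIZE 35882577\nSTARTTLS\nENHANCEDSTATUSCODES"
EHLO_WITHOUT_STARTTLS = b"mail.example.test Hello\n8BITMIME\nSIZE 35882577"


def ehlo_extensions(ehlo_message: bytes) -> set:
    """Return the set of extension keywords (upper-cased) advertised in an
    EHLO reply body; the first line is the server greeting, not an extension."""
    lines = ehlo_message.decode("ascii", errors="replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def advertises_starttls(ehlo_message: bytes) -> bool:
    """A relay that omits STARTTLS here forces every client to send in clear text."""
    return "STARTTLS" in ehlo_extensions(ehlo_message)


def strict_tls_context() -> ssl.SSLContext:
    """TLS 1.2 minimum with certificate and hostname verification enabled, so a
    server offering only TLS 1.0/1.1 or an unverifiable certificate fails the handshake."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_mail_server(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check (needs network access): connect, EHLO, and attempt the TLS upgrade.
    Records which step failed so the result can be logged or alerted on."""
    result = {"host": host, "starttls_offered": False, "tls_ok": False,
              "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, msg = smtp.ehlo()
            result["starttls_offered"] = advertises_starttls(msg)
            if result["starttls_offered"]:
                smtp.starttls(context=strict_tls_context())
                result["tls_ok"] = True
                result["tls_version"] = smtp.sock.version()  # e.g. "TLSv1.3"
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print(check_mail_server("mail.example.test"))  # placeholder host, will not resolve
```

A result with starttls_offered False, or with tls_ok False and an error naming the TLS version or certificate, is the condition the complaint describes and is worth alerting on.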
If the GDPR complaint is upheld, an Amazon fine would be determined by how many of these exposed messages contained sensitive personal information. This could potentially be massive, perhaps even every email ever sent through the system (which is certainly the position that NOYB is taking). Regardless of the eventual outcome, the case serves as an apt reminder of email security fundamentals for any organization (but particularly those doing business in the EU).