
Proposed GDPR Fine on Amazon Stems From Mystery Allegations Out of Luxembourg

Amazon is facing what would be the biggest fine to date under the EU’s General Data Protection Regulation, but it’s not yet clear to the general public exactly what the allegations are. The GDPR fine has been proposed by Luxembourg’s data protection commission, which has submitted a draft decision to the data protection authorities of the other EU member states. A confidential source who spoke to the Wall Street Journal said that the decision is related to Amazon’s privacy and data collection practices, but does not involve the Amazon Web Services (AWS) cloud computing service.

GDPR fine would set a record

Anonymous sources have told the Wall Street Journal that the Luxembourg National Data Protection Commission (CNPD) has proposed a $425 million GDPR fine. That would greatly exceed the current GDPR fine record, a $56.6 million penalty on Google in France for its data consent policies.

The CNPD is taking point on regulating Amazon in the EU as the international retail giant has its regional headquarters in Luxembourg. The proposed GDPR fine will have to be approved by other EU national regulators, a process that has taken a very long time to hash out in the past (particularly with cases involving big tech and large fine amounts). The process also involves debate over the terms of the penalty, which could mean a reduced fine amount in the end; this is what happened with Twitter’s eventual GDPR fine in late 2020, which was substantially reduced after two years of back-and-forth among regulators.

Amazon has declined to comment on the proposed GDPR fine thus far. The Wall Street Journal’s sources were not specific about what exactly Amazon is being fined for, only saying that it was a matter of collection and use of personal data under GDPR rules. It does not appear to involve Amazon AWS at this time.

Though the amount would set a record for GDPR fines, it is far below the maximum of 4% of global turnover allowed by the regulation’s rules. The proposed amount works out to about 0.1% of Amazon’s annual $386.1 billion in revenue. This new case illustrates a pattern of regulators taking it relatively easy on big tech, and often reducing large initial proposals after long periods of deliberation. Some critics have cast this as an intentional pattern that favors tech companies, pointing to more proportional fines for other industries. Whatever the purpose and intent, even the biggest GDPR fines on big tech to date have been relative scratches that have been very easy to recover from given the companies’ massive incomes. Even the current proposed “record setting” fine would likely be brushed off by Amazon with no real pain.

Partly due to the perception of this favoritism toward big tech, these companies will soon be under the terms of the European Commission’s Digital Services Act and its Digital Markets Act. This new set of rules, aimed specifically at tech companies, ups potential fines to 10% of global turnover and increases the level of responsibility over the content that online platforms host. While there has yet to be a strong indication that most EU nations are willing to go to the ceiling rather than the floor of these sorts of fines, the acts also create the ability for regulators to directly sanction social media and commerce platforms that are used by at least 10% of the EU’s population.

Other GDPR complaints on data collection and transfer

Amazon is already facing larger problems in the EU, with the European Commission having filed an antitrust complaint against it in November of last year. Under a different set of competition laws, Amazon could be looking at a loss of up to 10% of its global revenue as a consequence of this case (about $28 billion for the maximum fine). The case hinges on Amazon’s use of data collected from the third-party sellers on its platform to develop, choose and market its own brands of products that were in direct competition with the sellers it was harvesting valuable market data from. The complaint was upgraded to a formal investigation last week. Amazon has also been under investigation in Italy for the same reason since 2019.

The current data privacy case may be related to a recent lawsuit filed in Germany against Amazon, which asserts that the company is in breach of GDPR rules due to its data transfers to the United States. The Schrems II decision of 2020 invalidated the Privacy Shield transfer agreement that allowed the personal data of EU citizens to be moved to the US, arguing that US law subjects it to government seizure at any time. The German lawsuit asserts that Amazon continued to use the Privacy Shield framework into late 2020 at minimum, months after companies were told that the new Schrems II terms were enforceable.