Why Amazon’s £636m GDPR fine really matters

We were promised huge fines and GDPR has finally delivered. Last week, Amazon’s financial records revealed that officials in Luxembourg are fining the retailer €746 million (£636m) for breaching the European regulation.

The fine is unprecedented: it’s the biggest GDPR fine issued to date and is more than double the amount of every other GDPR fine combined. The financial penalty, which Amazon is appealing, comes at a time when GDPR is feeling the strain of lax enforcement and measly fines. Experts say companies are allowed to get away with abusing people’s privacy as GDPR investigations are too slow and ineffective. Some people even want GDPR to be ripped up entirely.

But Luxembourg’s action against Amazon stands out for two reasons: first, it shows the potential power of GDPR; second, it exposes cracks in how inconsistently such regulations are applied across the EU. And for both of these reasons it is arguably the most important GDPR decision issued.

“With so many large cases piling up in front of regulators, we were really waiting for one of those cases to be resolved to show that the GDPR basically has teeth,” says Estelle Massé, the global data protection lead at non-profit internet advocacy group Access Now. La Quadrature du Net, the French civil liberties group that originally made the complaint against Amazon, said that regulators had given it “hope” that legal action could be brought “against Big Tech”.

Despite the headline-grabbing fine, little is really known about the details of what Amazon has been fined for. The case was taken on by officials in Luxembourg as the country acts as Amazon’s main base in Europe. The tiny nation has historically been labelled as a tax haven – although accusations of Amazon avoiding tax in the country have been rejected by the European courts. But by fining Amazon, Luxembourg’s National Commission for Data Protection has, at least for the short-term, launched itself into the pro-privacy spotlight.

La Quadrature du Net’s original May 2018 complaint, which was filed on behalf of 10,000 people, claimed that Amazon’s advertising system isn’t based on “free consent”. But that’s about all we know. The Luxembourg regulator says it issued a decision against Amazon on July 15 but it hasn’t published any more details. A spokesperson for the authority says that “professional secrecy” laws in Luxembourg mean it can’t publish any details until an appeal process has been completed. And Amazon – which is incredibly data hungry – says it will appeal the fine.

“There has been no data breach, and no customer data has been exposed to any third party,” an Amazon spokesperson says. That’s all well and good, but companies don’t need to have suffered a data breach to break GDPR rules. The spokesperson goes on to claim that the ruling in Luxembourg, which is based on how it shows customers “relevant advertising” is based on “subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation”.

Amazon may have a point. It’s possible that any appeal process or negotiations may bring the fine down – last year the UK data protection regulator’s fine against British Airways dropped from £184m to just £20m. Another, against hotel group Marriott, was reduced from £99m to £18m.

The €746m Amazon fine is far bigger than anything that’s come before – a €50 million fine against Google holds the current record. While GDPR allows potentially huge fines to be issued, the reality is that it was always unlikely regulators would issue them. Up to the start of 2021, a total of €272m in GDPR fines had been issued by all of Europe’s regulators combined, according to analysis from law firm DLA Piper. Italy’s data protection body, which had issued €69.3m in fines, has led the way. Germany (€69m), France (€54m) and the UK (€44m) follow.

While that list contains some of the most populous countries in Europe, it doesn’t include Europe’s most important data protection authorities – Luxembourg and Ireland. Under GDPR laws, companies that operate across multiple countries in Europe can select one country – where their main office is based – to act as the nation where complaints are funnelled through. This process is called the one-stop-shop mechanism. Before a decision – which can include a fine or enforcement action that can make companies change their behaviour – is issued, all the European nations that are interested in the case are given a right to reply.