Amazon is potentially facing the biggest ever GDPR fine

A quarterly earnings report has revealed that Amazon is potentially facing the biggest ever GDPR fine- €746 million (approx. Rs. 65 thousand crores) – that Luxembourg’s data protection regulator has imposed for unlawful processing of personal data. Besides, the regulator has also directed “corresponding practice revisions.”

The ruling was handed on 16th July, possibly in a complaint filed by French advocacy group La Quadrature du Net against Amazon’s targetted advertising practices. If the regulator confirms the fine, it would be the largest data protection penalty ever- almost 15 times greater than the previous highest.

The One-Stop-Shop Principle

Article 56 of the GDPR says that the supervisory authority of the main establishment of the data controller or processor shall be competent to act as a lead supervisory authority. In contrast, a supervisory authority that is not a lead supervisory authority shall handle a complaint lodged with it with the lead supervisory authority.

The Luxembourg National Commission for Data Protection (CNPD) confirmed to IT Pro that the decision was made on the basis of the one-stop-shop principle, set out in Article 60 of the GDPR.

This essentially means that the Luxembourg regulator was nominated as the lead supervisory authority to investigate the allegation of a GDPR violation across EU territories.

Also read: DPA can investigate even if it’s not the lead data supervisor under GDPR.

Why is the case not public?

The CNPD says that Luxembourg’s local data protection laws mandate the authority to maintain ‘professional secrecy’ while taking regulatory action. The regulator, hence, cannot publish details of the case until Amazon’s deadline for appeals expires.

Amazon said in its filing that it believes the CNPD’s decision to be “without merit” and intends to defend itself “vigorously in this matter”, indicating its intent to appeal against the decision.

Speaking to The Verge, it said, “The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”


Do subscribe to our Telegram channel for more resources and discussions on tech-law. To receive weekly updates, don’t forget to subscribe to our Newsletter.

Rohit Ranjan Praveer

Rohit is a practicing advocate at Delhi. Beginning as a tech enthusiast, Rohit always had a keen interest in computer forensics and information security. Building upon these fundamentals, he has undertaken extensive research on various techno-legal topics and continues his pursuit pass on valuable information to the masses, with a zeal to build something that outlasts him.​

Share your thoughts!

This site uses Akismet to reduce spam. Learn how your comment data is processed.