The previous record holder for the highest fine received for GDPR violations was Google who received a €50 million penalty. However, Amazon was recently fined an eye-watering €746 million, signaling that violating privacy rules in the EU is getting a lot more expensive as time goes by.
Amazon seems to be doing relatively well under its new leadership, but the company’s growth is slowing down and the shortcuts taken to achieve its gargantuan size are biting again. The retail giant has been fined a whopping €746 million ($885 million) after Luxembourg’s National Data Protection Commission (CNPD) found the company had violated GDPR rules when processing personal data.
The Wall Street Journal spotted the fine in a security filing, where the company disclosed that it was issued two weeks ago after the CNPD concluded an investigation into Amazon’s advertising practices.
Amazon noted in the filing the CNPD asked it to revise its advertising practices, but the company didn’t reveal any details about the proposed changes. Either way, Amazon isn’t happy about the fine, and believes “the decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law.”
The company plans to appeal the decision in court, and argues the proposed fine is “entirely out of proportion.” GDPR rules allow for the penalty to be €20 million or 4 percent of a company’s annual global revenue, whichever is higher. Back in June, the Wall Street Journal saw a CNPD draft where the fine was set at $425 million, but that amount more than doubled after other EU privacy regulators weighed in on the matter.
Last year, the European Commission revealed the results of a separate investigation into how Amazon promotes its own products in the region. Specifically, the EU commissioners found that Amazon used third-party seller data from its marketplace to bolster its own products.
Depending on the outcome of that investigation, Amazon could be fined up to $28 billion.
GDPR enforcement seems to be taking a turn after privacy advocates have repeatedly criticized the European Commission for moving too slowly and applying small fines that do little to dissuade companies with deep pockets. For a company like Amazon, $885 million is still pocket change, but it’s more than an order of magnitude higher than the $57 million Google had to pay for violating GDPR rules.