Amazon disclosed earlier today in its Q2 earnings report that the Luxembourg National Commission for Data Protection earlier this month ordered Amazon to pay €746MM ($887MM) as a result of claims that Amazon Europe Core Sarl improperly processed personal data in a manner not in compliance with the GDPR. Additionally, the Commission ordered Amazon to revise undisclosed business practices previously adopted by Amazon. Prior to this fine, the largest fine assessed under the GDPR had been a €50MM ($57MM at the time of the fine) penalty levied against Google by France’s data protection authority back in September 2020.
In response to the fine, Amazon issued a statement denying that any data breach had occurred and disputing the validity of the fine, but also proclaiming that the security of its customers’ information remains a top priority of the company.
Under the GDPR, companies can be fined as much as 4% of their annual global sales. Amazon reported $21+B in revenue in 2020, and thus the Luxembourg fine amounts to slightly more than the 4% maximum-allowed fine. The size of the fine certainly suggests that EU regulators are moving beyond their self-imposed grace period of ramping up GDPR compliance requirements and are now at a point of seeking maximum fines to impose conformity with the GDPR.
Nixon Peabody’s Cybersecurity and Privacy Team will continue to monitor developments.