Amazon is the largest e-commerce company in the world. It offers a range of software products. It collects a lot of information from its customers and re-sellers. This helps them to improve the customer service. However, this data can help Amazon to improve its own products in its own marketplace. It knows a lot about the product selling patterns in different geographies and in different locations.
Penalties Under GDPR
Though there was no data breach, the data protection authorities can still impose penalties. GDPR is a powerful enactment. It allows the authorities to impose a fine on a company for the amount equivalent to 4% of the revenues of the company. While GDPR allows potentially huge fines to be issued, the reality is that it is yet to pick the pace. Up to the start of 2021, a total of $322 million in GDPR fines had been issued by all of Europe’s regulators combined.
What is CNPD?
Commission Nationale pour la Protection des Données is also known as CNPD. It is also the National Data Protection Commission of the Luxemborg.
CNPD is financially and administratively autonomous. It verifies the legality of the processing of personal data and ensures the respect of personal freedoms and fundamental rights with regard to data protection and privacy.
CNPD imposes fines under the European Union’s data protection law. Its first enforcement was in May 2021 when it penalized the unknown owner for 1900 Euros. This agency has issued small fines against a cafe owner and an Insurance company too. But its biggest fine came against Amazon at 746 million euros ($888 million). It is interesting to note that Luxembourg was Amazon’s choice to funnel the GDPR complaints. Companies doing business in multiple European countries can choose one country as their data regulator.
Amazon chose its European Headquarters in Luxembourg.
It is fine for non-compliance with general data processing principles. GDPR applies to all organizations worldwide that are handing European Union (EU) citizen data.
Additionally, GDPR finally delivered more than just a slap on the wrist, and just in time to put a stop to remarks and criticism of the EU enforcement system.
Reasons for Penalty on Amazon
The investigation was triggered by a 2018 complaint from the French privacy rights group La Quadrature du Net. It promotes and defends fundamental freedoms. Additionally, 10000 people supporting this group were part of this complaint.
The CNPD has taken steps of investigating Amazon Data Protection and the Data software. They will get to know the overall process of Amazon and how they collect the personal data of its customers. The CNPD analyzed the different types of infringements that have taken place in the Amazon Advertising targets. Hence, The Amazon Advertising targets proceeded without any consent of anyone.
Collecting advertising data from customers without their consent may be a violation as the law requires to use of clear, plain language to collect the private customer data.
The Luxemburg action against it is vital as it shows how powerful GDPR can be? Though there was no information available about the exact reasons of this fine, professional secrecy laws could be the reason for the same.
Prior GDPR Fines on Amazon
However, this was not the first case of the GDPR violation by Amazon. In late 2020, CNIL, fined Amazon 35 million euros for placing advertising cookies on users’ computers. CNIL stands for Commission nationale de l’informatique et des libertés. CNIL cites the reason for its penalties. The report says that without obtaining prior consent and adequate information amazon was placing cookies on the customer’s computers.
The repercussions of the case
Amazon has strongly disagreed with the statement put up in the CNPD decision. They filed an appeal against this decision. They also opposed the statement saying that they haven’t done anything which is in violation of the law. Therefore, they appealed against the decision of CNPD in the courts. Even if Amazon is successful in reducing the same in the court of law, by far this was the biggest penalty in the history of the GDPR till 2022.
