Amazon GDPR fine signals expansion of regulatory focus


Amazon has been hit with the largest GDPR fine to date, although how the company violated the European Union’s data privacy law remains unclear.

The Luxembourg National Commission for Data Protection issued Amazon a fine of $887 million, claiming Amazon’s “processing of personal data did not comply with the EU General Data Protection Regulation,” Amazon revealed in a U.S. Securities and Exchange filing on July 29. Amazon, which has its European headquarters in the city of Luxembourg, noted in the filing that it believes the decision to be “without merit” and the company is appealing the decision.

The original complaint was filed by the French civil liberties group La Quadrature du Net in 2018, which alleged Amazon’s advertising practices didn’t rely on consumers’ freely given consent. But why the subsequent fine was issued is fairly secretive, said Ryan O’Leary, research manager at IDC, who is covering privacy and legal technology. Prior fines have been linked to data breaches, but O’Leary said he believes the Amazon GDPR fine leans more toward the “true spirit” of the law to protect individuals from the unlawful processing of their data without consent.

“We haven’t really seen the teeth of GDPR bared at all,” O’Leary said. “It’s refreshing to see the law is actually being used to enforce what it’s meant to enforce, which is, essentially, leveling the playing field between the data subject, or the citizen, and these giant corporations.”

Amazon hints at consumer consent issue

O’Leary said when computer cookies, or data used by websites to identify a user, were developed and embedded into the users’ internet experience, tech giants like Amazon and Google understood the power of that feature before the average consumer did.

“They were able to advertise, specifically, to folks and guide consumer decisions without the consumers knowing,” he said.

GDPR was developed to ensure consumers were provided more transparency about their online experience and given more agency over how their data is used, which is why O’Leary said he believes the hefty GDPR fine leveled against Amazon is about consumer consent.

O’Leary said options like consent to process user data are often embedded deep inside lengthy terms and conditions from companies like Amazon and are often nonnegotiable.

But Article 7 of GDPR states that if the consent to process user data is buried within a lengthy declaration concerning other matters such as terms and conditions, it needs to be specifically called out and made clear as to what users are consenting to.

“We don’t really have a good test case for what unlawful processing in the context of advertising and terms and conditions looks like under GDPR, so I think that’s what this is going to be about,” he said.

Indeed, an Amazon spokesperson said there has been no data breach and no exposure of customer data to any third party — pointing to the fine being aimed at something else.

“The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” according to an Amazon spokesperson.

O’Leary pointed out that GDPR is still nascent, having become a law in 2018. Although data breaches addressed by GDPR have been “cut and dried,” other aspects of data privacy, such as consent, were less straightforward and, likely, needed further investigations before they could be enforced, he said.

“I’m wondering if this is signaling that these larger, more complex investigations are coming to an end, and we’re going to start seeing some dominoes fall here,” O’Leary said.

Indeed, Alan Pelz-Sharpe, founder of consulting firm Deep Analysis, said the Amazon GDPR fine shows a seriousness from the EU to regulate big tech not just for data breaches, but for data privacy practices.

“GDPR was designed to protect personally identifiable information [PII] and ensure data privacy; it’s not limited to simply pulling data out of a jurisdiction without consent or in suffering a data leak,” he said. “It is about how you make use of PII, not just how and where you store it. That’s important and something all the big tech firms should have … already been aware of.”


  • The U.K. is considering stopping Nvidia’s acquisition of chipmaker Arm Ltd., according to Bloomberg. The U.K.’s Competition and Markets Authority delivered a report to U.K. Culture Secretary Oliver Dowden in July on whether the deal could be anticompetitive or if it poses potential national security concerns. According to Bloomberg, sources have said the report contains worrying national security concerns regarding the deal, and the U.K. is inclined to reject the acquisition.

Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.
