According to a recent SEC 10-Q filing, Amazon has received the largest fine in GDPR history, 887 million dollars. Amazon’s GDPR fine is more than ten times the second largest fine in GDPR history, which was a 61 million dollar fine issued to Google. Furthermore, Amazon’s GDPR fine more than twice the aggregate amount of all fines issue since the law went into effect, 330 million dollars.
On July 16, 2021, the Luxembourg National Commission for Data Protection issued a decision against Amazon alleging that “Amazon’s processing of personal data did not comply” with the GDPR. Additionally, Amazon is required to put “corresponding practice revisions,” in place. According to Amazon, “[t]he decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.” Amazon intends to fight back on the decision, stating that it is “without merit.”
GDPR Enforcement and Precedent
The European Union’s General Data Protection Regulation (GDPR) has been in effect for several years now, and businesses have had ample time to become compliant with its many complex provisions. Enforcement of the GDPR has been increasing in recent years, with the number of reported fines more than doubling over the course of 2020. Corresponding to the increased enforcement, we are seeing businesses take the GDPR more seriously to avoid potential fines. In total, 281,000 data breach notification have been sent since the GDPR went into effect, with an average of 331 breach notifications sent per day in 2020 (a 20% increase from 2019).
Effect of Amazon’s GDPR Fine
Even if Amazon is successful in reducing this fine, which is not unusual for a GDPR fine, the precedent of a fine this large cannot be understated. With the uptick in compliance measures following the smaller fines than have been issued, it is safe to assume that a headline grabbing enforcement penalty against such a high profile company will further encourage increased compliance from companies of all sizes. That said, even this massive fine pales in comparison to what the data privacy regulators could have issued, up to 4 percent of global revenues.
