Luxembourg hits Amazon with EU's biggest data fine
Luxembourg’s data protection watchdog has proposed a fine of more than $425 million (€349 million) against Amazon, in what would be the biggest ever penalty under the EU’s privacy law, the Wall Street Journal said on Thursday.
The CNPD (Commission Nationale pour la Protection des Données) has circulated a draft decision proposing the fine among the EU’s 26 other data protection authorities, the US business newspaper said in a report.
A spokesman for Amazon in Luxembourg declined to comment. The CNPD also declined to comment.
The CNPD is the lead regulator for major corporations such as Amazon which have their European headquarters in Luxembourg.
The proposed fine relates to alleged breaches – linked to Amazon’s collection and use of personal data - of the EU's General Data Protection Regulation, or GDPR, which was introduced in May 2018.
The penalty is not connected to the corporate giant’s cloud-computing business, Amazon Web Services, the newspaper said, quoting sources close to the matter.
Any draft decision has to be agreed by the EU’s other national regulators, which could delay a final outcome by several months and result in any penalty being reduced or increased. There have been a number of objections to the draft penalty already, according to the Journal.
The EU’s 2018 data protection legislation allows for regulators to impose fines of up to 4% of a company’s annual revenue. The draft Luxembourg proposal, if implemented, would represent 2% of Amazon’s reported net income last year of $21.3 billion (€17.4 billion) and 0.1% of its sales of $386 billion (€316.7 billion).
The proposed fine would far outstrip the previous largest penalty of €50 million from France's watchdog against Google. Ireland, which is responsible for monitoring several of the big tech companies, has come in for criticism for the slow pace of its investigations. It fined Twitter €450,000 last year, its only final decision concerning a big tech company to date.
Prior to this year, the CNPD was one of the few national watchdogs which had not imposed any fines relating to breaches of GDPR. It issued details of its first fines on its website earlier this week.
(Additional reporting by Douwe Miedema)