Amazon hit with record $888M fine over GDPR violations

EU data protection laws look to be incompatible with the way the online retailer processes customer information, according to Luxembourg.

Katie Collins Senior European Correspondent
Katie a UK-based news reporter and features writer. Officially, she is CNET's European correspondent, covering tech policy and Big Tech in the EU and UK. Unofficially, she serves as CNET's Taylor Swift correspondent. You can also find her writing about tech for good, ethics and human rights, the climate crisis, robots, travel and digital culture. She was once described a "living synth" by London's Evening Standard for having a microchip injected into her hand.
Katie Collins
2 min read

Amazon has received a huge fine in the EU.

SOPA Images/Getty

Amazon quietly took a big hit earlier this month, as the company was issued the largest ever fine for data protection violations in Europe. On July 16, Luxembourg's data protection authority told Amazon it would have to pay a penalty of 746 million euros ($888 million) for violating the EU's strict data protection laws, known as the GDPR .

The fine came from Luxembourg's CNPD following an investigation into the way Amazon processes customer data, and was revealed in a regulatory filing by the company on Friday, according to Bloomberg. The CNPD hasn't commented publicly on its decision and didn't immediately respond to request for comment.

Its investigation into Amazon was based on a 2018 complaint by French privacy group La Quadrature du Net. The group says it represents the interests of thousands of Europeans to ensure their data isn't used by big tech companies to manipulate their behavior for political or commercial purposes. It didn't immediately respond to request for comment.

Amazon is under growing scrutiny both at home and abroad over the way it uses customer data. Regulators are concerned that not only could the company's data processing policies violate privacy protections for consumers while they're shopping online, they might give the company an advantage over competitors operating within its marketplace. Meanwhile, Amazon is keen for customers to know that their data is safe, and unlike many GDPR fines, this one hasn't been issued due to a data breach.

"Maintaining the security of our customers' information and their trust are top priorities," said an Amazon spokesman in a statement on Friday. "There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed."

In 2018, data protection authorities across Europe were given greater powers to wield against companies that failed to protect people's data or use it appropriately with the introduction of the GDPR. If companies fail to meet their obligations, the national regulator of the European country in which they're based has the ability to issue fines of up to 4% of global revenue. As Amazon is based in Luxembourg, it is up to the CNPD to decide whether the company is abiding by the rules.

The Amazon spokesman said that the company strongly disagrees with the ruling and planned to appeal. "The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation," he said.