Amazon Hit With $885 Million GDPR Fine
Online Retailer Plans to Appeal the Decision Handed Down by EU Regulators
Amazon reports that it's been fined 746 million euros ($885 million) under the European Union's General Data Protection Regulation for violating privacy rights in its advertising program.
The fine was levied by Luxembourg's data authority, known as the National Data Protection Commission, aka CNPD, on July 16. But the fine wasn't made public until Friday, when Amazon released its second-quarter 2021 financial statement.
"We strongly disagree with the CNPD's ruling, and we intend to appeal," an Amazon spokesperson tells Information Security Media Group. "The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation."
The spokesperson adds: "Maintaining the security of our customers' information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party."
Regulators say Amazon's processing of personal data did not comply with GDPR requirements, and the company acknowledged it has been ordered to change its business practices, CNN reports.
The fine was issued by authorities in Luxembourg because that's the location of Amazon's European headquarters. The CNPD has not yet issued a statement on the fine and did not immediately reply to a request for comment.
"The decision also seems to be based on an assumption that some usage of user personal data in personalized advertising was/is unlawful," tweeted cybersecurity and blockchain expert Michèle Finck, senior research fellow for the Max Planck Institute for Innovation and Competition in Germany. "The decision could thus have considerable implications for personalization practices across the digital economy."
Setting a New Record?
If the fine is upheld, it would be the largest issued under GDPR, surpassing the $56 million fine against Google in January 2019.
GDPR empowers EU data protection authorities to impose fines of up to 20 million euros ($23 million) or 4% of an organization's annual global revenue - whichever is greater.