Amazon faces possible fines totaling €350 million for alleged GDPR violations.
Luxembourg’s privacy regulator, the CNPD is proposing a fine of at least €350 million on Amazon.com Inc, relating to alleged violations of the GDPR. Before this draft decision can become final, it must first be approved by other EU privacy regulators. A final decision could take months and may result in a fine higher or lower than the proposed amount. This possible fine has the potential to be the bloc’s biggest penalty yet. While the amount is roughly 2% of the company’s reported net income for 2020, and the latest proposed sanction this far, some other EU regulators argue that it may not be enough. The alleged violations are related to Amazon’s collection and use of personal data.
The alleged violations by Amazon are related to the company’s collection and use of personal data.
The draft decision for the sanction has been circulated among the bloc’s 26 other authorities. Because Amazon’s EU headquarters is based in the Grand Duchy, the CNPD, Luxembourg’s data protection commission is the lead authority issuing this fine. The proposed fine is related to alleged violations of the EU’s GDPR, with regard to Amazon’s collection and use of personal data, however this is not linked to his cloud computing business, or Amazon Web services. Months ago, whistles were blown on the tech giant regarding privacy and compliance issues from former information security employees. According to Politico, three individuals were anonymously interviewed and identified as former high level employees of the company, who raised flags over issues relating to the security of customers’ information not being prioritized as it should. Due to the status of legal proceedings however, the privacy regulator was unable to provide very many details on the specifics of the alleged violations being brought against the tech giant.
According to the whistle-blowing former information-security employees, data stored by Amazon is at risk, as there is a lack of clarity on what data is being stored, where it is stored and who can access it. As a result it would be severely difficult for Amazon to fulfill a request from a customer wanting to exercise their right to erasure,as it would be impossible for the company to identify all of the places where every bit of information is stored. Article 17 of the GDPR states that data subjects have the right to request that all their personal data be erased by a data controller, and to have that request fulfilled without delay. Representatives from Amazon maintain that the privacy of its customers is a priority and that it complies with the laws of the countries where it operates.
Amazon faces possible fines of record-breaking status, which could possibly climb higher by the time a final decision is reached.
While the proposed amount of this fine would be a record-breaking fine for EU regulators, due to the size of the company among other factors some regulators feel that this may not be enough. According to the GDPR, a fine of up to 4% of the company’s annual revenue may be imposed for violations. The proposed fine is only 2% of Amazons reported net income for 2020, which totaled approximately €17.5 billion. While the final decision may feature a higher or lower fine, the decision making process, which could take several months, does have the potential to double the proposed fine amount, according to the GDPR. This draft decision is one of many privacy enforcement above being taken against tech giants like Amazon. Ireland’s privacy regulator has also expressed intent to make draft decisions against other tech giants, the likes of which may include Facebook, Google and Apple, which are all headquartered in Ireland.