Blog details

Record EU GDPR fine repealed by Amazon

Record EU GDPR fine repealed by Amazon

Amazon has repealed the record EU GDPR fine on the basis that there was no data breach.


In July, we reported that Amazon was facing a possible fine for alleged GDPR violations totalling €350 million. According to this Bloomberg report, Amazon is now repealing this fine, which stands at €746 million. The CNPD, Luxembourg’s privacy watchdog hit Amazon with this record-breaking fine, claiming that it’s processing of user data was a violation of the EU GDPR. This fine is the result of a 2018 complaint from French privacy rights group La Quadrature du Net.


Amazon has repealed the record EU GDPR fine, claiming that there has been no data breach.


Amazon has disagreed with the CNPD’s findings, claiming that there has been neither a data breach, nor any customer data exposed to a third party. The world’s largest online retailer has also stated that there are guidelines as to what employees are allowed to do with customer data, which is collected in order to improve the customer experience. Some lawmakers and regulators have voiced concerns that the data collected is being used to give the company an unfair advantage in the marketplace. Amazon is being scrutinized by EU authorities over its use of data from sellers on its platform as they question whether it unfairly favors its own products.


The initially proposed fine of roughly 2% of Amazon’s global sales rose to the maximum fine under the EU GDPR – 4% of the company’s annual global sales.


Under the EU GDPR, regulators can fine companies up to 4% of their annual global sales. The fine proposed at first was roughly 2% of Amazon’s global sales at €350 million, but following the gaining of approval from other regulators in the Bloc, the fine now stands at €746 million. This fine is related to alleged compliance issues surrounding the company’s collection, storage and use of user data.

While Amazon stated that there has been no data breach, sources claim that their manner of storing user data violated the GDPR.


While Amazon claims that there has been no data breach, according to whistleblowers who previously worked with the company as information security officers, the manner in which data is stored on Amazon’s databases make it impossible for the company to comply with Article 17 of the GDPR. Article 17 states that data subjects have the right to request that all their personal data be erased by a data controller, and to have that request fulfilled without delay. Allegedly, data stored by Amazon is at risk, as there is a lack of clarity on what data is being stored, where it is stored and who can access it, making it impossible to fulfill the requirements of Article 17 of the EU GDPR.



Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Prev post
Fine for unlawful CCTV monitoring in the reception area of a salon
November 2, 2021
Next post
Monitoring data processors: guidance from Danish DPA
November 9, 2021

Leave a Comment