EU privacy regulator proposes $425M fine against Amazon

by Celine Castronuovo - 06/10/21 4:19 PM ET

A European Union privacy regulator has reportedly proposed issuing a more than $425 million fine against Amazon over alleged violations to European data privacy laws.

The Wall Street Journal reported Thursday that people familiar with the matter said that Luxembourg’s National Data Protection Commission, or the CNPD, had circulated a draft petition for fines to be imposed on Amazon across the EU’s 27 countries.

The CNPD serves as Amazon’s lead privacy regulator in the EU, with the multinational tech giant’s European headquarters located in the country’s capital of Luxembourg City.

The Journal reported that the draft proposal, which would need to be approved by other EU privacy regulators in order to take effect, cites alleged violations of Europe’s General Data Protection Regulation (GDPR), with Amazon’s collection and use of personal data.

One of the sources who spoke to the news outlet said the use of personal data was not related to the cloud-computing subsidiary, Amazon Web Services, though the person declined to elaborate on Amazon’s alleged privacy violations.

A CNPD spokesman said the regulator could not publicly comment on individual cases.

The Hill has reached out to Amazon for comment. An Amazon spokesman declined to comment to the Journal.

Amazon has previously defended its data practices, arguing that it makes the privacy of customers a top priority and works to comply with laws in each of the countries where it is present.

According to the Journal, the more than $425 million fine would account for roughly 2 percent of Amazon’s reported $21.3 billion net income for 2020, and 0.1 percent of its $386 billion in sales.

The GDPR, which went into effect in 2018, has forced several technology companies to reexamine their policies and how they use personal data from customers.

In March, a French start-up lobbying group said in a complaint that Apple’s latest operating software, iOS 14, allowed the company to carry targeted ad campaigns based on user data without explicitly asking for prior consent.

In April, Ireland’s privacy regulator launched an investigation into a Facebook data leak. The agency said Facebook could be found in violation of the GDPR for failing to notify regulators of the breach.