On Thursday of last week Amazon submitted a regulatory filing to the US Securities and Exchange Commission (SEC) that disclosed they had received the largest fine for a data protection infringement in history.
The Company is involved from time to time in claims, proceedings, and litigation… On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation. The decision imposes a fine of €746 million and corresponding practice revisions. We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.
You might normally anticipate that a EUR746mn (USD888mn) fine would lead to a statement by the data protection authority that imposed it, but Luxembourg’s CNPD does not work that way. CNPD were responsible for handling this complaint because Amazon’s European headquarters are in Luxembourg, but unlike other European data protection agencies, they take the unorthodox approach of treating every complaint as a wholly private matter. So whilst Amazon has been told of CNPD’s ruling, the rest of the world only found out because Amazon needed to disclose it to the SEC. Even the originators of the complaint, French advocacy group La Quadrature du Net, only learned they had prevailed courtesy of a news article in Bloomberg. The result evidently came as a shock to La Quadrature du Net, because as recently as May they stated CNPD had not even acknowledged receipt of the complaint, even though it was submitted soon after GDPR came into force in May 2018!
Bloomberg initially made the mistake of reporting that the infringement concerns a data breach when the substance of this case has far wider potential ramifications. The secrecy surrounding CNPD will create a headache for lawyers wanting to analyze this case, but La Quadrature du Net’s complaint centered on Amazon processing personal data in order to present tailored advertising to customers without first obtaining the customer’s consent. The wording of La Quadrature du Net’s CNPD submission about Amazon (in French) highlights the sections of GDPR that require a consumer to be able to access a service, such as making a purchase through Amazon, without being forced to accept extraneous processing of their personal data, such as the automated prediction of other products they may want to buy. If CNPD has accepted the argument that a business cannot serve behavioral adverts without first receiving consent from customers, this could soon translate into an effective EU-wide ban on advertising that reflects a customer’s past behavior.
Note that this case does not even concern the transmission of personal data from one business to another for the purpose of advertising. The complaint covered Amazon ads that were presented on Amazon’s own platform and chosen by analyzing data Amazon obtained by monitoring the purchasing and browsing habits of their own customers. Amazon told Bloomberg that “there has been no data breach, and no customer data has been exposed to any third party”. These assertions may be true, but they are not pertinent to the arguments put forward by La Quadrature du Net. A blog on the website of La Quadrature du Net said (translated from the French):
…the advertising targeting system imposed by Amazon violates GDPR by not obtaining our free consent.
…our complaints were meant to completely sweep aside the very system of targeted advertising, and not just occasional security breaches.
It is no surprise that Amazon will appeal the CNPD decision. The realpolitik of relations between the EU and the USA may still lead to an interpretation of GDPR that will allow Amazon to save some face and a lot of money. However, La Quadrature du Net’s reading of the relevant GDPR provisions is so straightforward that it will be difficult for even the wiliest lawyers to spin the rules without making it obvious that European politicians have lied about the extent to which GDPR protects individuals from unwanted processing of their personal data. A three-year-old GDPR complaint, which the complainant assumed had been completely ignored, may now prompt the end of all behavioral advertising within the European Union.