A European Union privacy regulator has proposed a fine of more than $425 million against
Amazon.com Inc.,
AMZN 1.40%
part of a process that could yield the biggest-yet penalty under the bloc’s privacy law, people familiar with the matter said.
Luxembourg’s data-protection commission, the CNPD, has circulated a draft decision sanctioning Amazon’s privacy practices and proposing the fine among the bloc’s 26 other national authorities, the people said. The CNPD is Amazon’s lead privacy regulator in the EU because Amazon has its EU headquarters in the Grand Duchy.
The Luxembourg case relates to alleged violations of Europe’s General Data Protection Regulation, or GDPR, linked to Amazon’s collection and use of personal data, and isn’t related to its cloud-computing business, Amazon Web Services, one of the people familiar with the matter said. The person declined to elaborate on the specific allegations against Amazon.
An Amazon spokesman declined to comment. The company has previously said the privacy of its customers is a priority and it complies with the law in all countries where it operates. A spokesman for the CNPD said the regulator wasn’t allowed to comment on individual cases.
Before the draft decision can become final, it must effectively be agreed by other EU privacy regulators, a process that could take months and lead to substantive changes, including a higher or lower fine.
The fine proposed by Luxembourg would represent roughly 2% of Amazon’s reported net income of $21.3 billion for 2020, and 0.1% of its $386 billion in sales. Under the GDPR, regulators can fine up to 4% of a company’s annual revenue.
Luxembourg’s regulator has received a handful of objections to its draft decision, including at least one saying the fine should be higher, another of the people familiar with the matter said. Luxembourg can either resolve objections amicably, or reject them and trigger a debate and vote among all EU privacy regulators at the European Data Protection Board.
The draft decision, along with the fine’s size, signal a new wave of privacy enforcement against big technology companies in Europe, when Silicon Valley giants are under increasing global scrutiny.
Ireland’s privacy regulator, which leads GDPR enforcement for
Facebook Inc.,
Alphabet Inc.’s
Google and
Apple Inc.
because their EU headquarters are in the country, has said it expects to make draft decisions in roughly half a dozen privacy cases involving big tech companies this year.
One Irish draft decision circulated to other regulators alleges GDPR violations related to Facebook’s data sharing between its social network and its chat app WhatsApp. That draft decision recommends a fine of roughly 30 million euros to €50 million, according to people familiar with the matter, equivalent to around $37 million to $61 million.
Representatives of Facebook didn’t immediately respond to requests for comment. When asked about the case in the past, a spokesman declined to comment.
The EU’s mounting privacy enforcement comes alongside increasing antitrust enforcement, with European and U.S. regulators launching multiple cases against big tech companies. Last week, the top competition enforcers in the U.K. and EU announced formal antitrust probes into Facebook’s dating service and its classified-ads service Marketplace.
A Facebook spokesman said last week that its Marketplace and dating services “operate in a highly competitive environment with many large incumbents. We will continue to cooperate fully with the investigations to demonstrate that they are without merit.”
When it comes to privacy, activists have complained that Europe’s pace of enforcement is too slow. Since the GDPR went into effect in 2018, the largest penalty under the law has been a €50 million fine against Google from France’s privacy regulator, according to law firm DLA Piper.
Ireland, which leads enforcement for the EU for many of the biggest U.S. tech companies, has come under particular fire from activists and politicians for not having issued more decisions. So far, the authority has issued a final decision in one big-tech case, fining Twitter €450,000 in December.
In response to criticism,
Helen Dixon,
who leads Ireland’s privacy regulator, said the tech cases are novel and the companies must be given their due-process rights to respond substantively to all allegations, or risk being tossed out later in court.
Write to Sam Schechner at sam.schechner@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8