Connect with us

Hi, what are you looking for?


Amazon Faces Possible $425 Million EU Privacy Fine

Amazon Faces Possible 5 Million EU Privacy Fine

A European Union privacy regulator has proposed a fine of more than $425 million against Inc.,

AMZN 1.29%

part of a process that could yield the biggest-yet penalty under the bloc’s privacy law, people familiar with the matter said.

Luxembourg’s data-protection commission, the CNPD, has circulated a draft decision sanctioning Amazon’s privacy practices and proposing the fine among the bloc’s 26 other national authorities, the people said. The CNPD is Amazon’s lead privacy regulator in the EU because Amazon has its EU headquarters in the Grand Duchy.

The Luxembourg case relates to alleged violations of Europe’s General Data Protection Regulation, or GDPR, linked to Amazon’s collection and use of personal data, and isn’t related to its cloud-computing business, Amazon Web Services, one of the people familiar with the matter said. The person declined to elaborate on the specific allegations against Amazon.

An Amazon spokesman declined to comment. The company has previously said the privacy of its customers is a priority and it complies with the law in all countries where it operates. A spokesman for the CNPD said the regulator wasn’t allowed to comment on individual cases.

Before the draft decision can become final, it must effectively be agreed by other EU privacy regulators, a process that could take months and lead to substantive changes, including a higher or lower fine.

The fine proposed by Luxembourg would represent roughly 2% of Amazon’s reported net income of $21.3 billion for 2020, and 0.1% of its $386 billion in sales. Under the GDPR, regulators can fine up to 4% of a company’s annual revenue.

Luxembourg’s regulator has received a handful of objections to its draft decision, including at least one saying the fine should be higher, another of the people familiar with the matter said. Luxembourg can either resolve objections amicably, or reject them and trigger a debate and vote among all EU privacy regulators at the European Data Protection Board.

The EU’s new data-privacy law, known as GDPR, has created the first ever Bill of Rights for consumer privacy. Here’s what you need to know. (Originally published Aug. 8, 2018)

The draft decision, along with the fine’s size, signal a new wave of privacy enforcement against big technology companies in Europe, when Silicon Valley giants are under increasing global scrutiny.

Ireland’s privacy regulator, which leads GDPR enforcement for

Facebook Inc.,

Alphabet Inc.’s

Google and

Apple Inc.

because their EU headquarters are in the country, has said it expects to make draft decisions in roughly half a dozen privacy cases involving big tech companies this year.

One Irish draft decision circulated to other regulators alleges GDPR violations related to Facebook’s data sharing between its social network and its chat app WhatsApp. That draft decision recommends a fine of roughly 30 million euros to €50 million, according to people familiar with the matter, equivalent to around $37 million to $61 million.

Representatives of Facebook didn’t immediately respond to requests for comment. When asked about the case in the past, a spokesman declined to comment.

The EU’s mounting privacy enforcement comes alongside increasing antitrust enforcement, with European and U.S. regulators launching multiple cases against big tech companies. Last week, the top competition enforcers in the U.K. and EU announced formal antitrust probes into Facebook’s dating service and its classified-ads service Marketplace.

A Facebook spokesman said last week that its Marketplace and dating services “operate in a highly competitive environment with many large incumbents. We will continue to cooperate fully with the investigations to demonstrate that they are without merit.”

When it comes to privacy, activists have complained that Europe’s pace of enforcement is too slow. Since the GDPR went into effect in 2018, the largest penalty under the law has been a €50 million fine against Google from France’s privacy regulator, according to law firm DLA Piper.

Ireland, which leads enforcement for the EU for many of the biggest U.S. tech companies, has come under particular fire from activists and politicians for not having issued more decisions. So far, the authority has issued a final decision in one big-tech case, fining Twitter €450,000 in December.

In response to criticism,

Helen Dixon,

who leads Ireland’s privacy regulator, said the tech cases are novel and the companies must be given their due-process rights to respond substantively to all allegations, or risk being tossed out later in court.

Write to Sam Schechner at

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

You May Also Like


A member of Pakistan’s parliament, Sania Ashiq Jabeen was born in Lahore and raised there. She studied at the National College for Drug Administration...


France, which has opened its borders to Canadian tourists, is eager to see Canada reopen to the French. The Canadian border remains closed...


The Liberals remain poised to regain a majority government in the next federal election, a new poll suggests, while support for the Conservatives...


Kashechewan First Nation in northern Ontario is experiencing a “deepening state of emergency” as a result of surging COVID-19 cases in the community...