Amazon fined $887 million over EU privacy violations

Luxembourg’s data privacy regulator hit tech giant Amazon with a €746 million fine ($887 million) over claims that the company's processing of personal data did not comply with the European Union's General Data Protection Regulation. It is by far the largest-ever fine issued under the GDPR.

Amazon disclosed the details about the Luxembourg National Commission for Data Protection's (CNDP) decision in a filing to the U.S. Securities and Exchange Commission on Friday. The decision was made on July 16, and comes with "corresponding practice revisions" in addition to the hefty monetary penalty, according to the filing.

An Amazon spokesperson said the decision is without merit and plans to appeal:

“Maintaining the security of our customers’ information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” the spokesperson said.

Although CNDP maintains a public list of its decisions, it has not revealed any details about the Amazon case. The regulator did not immediately respond to a request for comment.

The GDPR, which became enforceable in 2018, limits how companies collect and share customers' personal data. Data protection regulators have broad authority to impose fines of up to 4% of a company's global annual revenue—potentially billions of dollars for large firms like Amazon.

However, over the last three years most GDPR enforcement actions have come with modest penalties. The largest fine up until now was against Google, which was handed a €50 million fine in 2019 from France's National Data Protection Commission (CNIL).