Luxembourg court overturns $858 million privacy fine against Amazon

A Luxembourg court reversed a €746 million ($858 million) fine the country’s data protection regulator imposed on Amazon in 2021, referring the case back to the National Commission for Data Protection (CNPD).

While the court entirely vacated the 2021 judgement — the second largest imposed since the EU General Data Protection Regulation (GDPR) took effect in 2018 — it did not say that the regulator’s findings on the substance of Amazon’s data breaches were illegitimate.

The court said it overturned the fine on Thursday because the CNPD failed to determine whether Amazon intentionally violated the GDPR and because it did not do enough to consider whether the fine was too high and whether other measures could have been taken.

The CNPD probe of Amazon was launched in 2018 after a French privacy advocacy organization complained about how the tech giant was obtaining consent for targeted ads. Amazon told consumers what data it collected and how it was processed, the privacy advocate reportedly said, but did not explicitly obtain consent for the processing.

Amazon is regulated primarily by the CNPD because its European operations are headquartered in Luxembourg. 

The CNPD has acknowledged that Amazon has fixed the data privacy violations it was accused of. The regulator said in a press release that “the main regulatory action it had taken has borne fruit.”

“Indeed, the Administrative Court has endorsed the CNPD’s approach almost in its entirety and, in particular, confirmed that Amazon’s reliance on legitimate interests as the legal basis for the processing operations in question was not justified,” the statement said. “The Administrative Court also upheld the CNPD’s analysis that, at the time of its decision, the information procedures did not comply with the relevant provisions of the GDPR.”

The Administrative Court vacated the fine based on a change in the European Union’s Court of Justice laws that was made after the CNPD’s decision. That change in the law involves a requirement that regulators analyze how they impose financial penalties.

“The CNPD notes that its action has led to Amazon’s practices being brought into full compliance with the relevant provisions of the case regarding online behavioural advertising,” the press release said. 

The regulator left open the possibility that after a review it will issue a new fine, saying that it will “continue to handle the case in a way to ensure the efficient application of the GDPR.”

Amazon said in a statement that it is pleased with the decision.

“In 2018, when an ambiguous new privacy law came into force in the EU without clear guidance on how to show customers relevant advertising, we worked in good faith to give customers control over whether they see personalised advertising based on their interests,” the statement said. 

“We strongly disagreed with the initial ruling and disproportionate fine that had originally been issued in this case, which is why we appealed.”

Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.