Amazon has quietly been hit with a record-breaking €746 million fine for alleged GDPR violations regarding how it performs targeted behavioral advertising.
The fine was issued by Luxembourg’s Commission nationale pour la protection des données (CNPD), an independent public agency established to monitor the legality of the collection and use of personal information.
In an SEC Form 10-Q filed today, Amazon states that this massive fine came out of CNPD in July 2021, which fined them for improper processing of personal data.
On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation, reads an SEC 10-Q filing submitted by Amazon today.
The decision imposes a fine of €746 million and corresponding practice revisions. We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.
The decision comes from a complaint filed by La Quadrature du Net in 2018 against Amazon Europe Core SARL, Amazon EU SARL, Amazon Services Europe SARL and Amazon Media EU SARL, and Amazon Video Limited.
The complaint alleges that Amazon is analyzing users’ behavior to build profiles used for targeted advertising. This creation of these behavioral profiles is being done without a user’s consent and thus violates GDPR.
Amazon has told BleepingComputer that this fine is not related to a data breach or unauthorized access to customer data but rather how they perform advertising.
Amazon further states that they believe the decision is based on subjective and untested interpretations of the GDPR privacy law.