The Luxembourg data protection authority, the CNPD, has fined Amazon a massive $888 million for violating GDPR regulations, reports Bloomberg.
Amazon is based in Luxembourg in the EU and the regulator has the power to fine Amazon for up to 4% of its global revenue.
The fine is based on a 2018 complaint by French privacy rights group La Quadrature du Net who accused Amazon of processing the data of EU citizens without their consent.
Amazon is criticized for announcing that it is carrying out certain processing operations personal data concerning the persons in whose name the this complaint is lodged (2.2) without, however, basing this processing on one of the legal bases required by law (2.1), rendering therefore these illicit (2.3).
The news was not announced by CNPD but was confirmed by Amazon who disclosed it in a regulatory filing today, saying it was “without merit.”
“We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
The original complainant is not running a victory lap either yet.
“It’s a first step to see a fine that’s dissuasive, but we need to remain vigilant and see if the decision also includes an injunction to correct the infringing behaviour,” said Bastien Le Querrec, a member of La Quadrature’s litigation team, adding the group hadn’t received the decision yet.