Amazon hit with $886m fine for alleged data law breach

  • Published
Amazon packagesImage source, Getty Images

Amazon has been hit with an $886.6m (£636m) fine for allegedly breaking European Union data protection laws.

The fine was issued by Luxembourg's National Commission for Data Protection, which claimed the tech giant's processing of personal data did not comply with EU law.

Amazon said it believed the fine to be "without merit", adding that it would defend itself "vigorously".

A spokeswoman told the BBC there had been "no data breach".

The EU's General Data Protection Regulation (GDPR) rules requires companies to seek people's consent before using their personal data or face steep fines.

Luxembourg's data protection authority, also known as Commission Nationale pour la Protection des Données (CNPD), issued the fine to Amazon on 16 July, according to a US Securities and Exchange Commission (SEC) filing by the company on Friday.

In response, Amazon said: "We believe the CNPD's decision to be without merit and intend to defend ourselves vigorously in this matter."

The fine comes following rising regulatory scrutiny of large tech companies due to concerns over privacy and misinformation, as well as complaints from some businesses that the tech giants have abused their market power.

The Wall Street Journal reported in June that Amazon could be fined more than $425m under the European Union's privacy law.

Amazon is by no means the first large company to fall foul of the EU's General Data Protection Regulation (GDPR), but this fine is the largest there has been since the law came into effect in 2018 - and by a very significant margin.

The regulation introduced strict limits on the way in which sensitive data could be used, stored or processed.

While companies such as Google, British Airways, H&M and Marriot Hotels have all faced penalties from European governments for breaching the rules, those fines were in the tens, rather than the hundreds of millions.

We don't yet know exactly what Amazon did to attract such a severe penalty.

However, given that national authorities are meant to take account of the gravity, duration and character of the infringement when deciding on a penalty, it must be particularly serious.

What this shows is that legislation has teeth - and that even a country like Luxembourg, which has in other ways been very accommodating towards US multinationals, is willing to apply it forcefully.

But so far, Amazon is also being forceful. It says it believes the Luxembourg authority's decision to be without merit, and has promised to defend itself vigorously.

An Amazon spokeswoman said maintaining the "security of our customers' information and their trust" were "top priorities".

Image source, AFP
Image caption,
Amazon's offices in Clausen Valley, where several tech giants have their bases in Luxembourg

"There has been no data breach, and no customer data has been exposed to any third party," she added. "These facts are undisputed."

She stressed that the firm strongly disagrees with the CNPD's ruling and intends to appeal.

"The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation," she added.

US tech giants, including Amazon, have been accused of "monopoly power" in recent years, which has prompted calls for the powers those companies have to be "reined in".

Previously, the EU's concerns were believed to centre around the data that Amazon has access to and how it uses it, such as sensitive commercial information on third-party products like volume and price.

Meanwhile, in May, Amazon won a court battle over €250m (£215m) in taxes it had been ordered to pay Luxembourg.

The European Commission had ordered the tech giant to repay the funds as back taxes, alleging that Amazon had been given unfair special treatment, but a court overturned the order.