In a landmark case, Amazon has been fined $886m by Luxembourg’s National Commission for Data Protection (CNPD) for serious breaches of the General Data Protection Regulation (GDPR). Whilst the scale of the fine suggest that the GDPR is finally matching the promises of its inception, the circumstance of its reporting still leaves the consumer facing an uphill battle to hold illegal privacy practices to account.
An $886 Million Problem
The release of Amazon’s annual financial records at the end of July contained a surprise to many: a $886 million fine issued by Luxembourg’s National Commission for Data Protection (CNPD). Whilst certainly not the first high profile fine of the GDPR era, the size of the fine dwarfs all that have come before; Even the initial fine for the 2018 British Airways’ Data Breach (an estimated £184 million reduced to £20 million) comes nowhere close to that which has been issued to Amazon.
Although little is known of the exact cause of the fine, the CNPD have allegedly centred their case on accusations of illegal processing actions by Amazon following a complaint originally made by the French Civil Liberties group La Quadrature du Net in 2018. This complaint, filed on behalf of 10,000 EU citizens claimed that Amazon’s advertising services did not adhere to the ‘free consent’ required by the GDPR. Under the GDPR, consent must be freely given, explicit, and is subject to various extra legal obligations and responsibilities on the part of the data controller.
Unsurprisingly, Amazon have responded in aggressive fashion. In a statement to the BBC Amazon claimed that they believe the CNPD’s decision to be “without merit and intend to defend [them]selves vigorously in this matter”. The statement confirmed that there had been “no data breach” and maintained that the “security of [their] customers information and their trust” were top priorities for the company.
The Empire strikes back
So should this case be seen as a victory for the GDPR and the data subjects that it protects?
Firstly, it is likely that Amazon will be able to reduce the fine, or potentially reverse it on appeal. Indeed the GDPR’s track record on fine reductions suggests that the former is more than likely. The GDPR allows for multinational organizations, such as Amazon, to channel all complaints to a single national regulatory body in a process called the ‘one-stop-shop’ mechanism. Whilst this has been designed to simplify the complaints process, in actuality the mechanism elongates the decision making process as all European nations who are interested in the case are given a right to reply. According to analysis published by Access Now in May 2021, GDPR regulators in Germany and Ireland have both expressed their dissatisfaction with the process and fear that complaints have been lost during the process.
Moreover, the nature of its disclosure must be seen as the latest in a series of consumer awareness failings. Luxembourg maintains strict “professional secrecy” laws that prevent the Commission from publishing any details until an appeal process is completed. This means that, despite the obvious severity of the case and its effects upon the data subject, the consumer remains in the dark regarding their own exposure. Recent investigations into the data processed by ‘healthcare’ apps has similarly highlighted the opaqueness of many companies approaches to informing consumers on how their personal data is being processed and used.
The deliberate suppression of consumer awareness is thus a deeply worrying trend.
Despite these concerns, this case should still be viewed as evidence that the GDPR is beginning to discover the strength in its bite.
The fact that Luxembourg, traditionally a ‘tax-haven’ and with a history of accommodation towards US business, has driven this investigation and its subsequent findings is significant. Whilst the GDPR is a universal regulation across the EU member states and the UK, its implementation is dependent upon national regulatory authorities. One of the leading organizations, the Irish Data Protection Commission, has previously made rulings against Twitter, fining them €450,000 in December, and their WhatsApp ruling is currently pending. The CNPD’s activity is therefore a welcome expansion and exhibition of these shared responsibilities.
Whilst the size of the fine is perhaps the most headline-worthy element of this case, the nature of its issuing should also raise several eyebrows. Whereas the majority of GDPR-related fines have been reactive in nature (i.e a response to a recognised data breach), the CNPD’s actions and alleged reasoning suggested a proactivity to the implementation of the GDPR that the consumer should welcome.
This proactivity can also be seen in the work undertaken by the ‘None of Your Business’ (NYOB) organization. Founded by the Austrian privacy activist Max Schrems, NYOB has recently conducted an investigation into illegal cookie practices integrated into thousands of websites. As of August 10th 2021, the group has filed 422 formal GDPR complaints as a result of their investigation encouraging the rectification of multiple illegal cookie practices.
Amazon are certainly going to try to reduce the fine. Indeed, Amazon has indicated that it will begin the appeal process imminently. They have had recent success in the Luxembourg courts, winning a battle in May over €250m in unpaid taxes. The big tech companies have an impressive track record of limiting or mitigating the fines that they have been issued in the past.
The precedent that this ruling has set must be seen as a reassertion of intent on behalf of the European Commission. Whilst the GDPR has yet to fully realise it’s promises of holding illegal privacy activity to account, this recent flurry of activity suggests a renewed focus to its implementation.
For the consumers affected by these illegal activities, the proactivity of this ruling should be seen as a welcome trend towards greater data subject empowerment; albeit one tempered by the nature of its disclosure. As the regulatory efficacy improves, private industry will be forced to adapt and improve their protective activities. By targeting major internet service providers, such as Amazon and WhatsApp, the consumer must hope that these rulings effect top-down change.
This change will not come easily, nor be welcomed by the major tech companies – many of whom are actively fighting it. Yet despite the failures surrounding the disclosure of Amazon’s actual illegal activities, the size and scope of the fine levied at Amazon should be celebrated by those who support the cause for greater data subject privacy. It seems that the GDPR has finally discovered a bite to match its bark.