On 16 July 2021, the Luxembourg data protection authority imposed a fine of 746 million euros on Amazon Europe Core.
This decision stems from a collective complaint filed with French Data Protection Authority (“the CNIL”) by the non-profit organisation, La Quadrature du Net (LQDN).
However, under the one-stop-shop mechanism provided for by the GDPR, the Luxembourg authority was competent to deal with this case, as Amazon Europe Core is established on its territory.
The decision has not been published because Luxembourg law provides that the decision can only be published after all avenues of appeal have been exhausted. Further details will be provided as soon as the decision is published, but if Amazon appeals the decision, this may not happen before long…
Several media outlets have, however, reported that the decision may be related to the data processing operations for profiling purposes carried out without the valid consent of the individuals concerned and that Amazon is about to appeal the decision.
Although this is not the first sanction against Amazon, which the CNIL had fined €35 million regarding the use of cookies, the amount of €746 million is, as the CNIL pointed out in its press release, of unprecedented magnitude and marks, according to the latter, a turning point in the application of the GDPR.
However, given the current political and economical situation, it is difficult to know whether this is a new trend or an isolated decision.
Indeed, it seems to wait for similar sanctions to be imposed on European companies breaching the GDPR and processing an equivalent volume of data before drawing such a conclusion.
If you have any questions, please do not hesitate to contact Arnaud Blanc, French lawyer and data protection expert.
This post is also available in fr_FR.