La Quadrature du Net, whose complaint led to the Luxembourg fine, called the penalty a “first step,” but said that “we need to remain vigilant” in the face of Amazon’s ongoing violations.

By Brett Wilkins, staff writer for Common Dreams. Published 7-30-2021

Amazon/AWS offices in Luxembourg. Photo: -wuppertaler, CC BY-SA 4.0 via Wikimedia Commons

Digital rights advocates on Friday applauded a €746 million fine levied against Amazon by a Luxembourg regulator for the tech giant’s violation of European Union data privacy laws.

The record penalty—which converts to about U.S. $886 million—was imposed on July 16 by CNPD, Luxembourg’s data protection agency, and disclosed in an Amazon regulatory filing (pdf) on Friday, according to Bloomberg.

CNPD said Amazon violated the E.U.’s General Data Protection Regulation (GDPR), which requires companies to seek users’ consent prior to using their personal data.

👏🏼👏🏾👏🏻 Congrats to @edri member @laquadrature who rallied 10K people in a collective plaintiff against Amazon for GDPR violations, resulting in a record breaking fine of 746 million. https://t.co/lmqGskVVVw

— EDRi (@edri) July 30, 2021

The fine—while small for a company whose revenue topped $386 billion last year—shatters the previous GDPR violation record of €50 million ($59.2 million) imposed by France’s CNIL against Google in 2019. Responding to criticism about the relatively modest fines levied against companies like Amazon, CNPD Commissioner Marc Lemmer told Politico earlier this year that “the aim is not to have big sanctions—the aim is to have a change in culture.”

The French digital rights group La Quadrature du Net (“Squaring the Net”)—which filed a 2018 complaint against Amazon that led to the fine—and other advocacy organizations welcomed the CNPD sanction.

“It’s a first step to see a fine that’s dissuasive, but we need to remain vigilant and see if the decision also includes an injunction to correct the infringing behavior,” La Quadrature du Net attorney Bastien Le Querrec told Bloomberg.

What can you expect from #Amazon and #AWS that provide services to most intelligence agencies including the #CIA and #NSO https://t.co/ElpC8nIioq

— EthicsInTech (@EthicsInTech) July 30, 2021

La Quadrature du Net said that “this ‘party is over’ sanction puts in even starker contrast the blatant abdication of the Irish Data Protection Agency who, in three years, was not able to close a single one of the four other actions we lodged against Facebook, Apple, Microsoft, and Google.”

The group added that the fine “is also a cold shower for the French CNIL,” which it called “but a shadow of its former self.”

“Our collective actions were initially lodged before [CNIL], and would have given it a perfect opportunity to take the reins of enforcing the GDPR against the systemic violations of personal data and privacy, which lie at the heart of the business model of the web giants,” La Quadrature du Net added.

Amazon—whose European headquarters are located in Luxembourg—responded to the fine by saying it believes the CNPD decision is “without merit” and that it would defend itself “vigorously in this matter.”

Over 3yrs in the making and largest GDPR fine to date — @Amazon is fined $888M (2% of $21.3B 2020 net income) for “the way it collects personal data and uses it for marketing purposes” #privacy

Well done @CNPD_net_do & @laquadrature!

Almost one beeeellllion dollars! https://t.co/rcN3fC7bgo pic.twitter.com/VSC1mxq9mR

— ashkan soltani (@ashk4n) July 30, 2021

.@Amazon confirms €746 CNPD fine in latest SEC 10-Q filing and claims they “intend to defend ourselves vigorously”

(Alternatively they *could* just fly ~32 members of CNPD to space on @blueorigin for the same amount: $888M/$28M = 32)https://t.co/izhFNpQjO3 (ht @privasense) pic.twitter.com/vZcBG1wZHz

— ashkan soltani (@ashk4n) July 30, 2021