Amazon faces £635 million fine for GDPR violations
Friday, July 30, 2021
CNPD, the Luxembourg data regulator, handed Amazon the fine on the 16th July for violating the General Data Protection Regulation. The company released the details on Friday 30th July, saying in a statement, 'There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD's ruling.'
Ilia Kolochenko, a member of Europol Data Protection Experts Network and founder of ImmuniWeb, commented: "Contrasted to the common misconception, Article 83 of GDPR is very specific about its penalties: security-related incidents are fined by up to two per cent of the annual turnover, while violations such as lack of consent or unlawful data processing are punished more severely by a fine going up to four per cent. Thus, Amazon's statement that no data breach has occurred is probably not very relevant to the case."
Amazon, which has its EU headquarters in Luxembourg, plans to appeal the ruling, which Kolochenko said is likely to at least partly succeed: "In view of the recent GDPR-related litigation in the EU and available jurisprudence, the fine...indeed seems to be excessive and will likely be significantly reduced on appeal. Amazon will undoubtedly endeavour to win the case in court on appeal."
Full details about the case are not available, though we do know that the fine stemmed from a 2018 complaint from French privacy rights group La Quadrature du Net (LQN).
LQN has long fought against the commodification of people's personal data. In 2018, in concert with the launch of GDPR, it launched a series of complaints with the French data regulator, CNIL, against Google, Apple, Facebook, Amazon and Microsoft. CNIL handled the Google case, while handing others to its counterparts in Ireland and Luxembourg. It is likely that this complaint is the source of the Amazon fine.
Such a large penalty may have political and trade ramifications, Kolochenko said: "The outcome of this case will likely be influenced by politics, as such punitive actions by the EU may strongly discourage American companies doing business in Europe. Furthermore, it may motivate US states, that are now rapidly implementing state privacy laws, to retaliate by imposing mirrored penalties upon European companies. The long-awaited federal privacy law in the US should hopefully harmonise data protection regimes and finally bring a peace of mind both to consumers and businesses on the two sides of the pond."