On 16 July 2021 the Luxembourg Data Protection Authority (Commission nationale pour la protection des données (CNPD)) issued a fine of EUR 746 million against Amazon Europe Core S.à.r.l. The fine is based on the claim that Amazon did not obtain valid consent for its personalised advertising and thereby violated the provisions of the GDPR (General Data Protection Regulation). Amazon has already announced that it will appeal the decision.
Background of the decision
The procedure against Amazon is based on a complaint that the French NGO La Quadrature du Net filed with the CNPD on behalf of 10,000 individuals. Following that, the CNPD issued the record GDPR fine.
The decision of the CNPD is based on the claim that the targeted advertising used by Amazon is not based on free consent of the data subjects, which constitutes a violation of the GDPR. Little is known yet about the reasoning behind the decision; the CNPD has justified this on grounds of professional secrecy. It points out that the publication of the decision would mean an additional penalty and therefore can only take place after the deadline for appeals has passed.
Amazon announced that it will appeal the decision, arguing that there “has been no data breach, and no customer data has been exposed to any third party.” La Quadrature du Net, however, points out that “it is the system of targeted advertising itself, and not merely occasional security breaches, that our legal action attacked.”
Other European data protection authorities, like the French data protection authority (Commission Nationale de l’Informatique et des Libertés (CNIL)), have also confirmed the fine. Moreover, referring to a letter from CNIL, La Quadrature du Net announced that Amazon will have to pay an additional fine of EUR 746,000 per day, unless it complies with data protection laws within 6 months.
Meaning of the decision
The fine by the CNPD is the highest GDPR fine that has ever been issued. Moreover, another record GDPR fine of EUR 225 million was issued by CNIL on 2 September 2021 against WhatsApp. Both fines show once again that GDPR non-compliance can have serious repercussions for companies. Data protection authorities can issue fines up to EUR 20 million, or up to 4 % of a company’s annual global turnover, whichever is higher. It seems that the data protection authorities are increasingly making use of the fine range the GDPR provides, thus enforcing GDPR rules more aggressively. As CNIL stated, the CNPD’s decision is “of an unprecedented scale and marks a turning point in the application of the GDPR and the protection of the rights of European nationals.”
The Amazon decision, in particular, underlines once again how important it is to obtain valid consent if data is to be processed on this basis.
How can consent be validly obtained?
For consent to be valid, you have to obtain it in compliance with the standard set out in Art. 4 (11) GDPR. Hence, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes […] by a statement or by a clear affirmative action”.
Therefore, you must obtain consent prior to the collection of any data. In doing so, you have to inform the data subject about what data is collected, for which purposes and how it is used. This information has to be clear and easy to understand. Moreover, for consent to be considered freely given, the data subject must have a genuine choice to refuse consent without suffering any disadvantages. Finally, you have to provide the possibility for data subjects to withdraw consent at any time and in a way that is as simple as the declaration of consent.