GDPR infringement: Luxembourg court confirms record fine for Amazon

Amazon must pay its record fine of 746 million euros for a data breach, says Luxembourg's administrative court.


Amazon.com has failed before Luxembourg's administrative court in its appeal against sanctions imposed by the national data protection authority CNPD (Commission nationale pour la protection des données). In 2021, the CNPD imposed a fine of 746 million euros on Amazon for violations of the General Data Protection Regulation (GDPR). That was a record at the time. The main issue was Amazon's advertising targeting; the CNPD found that the company had not obtained the necessary consent from users.

In October 2021, Amazon challenged this decision by the CNPD. At the time, a company spokesperson said: "There was no breach of personal data protection and no customer data was disclosed to third parties." The spokesperson also called the penalty disproportionate.

At the beginning of 2024, a hearing was held before the Luxembourg Administrative Court. In its ruling of March 18, the court fully confirmed the CNPD's original decision. This means that the fine imposed for violations of the GDPR remains in place and Amazon must implement the corrective measures ordered by the supervisory authority. The Luxembourg judges also found that Amazon had breached transparency and information obligations as well as data subject rights, including the right to access, rectify and erase processed data.

Amazon can appeal again, which would have a suspensive effect, the data protection authority explained. Amazon criticizes the ruling and believes that the CNPD's decision is based on "subjective" interpretations of data protection law, for which there had previously been no clear guidelines. The US company is considering further legal action. It could take the case all the way to the Luxembourg Supreme Court.

With this case, Amazon currently ranks second among the decisions issued to date with the highest individual GDPR fines. In 2023, the Irish Data Protection Commission (DPC) imposed the new record fine of 1.2 billion euros on Meta Platforms for processing data without a legal basis.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.