Amazon has quietly been hit with a record-breaking €746 million fine for alleged GDPR violations regarding how it performs targeted behavioral advertising.
The fine was issued by Luxembourg’s Commission nationale pour la protection des données (CNPD), an independent public agency established to monitor the legality of the collection and use of personal information.
In an SEC Form 10-Q filed today, Amazon states that this massive fine came out of CNPD in July 2021, which fined them for improper processing of personal data.
“On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation,” reads an SEC 10-Q filing submitted by Amazon today.
“The decision imposes a fine of €746 million and corresponding practice revisions. We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”
The decision comes from a complaint filed by La Quadrature du Net in 2018 against Amazon Europe Core SARL, Amazon EU SARL, Amazon Services Europe SARL and Amazon Media EU SARL, and Amazon Video Limited.
The complaint alleges that Amazon is analyzing users’ behavior to build profiles used for targeted advertising. This creation of these behavioral profiles is being done without a user’s consent and thus violates GDPR.
Amazon has told BleepingComputer that this fine is not related to a data breach or unauthorized access to customer data but rather how they perform advertising.
Amazon further states that they believe the decision is based on subjective and untested interpretations of the GDPR privacy law.
“We strongly disagree with the CNPD’s ruling, and we intend to appeal,” Amazon said in a statement to BleepingComputer.
“The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
This fine is the largest ever issued by the European Union for GDPR violations. Before this decision, the largest fine was €50 million ($56.6 million at the time) against Google for not correctly receiving consent when processing user’s data when creating a Google account or performing advertising.