In its statement, the CNPD highlighted the professional secrecy obligations it is bound by under Luxembourg law, which preclude it from commenting on individual cases. Amazon’s regulatory filing only notes that the CNPD is “claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation” and that, as well as imposing a fine, the CNPD is seeking “corresponding practice revisions”.
However, a report by the Luxembourg Times cites a further Amazon statement reporting that the decision concerns “how we show customers relevant advertising”, while Bloomberg has reported that the case stems from a complaint raised in 2018 by French digital rights organisation La Quadrature du Net alleging that Amazon lacks the necessary lawful basis for presenting personalised ads to users.
In its filing, Amazon said it believes the CNPD’s decision “to be without merit” and that it plans to “defend ourselves vigorously in this matter”. According to the additional statement reported by the Luxembourg Times, the company believes the CNPD’s decision “relies on subjective and untested interpretations of European privacy law, and [that] the proposed fine is entirely out of proportion with even that interpretation”.
With its statement, the CNPD indirectly confirmed that the deadline for Amazon to lodge an appeal has not yet passed. It said it was unable to “publish any decision before the deadline for appeals has expired” as such disclosure would constitute a “supplementary sanction” under Luxembourg law.
Amsterdam-based Wouter Seinen of Pinsent Masons, the law firm behind Out-Law, said: “The unconfirmed reports of the origins of this decision highlight the increased risks businesses face from complaints raised by private individuals and interest groups. We have already seen a rise in data protection-related litigation in Europe and now this case of the CNPD’s in Luxembourg against Amazon shows their potential influence in driving enforcement action by data protection authorities. This case is unlikely to be the last of this kind.”
The proposed €746m fine would, if it is confirmed in a final decision of the CNPD, be the largest penalty imposed by a data protection authority since the GDPR came into effect in 2018. The current record fine is that of €50m issued by the Commission Nationale de l’Informatique et des Libertés (CNIL) in France in 2019 in a case involving Google. Larger penalties had been proposed by the UK’s Information Commissioner’s Office (ICO) in cases against British Airways and Marriott but these were revised down by the authority when it issued its final decisions in both cases last year.