We first published this alert on 03 August 2021 and have updated it now that more information has come to light.
The Luxembourg National Commission for Data Protection (CNPD) has issued notice of its intention to fine tech and online retail giant Amazon €746 million relating to Amazon’s data processing practices, the highest fine to date for GDPR violations. Amazon has said that it disputes the findings and has now launched its appeal.
What do we know so far?
Information about the enforcement action has been limited so far. This fine came to light from a disclosure on 29 July 2021 that Amazon made to the US Securities and Exchange Commission (SEC) in accordance with listing rules. This is becoming an increasingly common way for the public to first hear about sizable data protection fines – for example, the ICO’s actions against BA and Marriott first became public through stock exchange filings. It seems that the CNPD had told Amazon of the fine on 16 July 2021.
The CNPD says that secrecy laws in Luxembourg mean that the CNPD cannot comment on individual cases or complaints. We are waiting to see if the CNPD will publish its findings – generally these remain anonymous, unless special powers are invoked.
We do not know from an official source which GDPR provisions Amazon has been found to have infringed, but the information we have on the case suggests that:
- The action came off the back of a complaint in 2018 from French privacy rights group La Quadrature du Net.
- Amazon has its EU headquarters in Luxembourg, making the CNPD its lead supervisory authority.
- The action relates to Amazon Europe Core S.à.r.l.’s targeted advertising practices. The original complaints raised concerns with Amazon’s compliance with its obligations related to security and user consent in this context.
- The findings seem to suggest that the case included an analysis of the lawful basis for processing and that Amazon’s arguments that it could process personal data by virtue of a contract with data subjects did not hold up in the CNPD’s eyes. The case seems to turn on an interpretation of GDPR Art. 6(1)(b).
- Amazon has focused in on the security aspect and denied that there has been any data leak or that personal data has been disclosed to third parties.
What is the relevant context for this fine?
This is much bigger than just a single “data breach”; it strikes at the heart of the system used by the big tech companies to target consumers with advertising. These types of advertising practices involve widespread sharing of high volumes of user data with numerous players across the ad tech ecosystem, and the main concerns raised by regulators and privacy groups have centred on:
- the inadequacy of technical and organisational controls, and
- the challenges associated with obtaining valid user consent.
There have been other investigations too in this space – see, for example, the UK Information Commissioner’s Office’s (ICO) investigation into real time bidding and ad tech (which has recently resumed after being put on hold to juggle other priorities during the COVID-19 pandemic). We’ve also written before on increased cookies enforcement, which is often linked – see for example here https://bit.ly/2noybcookie. The French DPA, CNIL, has already taken action against Amazon over its cookies compliance with a €35m fine last year – there are more details of this case here https://www.corderycompliance.com/cnil-cookies-investigation/.
Is it just a fine?
No. Our understanding at the moment is that there are prohibitions in addition to the fine. As we’ve said before, DPAs have wide powers under GDPR to impose additional sanctions, including prohibiting data processing. There’s more on these extensive powers in GDPR Art. 58. We have heard that the CNPD has also ordered Amazon to stop the offending processing within 6 months or face an additional fine of €736,000 per day for non-compliance.
Does Luxembourg have a track record for GDPR enforcement?
The simple answer is no. There had been no public GDPR enforcement in Luxembourg until June 2021. Since then the CNPD has announced 32 decisions including 10 where fines have been levied. There’s a full list of the CNPD’s decisions to date here https://cnpd.public.lu/en/decisions-sanctions.html.
Will there be similar cases?
Perhaps. As we’ve said, a number of DPAs are looking at ad tech and cookies. It is important to remember that La Quadrature du Net also filed complaints against Apple, Facebook, Google and LinkedIn. We can expect more pressure on the DPAs of those companies as a result. The pressure may be felt especially in Ireland, which seems to be the lead DPA for all of the remaining 4. We can expect some news from Ireland shortly about Facebook.
What happens next?
We understand that Amazon lodged its appeal on Friday.
Under Article 52 of the Luxembourg Law of 1st August 2018 establishing the CNPD and implementing GDPR, it is up to the CNPD to determine whether to publish the decision or not. It may only publish a decision or parts of it if all appeal processes have been exhausted and there is no disproportionate prejudice by publishing the decision. Publication of the decision in the near future therefore seems unlikely.
What are the likely timeframes?
The rules applicable to the judicial review are those governing the administrative procedure in Luxembourg. This means that the procedure is in writing and strict timelines apply. In essence, Amazon had 3 months to institute the procedure. The administration now has 3 months to respond. After that, Amazon has 1 month to reply to the administration’s pleadings and the administration has 1 month to respond to Amazon. Unless the judge asks for additional clarifications, the pleadings are then closed. In practical terms, it is a relatively quick procedure, although there is the possibility of a further appeal or possibly a reference to the ECJ for a ruling on a point of European law.
Can the appeal succeed?
Amazon has not yet published its grounds for appeal but as we’ve said before appeals often have a good chance of success under GDPR given the procedural requirements imposed on DPAs. There are rumours that the proposed fine was raised after other DPAs in the EU made representations through the EDPB consistency process. Those rumours suggest that the CNPD originally planned to impose a fine of €348.7 million. The EDPB process also resulted in an increased fine for Ireland in the WhatsApp case in September (see https://bit.ly/waireland). Both cases raise interesting potential appeal points – will a domestic appeal court uphold a fine imposed on a domestic regulator against its wishes?
This case also shows that fines are not the only enforcement action that the regulator can take – for example, injunctions can be ordered to compel an organisation to take action or to cease certain actions. If Amazon is forced to change its data practices, this is likely to be far more disruptive to its business than even a nine figure fine.
This is certainly one to watch, as it is likely to send ripples across the entire ad tech industry if the CNPD is able to make its ruling stick.
For more information
We are indebted to Ronnen Gaito & Gwendoline Bella of RJ Gaito in Luxembourg for their help in understanding the Luxembourg legal procedure for the appeal. You can reach them at www.rjgaito.com.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
Amazon’s SEC disclosure is here https://bit.ly/3rRqlD9
Some technical terms used in this note are defined at www.bit.ly/gdprwords
For more information please contact Katherine Eyres or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
30 Farringdon Street,
London EC4A 4HH
Office: +44 (0)207 075 1784 | Office: +44 (0)20 7075 1786