We first published this alert on 03 August 2021 and have updated it now that more information has come to light.
The Luxembourg National Commission for Data Protection (CNPD) has issued notice of its intention to fine tech and online retail giant Amazon €746 million relating to Amazon’s data processing practices, the highest fine to date for GDPR violations. Amazon has said that it disputes the findings and intends to appeal.
What do we know so far?
Information about the enforcement action has been limited so far. This fine came to light from a disclosure on 29 July 2021 that Amazon made to the US Securities and Exchange Commission (SEC) in accordance with listing rules. This is becoming an increasingly common way for the public to first hear about sizable data protection fines – for example the ICO’s actions against BA and Marriott first became public through stock exchange filings. It seems that the CNPD had told Amazon of the fine on 16 July 2021.
The CNPD says that local secrecy laws mean that the CNPD cannot comment on individual cases or complaints. We are waiting to see if the CNPD will publish its findings – generally these remain anonymous, unless special powers are invoked.
We do not know from an official source which GDPR provisions Amazon has been found to have infringed, but the information we have on the case suggests that:
- The action came off the back of a complaint in 2018 from French privacy rights group La Quadrature du Net.
- Amazon has its EU headquarters in Luxembourg, making the CNPD its lead supervisory authority.
- The action relates to Amazon Europe Core S.à.r.l.’s targeted advertising practices. The original complaints raised concerns with Amazon’s compliance with its obligations related to security and user consent in this context.
- The findings seem to suggest that the case included an analysis of the lawful basis for processing and that Amazon’s arguments that it could process personal data by virtue of a contract with data subjects did not hold up in the CNPD’s eyes. The case seems to turn on an interpretation of GDPR Art. 6(1)(b).
- Amazon has focused in on the security aspect and denied that there has been any data leak or that personal data has been disclosed to third parties.
What is the relevant context for this fine?
This is much bigger than just a single “data breach”; it strikes at the heart of the system used by the big tech companies to target consumers with advertising. These types of advertising practices involve widespread sharing of high volumes of user data with numerous players across the ad tech ecosystem, and the main concerns raised by regulators and privacy groups have centred on:
- the inadequacy of technical and organisational controls, and
- the challenges associated with obtaining valid user consent.
There have been other investigations too in this space – see, for example, the UK Information Commissioner’s Office (ICO) investigation into real time bidding and ad tech (which has recently resumed after being put on hold to juggle other priorities during the COVID-19 pandemic). We’ve also written before on increased cookies enforcement which is often linked – see for example here https://bit.ly/2noybcookie. The French DPA, CNIL, has already taken action against Amazon over its cookies compliance with a €35m fine last year – there are more details of this case here https://www.corderycompliance.com/cnil-cookies-investigation/.
Is it just a fine?
No. Our understanding at the moment is that there are prohibitions in addition to the fine. As we’ve said before, DPAs have wide powers under GDPR to impose additional sanctions including prohibiting data processing. There’s more on these extensive powers in GDPR Art. 58. We have heard that CNPD have also ordered Amazon to stop the offending processing within 6 months or face an additional fine of €736,000 per day for non-compliance.
Does Luxembourg have a track record for GDPR enforcement?
The simple answer is no. There had been no public GDPR enforcement in Luxembourg until June 2021. Since then the CNPD has announced 26 decisions including 6 where fines have been levied. There’s a full list of the CNPD’s decisions to date here https://cnpd.public.lu/en/decisions-sanctions.html.
Will there be similar cases?
Perhaps. As we’ve said, a number of DPAs are looking at ad tech and cookies. It is important to remember that La Quadrature du Net also filed complaints against Apple, Facebook, Google and LinkedIn. We can expect more pressure on the DPAs of those companies as a result. The pressure may be felt especially in Ireland, which seems to be the lead DPA for all of the remaining 4. We can expect some news from Ireland shortly after the EDPB published its decision relating to an unconnected investigation into Facebook subsidiary WhatsApp last week.
What happens next?
Under Article 52 of the Luxembourg Law of 1st August 2018 establishing the CNPD and implementing GDPR, it is up to the CNPD to determine whether to publish the decision or not. It may only publish a decision or parts of it if all appeal processes have been exhausted and there is no disproportionate prejudice by publishing the decision. Publication of the decision in the near future therefore seems unlikely.
Amazon’s appeal will most likely be in the form of a judicial review of the CNPD’s decision by the Administrative Court. In this context, the word review signifies “recours en reformation”, i.e. a procedure for reviewing the administrative act, as opposed to another form of action in Luxembourg administrative law known as “recours en annulation”, i.e. proceedings requesting the annulment of the administrative decision.
In effect, Article 55 of the Law provides that an appeal against the decisions of the CNPD is open for judicial review in the Administrative Court where the judge rules on the merits (juge du fond). This would mean that the judge will look at all the facts from the outset of the case. We believe that given that the judge has the right to adjudicate on the merits, the court also has the power to review the measure of damages.
What are the likely timeframes?
The rules applicable to the judicial review are those governing the administrative procedure. This means that the procedure is in writing and strict timelines are applicable. In essence, Amazon has 3 months to institute the procedure, the administration has 3 months to respond, Amazon has 1 month to respond to the administration’s pleadings and the administration has 1 month to respond to Amazon. Unless the judge asks for additional clarifications, the pleadings are then closed. In practical terms, it is a relatively quick procedure, although there is the possibility of a further appeal or possibly a reference to the ECJ for a ruling on a point of European law.
Can the appeal succeed?
As we’ve said before, appeals often have a good chance of success under GDPR given the procedural requirements imposed on DPAs.
Fines are also not the only enforcement action that the regulator can take – for example, injunctions can be ordered to compel an organisation to take action or to cease certain actions. If Amazon is forced to change its data practices, this is likely to be way more disruptive to business than even a nine-figure fine.
This is certainly one to watch, as it is likely to send ripples across the entire ad tech industry if the CNPD is able to make its ruling stick.
For more information
We are indebted to Gwendoline Bella of RJ Gaito in Luxembourg for her help in understanding the Luxembourg legal procedure for the appeal. You can reach her at www.rjgaito.com.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
Amazon’s SEC disclosure is here https://bit.ly/3rRqlD9
The EDPB decision regarding WhatsApp is here https://edpb.europa.eu/news/news/2021/edpb-adopts-art-65-decision-regarding-whatsapp-ireland_en
Some technical terms are used in this note which are defined at www.bit.ly/gdprwords
For more information please contact Katherine Eyres or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
30 Farringdon Street,
London EC4A 4HH
|Office: +44 (0)207 075 1784||Office: +44 (0)20 7075 1786|
Image copyright Grand Duchy of Luxembourg