Amazon.com Inc. faces the biggest ever European Union privacy fine after its lead privacy watchdog hit it with a 746 million-euro ($888 million) penalty for violating the bloc’s tough data protection rules.
CNPD, the Luxembourg data protection authority, slapped Amazon with the record fine in a July 16 decision that accused the online retailer of processing personal data in violation of the EU’s General Data Protection Regulation, or GDPR. Amazon disclosed the findings in a regulatory filing on Friday, saying the decision is “without merit.”
“There has been no data breach, and no customer data has been exposed to any third party,” Amazon announced in a statement, adding that it plans to appeal. “These facts are undisputed. We strongly disagree with the CNPD’s ruling.”
The decision concludes a probe started by a 2018 complaint from French privacy rights group La Quadrature du Net. It cautiously welcomed the decision.
“It’s a first step to see a fine that’s dissuasive, but we need to remain vigilant and see if the decision also includes an injunction to correct the infringing behavior,” said Bastien Le Querrec, a member of La Quadrature’s litigation team, adding the group hadn’t received the decision.
EU data protection regulators’ powers have increased significantly since the bloc’s GDPR rules took effect in May 2018. It allows watchdogs for the first time to levy fines of as much as 4% of a company’s annual global sales. The biggest fine to date was a 50 million-euro penalty for Google issued by France’s CNIL.
CNPD didn’t immediately respond to an email seeking comment. Local laws bind the Luxembourg authority to professional secrecy and prevent it from commenting on individual cases, or confirming receipt of a complaint. Amazon has its EU base in Luxembourg, which puts the local regulator in charge of monitoring its data protection law compliance.