The Tiny Nation of Luxembourg Slaps Amazon with the Biggest GDPR Fine Yet: Nearly $900 Million

Posted on Aug 12, 2021 by Glyn Moody

As Privacy News Online has noted, one name that crops up frequently in the context of the EU’s General Data Privacy Regulation (GDPR) is the privacy expert and activist Max Schrems. But he is by no means the only player in this sphere. The French digital rights group La Quadrature du Net (LQDN) has also been doing important work here. Three years ago, this blog reported on privacy complaints that LQDN sent to the French data protection agency CNIL, shortly after the GDPR came into force. LQDN adopted an unusual approach. It invited Internet users living in France to join 12 group actions against what it terms “GAFAM” – Google, Apple, Facebook, Amazon and Microsoft. Here’s the central argument LQDN made:

With this European regulation (which we staunchly supported three years ago), we finally have a chance to break down the horrible injustice upon which the world of GAFAM is built: the “consent” we’ve been giving them, allowing them to monitor and influence us, is worth nothing. We cannot use their websites and apps without letting them grossly use or abuse it however they want.

However, European law is now crystal clear: monetized, sold-off consent has no value, and is no longer enough to make their mass surveillance legal. Zuckerberg and his friends can no longer use this worthless agreement as their alibi to claim we’re responsible for the loss of our privacy, or for the destruction of our social bonds.

Our class actions will be based on this sole legal argument, the falsehood of consent, because it targets the heart of the hyper-centralized (for them) and individualised (for us) world they hope to force on us.

In six weeks, more than 12,000 people signed up to the joint legal actions, which were submitted on 28 May 2018 against Facebook, Google (separate actions for Gmail, YouTube, and Google Search), Apple, Amazon and LinkedIn (hyperlinks to the full legal documents can be found at the bottom of this LQDN post). As LQDN explained, because of the way that the GDPR works, the French data protection authority CNIL would pass on the joint complaints to the relevant authorities. LQDN expected most of them would go to the Irish Data Protection Commission, while the one against Amazon would end up with the authorities in Luxembourg, which is where the company has its European headquarters. In fact, CNIL itself directly imposed a fine of 50 million euros (about $57 million) on Google in January 2019, as this blog reported. At the time, this was the highest penalty imposed under the still-new GDPR, but LQDN wrote that it hoped this was just the start of a series of even larger fines:

the CNIL explains the low amount of its sanction, considering Google’s nearly 110 billion US dollars revenue, by the fact it limited the scope of its examination to “the data processing covered by the privacy policy presented to a user when creating their account on their Android mobile phone” (our translation). We therefore expect the CNIL to quickly answer the rest of our complaint, which concerns Youtube, Gmail and Google Search, by issuing a fine commensurate with this company and the extent and the duration of the violation of our rights (the maximum amount possible is 4 billion euros – 4% of global revenue –, which we hope for).

LQDN was to be disappointed. After the promising start against Google, nothing more was heard from CNIL or any other EU data protection authority – until now, as LQDN explains:

On July 16 2021, the Luxembourg Data Protection Agency finally rendered its opinion on the collective legal action we and 10 000 more people took in May 2018 against Amazon. This decision breaks a three-year silence which had started to make us expect the worst.

The decision, revealed by Bloomberg, suffers from no ambiguity: the targeted ad system that Amazon forces onto us is not based on free consent, which is a violation of the GDPR. As such, the corporation is fined to the tune of 746 million euros [around $885 million]. This is a new European record for breaching GDPR rules (the previous high-mark was the 50 million euros fine the CNIL, the French DPA, levied against Google, again as a result of our collective legal action).

In comments to various press outlets, Amazon emphasized that there had been “no data breach”. But as LQDN rightly points out, its action against Amazon was over its use of targeted advertising, not over any claimed security breach. LQDN wrote: “This historic fine hits straight to the heart of Big Tech’s predatory system, and should be celebrated as such.” LQDN also noted that the massive fine imposed by the data protection authority of Luxembourg contrasted with the “blatant abdication of the Irish Data Protection Agency who, in three years, was not able to close a single one of the four other actions we lodged against Facebook, Apple, Microsoft and Google”, something this blog has commented on several times before. It also criticized the lack of further action by the French CNIL after the initial 50 million euro fine against Google back in 2019.

The Luxembourg fine dwarfs anything that has been imposed before. Amazon said in a financial filing that it intended to defend itself vigorously, as you’d expect. But with nearly a billion dollars in play, the difference between winning and losing has suddenly become rather more serious. The potential global impact of the GDPR has just been taken up a notch, and in a rather unexpected way.

Featured image by djedj.