Amazon fined record £636 million for GDPR breaches


Posted on 05 Aug 2021

In June 2021, we reported that Amazon was facing a possible fine of around £300 million for alleged GDPR breaches. This followed a draft decision issued by Luxembourg’s National Commission for Data Protection (the CNPD). The proposed fine was significantly higher than any previous fine issued by EU authorities for data protection breaches but needed to be agreed between the EU authorities.

However, after consultations with the other data protection authorities within the EU 27, the CNPD has more than doubled the fine to £636 million. The CNPD has not officially announced the fine, which Amazon revealed in its regulatory filing on Friday 30 July 2021.

The CNPD has not published details of the alleged breaches but reports at the time of the draft decision suggest that they concern Amazon's privacy practices and the way that personal data is collected and used for marketing purposes. Amazon strongly denies any wrongdoing. It says that the fine is “without merit” and that “there has been no data breach, and no customer data has been exposed to any third party”. It also says it intends to appeal the decision.

The CNPD has not commented since issuing the fine. 

Comment 

The decision to increase the fine after proposing a lower figure in the draft decision demonstrates the growing confidence of Data Protection Authorities in exercising the powers given to them by the GDPR. Under the GDPR, they can issue a fine of up to €20 million or 4% of a company’s total worldwide annual turnover for the preceding financial year (whichever is higher). When deciding whether to impose a fine, and how much, Data Protection Authorities must take into account factors including the nature, gravity and duration of the infringement. It remains to be seen what prompted the higher figure in this case, but it is possible that reported calls for a larger fine from some of the other EU privacy regulators played a part.

Although this is not the end of the matter, with Amazon’s appeal still to be heard, it does highlight the potential penalties that await companies that do not comply with their GDPR responsibilities.

In the UK, the ICO significantly reduced proposed fines against both British Airways and Marriott from the figures set out in the original notices of intent to fine. In the case of British Airways, the fine went down from a proposed £183.39 million to £20 million. In the case of Marriott, it went down from £99.2 million to £18.4 million. In both cases, the ICO took into account the economic impact of Covid-19 on the travel and hospitality industries when finalising the penalty. Of course, Covid-19 would not have been a relevant factor for Amazon, as its business has thrived during the pandemic.

Key Contacts

Mike Hibberd

Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.

  • Legal Director
  • T: +44 (0)118 951 6765


Piers Leigh-Pollitt

Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).

  • Partner & Compliance Officer for Legal Practice
  • T: +44 (0)118 951 6761


The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.
