Amazon, GDPR Fines, New Enforcement Decisions
When the European Union enacted the General Data Protection Regulation or GPDR in 2016, they completely changed the ways in which international businesses and corporations conducted operations within the boundaries of Europe. As many companies, particularly major technology and social media giants such as Twitter and Meta, function in accordance with the collection and processing of the personal data of millions of different individuals, the GDPR effectively outlawed many data collection practices and techniques that are currently legal in other countries around the world. Moreover, as companies that operate within the EU must also comply with provisions that have been implemented by individual member states, maintaining compliance with all applicable legislation has proven challenging for many businesses.
To this point, multinational technology company Amazon was fined 746 million-euro ($888 million) by Luxembourg’s data authority, the Commission Nationale pour la Protection des Données or CNPD, in response to various alleged violations in July of 2021. The fine represents the largest monetary penalty that has been imposed against a business under the provisions of the GDPR, as the previous record had been held by multinational technology company Google, which has been fined more than 200 million euros ($227 million) after having committed violations in a number of countries around Europe since 2019, including Ireland, France, Belgium.
Why did Luxembourg’s CNPD accuse Amazon of violating the GDPR?
While laws within Luxembourg prohibit the CNPD from commenting on individual cases, French privacy rights group La Quadrature du Net conducted a probe of Amazon beginning in 2018. To this point, while the exact reasons behind the allegations and subsequent fines have yet to be officially confirmed, it has been reported that online cookie consent played a large role in Amazon receiving such massive penalties. As Amazon had previously been fined €35 million ($38,101,000.00) in 2020 by the Commission Nationale Informatique & Libertés or CNIL, France’s data protection authority, for failing to obtain cookie consent from online users, the corporation has developed a reputation for failing to maintain compliance with the GDPR as it pertains to French-speaking countries.
While many consumers around the world currently relinquish their personal data through the means of social media profiles, online cookies represent the original method by which many businesses and corporations have been able to gain further insight and information about visitors to a particular website. As such, many online corporations such as Amazon make opting out of cookies extremely difficult when browsing their website, if users have the ability to opt out of cookies at all. However, while these practices are deemed legal in virtually every part of the world, particularly in America where federal comprehensive data protection legislation has not been forthcoming, the European Union has consistently taken a hardline stance as it concerns online cookie consent.
With this being said, in addition to the GDPR, businesses, and organizations that conduct operations within Europe are also responsible for complying with the ePrivacy Directive, known informally as the EU Cookies Directive or EU Cookie Law. Under the EU Cookie Law, online users within the EU retain the right to refuse the use of cookies when browsing websites online, as the collection of such information can be viewed as an invasion of personal privacy. As such, when international corporations collect cookies from online users within the EU without first obtaining expressed permission or consent, they are effectively violating two separate laws, opening the door for the massive fines that have been imposed during the past few years.
How can businesses avoid fines when providing products and services in the EU?
While it may appear to be a simple solution on a surface level, the primary means by which multinational corporations can avoid violating international privacy laws is by being transparent about what information they collect from consumers, as well as ensuring that personal data and information is only collected in accordance with user consent. Nevertheless, this level of transparency can reduce ad revenue for large-scale corporations, as they must spend additional time, effort, and resources to obtain the personal information they need to deliver targeted advertisements to consumers that are making use of their respective websites and platforms. However, while Amazon may have lost ad revenue when obtaining consent to collect cookies from online users in France and Luxembourg, they could have also avoided being fined hundreds of millions of dollars.
Despite the fact that many countries around the world have passed some form of data protection and personal privacy legislation in the past decade, few nations have enforced these laws with the fervor and intensity as has been displayed by regulatory authorities within the continent of Europe. As such, while Europe and the U.S. may enjoy many social and cultural similarities, the internet usage landscape between the two countries couldn’t be more different, as multinational companies are largely free to collect whatever forms of personal data they want from American consumers. In this way, the EU continues to set an international standard for data protection and privacy, ensuring that even the biggest corporations maintain compliance with the GDPR when operating within Europe.