Amazon, GDPR Fines, New Enforcement Decisions

March 28, 2022 | 4 minutes read
Amazon, GDPR Fines, New Enforcement Decisions

When the European Union enacted the General Data Protection Regulation or GPDR in 2016, they completely changed the ways in which international businesses and corporations conducted operations within the boundaries of Europe. As many companies, particularly major technology and social media giants such as Twitter and Meta, function in accordance with the collection and processing of the personal data of millions of different individuals, the GDPR effectively outlawed many data collection practices and techniques that are currently legal in other countries around the world. Moreover, as companies that operate within the EU must also comply with provisions that have been implemented by individual member states, maintaining compliance with all applicable legislation has proven challenging for many businesses.

To this point, multinational technology company Amazon was fined 746 million-euro ($888 million) by Luxembourg’s data authority, the Commission Nationale pour la Protection des Données or CNPD, in response to various alleged violations in July of 2021. The fine represents the largest monetary penalty that has been imposed against a business under the provisions of the GDPR, as the previous record had been held by multinational technology company Google, which has been fined more than 200 million euros ($227 million) after having committed violations in a number of countries around Europe since 2019, including Ireland, France, Belgium.

Why did Luxembourg’s CNPD accuse Amazon of violating the GDPR?

While laws within Luxembourg prohibit the CNPD from commenting on individual cases, French privacy rights group La Quadrature du Net conducted a probe of Amazon beginning in 2018. To this point, while the exact reasons behind the allegations and subsequent fines have yet to be officially confirmed, it has been reported that online cookie consent played a large role in Amazon receiving such massive penalties. As Amazon had previously been fined €35 million ($38,101,000.00) in 2020 by the Commission Nationale Informatique & Libertés or CNIL, France’s data protection authority, for failing to obtain cookie consent from online users, the corporation has developed a reputation for failing to maintain compliance with the GDPR as it pertains to French-speaking countries.

While many consumers around the world currently relinquish their personal data through the means of social media profiles, online cookies represent the original method by which many businesses and corporations have been able to gain further insight and information about visitors to a particular website. As such, many online corporations such as Amazon make opting out of cookies extremely difficult when browsing their website, if users have the ability to opt out of cookies at all. However, while these practices are deemed legal in virtually every part of the world, particularly in America where federal comprehensive data protection legislation has not been forthcoming, the European Union has consistently taken a hardline stance as it concerns online cookie consent.

With this being said, in addition to the GDPR, businesses, and organizations that conduct operations within Europe are also responsible for complying with the ePrivacy Directive, known informally as the EU Cookies Directive or EU Cookie Law. Under the EU Cookie Law, online users within the EU retain the right to refuse the use of cookies when browsing websites online, as the collection of such information can be viewed as an invasion of personal privacy. As such, when international corporations collect cookies from online users within the EU without first obtaining expressed permission or consent, they are effectively violating two separate laws, opening the door for the massive fines that have been imposed during the past few years.

How can businesses avoid fines when providing products and services in the EU?

While it may appear to be a simple solution on a surface level, the primary means by which multinational corporations can avoid violating international privacy laws is by being transparent about what information they collect from consumers, as well as ensuring that personal data and information is only collected in accordance with user consent. Nevertheless, this level of transparency can reduce ad revenue for large-scale corporations, as they must spend additional time, effort, and resources to obtain the personal information they need to deliver targeted advertisements to consumers that are making use of their respective websites and platforms. However, while Amazon may have lost ad revenue when obtaining consent to collect cookies from online users in France and Luxembourg, they could have also avoided being fined hundreds of millions of dollars.

Despite the fact that many countries around the world have passed some form of data protection and personal privacy legislation in the past decade, few nations have enforced these laws with the fervor and intensity as has been displayed by regulatory authorities within the continent of Europe. As such, while Europe and the U.S. may enjoy many social and cultural similarities, the internet usage landscape between the two countries couldn’t be more different, as multinational companies are largely free to collect whatever forms of personal data they want from American consumers. In this way, the EU continues to set an international standard for data protection and privacy, ensuring that even the biggest corporations maintain compliance with the GDPR when operating within Europe.

Related Reads

Anyone doing business in or with the EU's 27 member states must take redaction seriously or possibly face million euro fines.
June 20, 2024 | 5 minutes read
The EU’s GDPR And How To Best Comply In 2024

What is the GDPR? How do you comply? With CaseGuard Studio, the all-in-one redaction solution, sensitive data redaction is made simple with powerful AI tools.

Learn More »
Two police officers on motor cycles watching people use a cross walk in the UK.
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Doctor in green scrubs looking at multiple computer screens with sensitive medical information on them
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
healthcare worker
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
surveillance-cameras
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The word "Security" with a curser near by
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »