Amazon’s record EU privacy fine may be just the start

The news: Amazon has been fined €746 million by European Union privacy regulators in Luxembourg—the largest privacy fine in EU history—for alleged data privacy violations, according to a securities filing released by Amazon. The fine, issued two weeks ago by Luxembourg’s data protection authority CNPD, accuses Amazon of violating the bloc’s General Data Privacy Regulations (GDPR) rules.

  • Amazon’s European headquarters are located in Luxembourg, so the lawsuit was filed there.

In addition to the monetary penalty, regulators have ordered Amazon to revise certain undisclosed business practices. And while specific details surrounding those business practices and the precise violations in question remain murky at the time of writing, Amazon has already spoken out forcefully against the ruling, saying it will appeal in court.

Why this matters: EU regulators have ramped up enforcement efforts against Big Tech companies in recent months, increasing both the frequency and severity of fines issued in line with GDPR rules.

More broadly, EU regulators have gained significant enforcement power since GDPR took effect in 2018: watchdogs are permitted under law to issue fines of up to 4% of a company’s annual global sales.

  • For context, Luxembourg’s fine would represent roughly 4.2% of Amazon’s net income of $21.3 billion for 2020, and a mere 0.2% of its $386 billion in sales, per the Wall Street Journal.

More enforcement power has resulted in more fines. Business law firm DLA Piper estimates there have been at least €142.7 million worth of GDPR-related fines issued between January 2020 and January 2021, a nearly 40% increase from the first 20 months the law was in effect.

  • Amazon’s case marks a substantial increase in fines levied at individual companies as well. Until last week’s case, the highest fine under GDPR rules was a €50 million fine of Google in 2019.

The bigger picture: Europe’s GDPR gives regulators a clearer legal framework on which to base fines than regulators in other regions have.

  • For example, in the US, regulators have set their sights on Amazon and other Big Tech companies, but have struggled to issue meaningful penalties due to outdated US antitrust laws. The absence of any federal data privacy standard stifles these efforts as well.

What’s next? Amid an emboldened European regulatory climate, tech firms, both large and small, will likely need to reassess and assure their GDPR compliance.

  • Concern about GDPR is already high. According to Evergage and Researchscape International, 33% and 10% of marketing professionals said they were moderately concerned or extremely concerned about data privacy regulation, respectively.
  • Meanwhile, 34% of business decision-makers worldwide last year said security or GDPR concerns represented the biggest technology roadblocks to making decisions at their companies, per Exasol.