Amazon Faces Possible $425 Million EU Privacy Fine

The Luxembourg case relates to alleged violations of Europe’s General Data Protection Regulation, or GDPR, linked to Amazon’s collection and use of individuals’ personal data, and isn’t related to its cloud-computing business, Amazon Web Services, one of the people familiar with the matter said. The person declined to elaborate on the specific allegations against Amazon.

An Amazon spokesman declined to comment. The company has previously said the privacy of its customers is a priority and it complies with the law in all the countries where it operates. A spokesman for the CNPD said the regulator isn’t allowed to comment on individual cases.

Before the draft decision can become final under the GDPR, it must effectively be agreed upon by other EU privacy regulators, a process that could potentially take months and lead to substantive changes in the outcome, including a higher or lower fine.

The fine proposed by Luxembourg would represent roughly 2% of Amazon’s reported net income of $21.3 billion for 2020, and 0.1% of its $386 billion in sales. Under the GDPR, regulators can fine up to 4% of a company’s annual revenue for certain violations.

Luxembourg’s regulator has received a handful of objections to its draft decision from its counterparts, including at least one saying the fine should be higher, another of the people familiar with the matter said. Luxembourg can either resolve objections amicably, or reject them and trigger a debate and vote among all EU privacy regulators at the European Data Protection Board.

Write to Sam Schechner at [email protected]