On July 29, 2021, Amazon disclosed in a regulatory filing that it sustained what is the largest privacy-related fine ever issued for violating EU privacy rules – a massive €746 million ($886 million) fine. Amazon barely mentions the fine in its latest quarterly report: “On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation. The decision imposes a fine of €746 million and corresponding practice revisions. We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”
This disclosure is actually related to a 2018 action brought against Amazon due to its targeted ad efforts – hardly a new action where talk of pursuing a defense makes any sense. Simply put, it is unclear why the filing references a vigorous defense – that time has long passed. Amazon must now appeal what it previously defended and lost – which may end up working out for the company given in recent decisions courts have overturned GDPR privacy fines. Still, the CNPD ruling was appreciated by the privacy group that brought suit given it dwarfs the previous record EU privacy fine of €50 million handed down to Google.
Until this action runs its full appellate course, there is not much solace that plaintiffs should derive from the fine – especially given that Amazon has had three $100 billion quarters in a row and this significant fine can easily be shrugged off from a materiality perspective.