Amazon.com Inc is facing the largest GDPR fine issued since the Regulation came into force in 2018, after its lead supervisory authority in Luxembourg issued a draft fine of $886m in July 2021, which significantly eclipses even the heftiest fines issued to date.
Given Luxembourg’s professional secrecy laws, the regulator (CNPD) is prevented from commenting on individual cases, meaning little is known about the basis for the fine, save that Amazon.com has itself confirmed that “There has been no data breach, and no customer data has been exposed to any third party.”
The Luxembourg decision concludes an investigation which originated in 2018 following a complaint from French privacy rights group, La Quadrature du Net, on behalf of 10,000 people to the French regulator, CNIL. It is thought that the complaint related to the way in which Amazon.com displays relevant advertising content to its customers. On the basis that Amazon.com, whose EU base is in Luxembourg, nominated CNPD as its lead supervisory authority under what is termed the GDPR’s “One Stop Shop” mechanism, the complaint was transferred from CNIL to CNPD.
Under the One Stop Shop mechanism, the data protection authority of the “main establishment” of a company in the EU acts as the lead regulator (or “lead supervisory authority”) in respect of cross-border processing activities undertaken by that company (see Article 56 GDPR). One of the key benefits of being able to identify a lead supervisory authority from a company’s perspective is that it can generally deal with a single European data protection regulator when it comes to data breach notification and/or enforcement. In essence, it allows the company to avoid having to deal with every supervisory authority in every EEA/EU state where individuals are affected.
It is noteworthy that prior to 2021, the CNPD was one of the few national data protection regulators that had failed to impose any fines relating to breaches of the GDPR. Details of its first fines were only published on its website in early June but, owing to the abovementioned professional secrecy laws, none of the fined companies have been named. The CNPD has, however, confirmed that most of the cited cases relate to breaches of video surveillance and geolocation practices.
Perhaps unsurprisingly, Amazon.com has confirmed its intention to appeal CNPD’s decision saying that the fine is “without merit”. Amazon.com may well back itself as the victor in any such appeal given its success earlier this year when the EU General Court ruled against the European Commission and overturned a €250m tax bill in Luxembourg. However, even if it achieves a reduction in the fine from CNPD, Amazon.com will no doubt continue to attract scrutiny for its approach to data protection given the vast amounts of data it collects and processes from customers and partners alike.
For now, we shall monitor developments in relation to this fine closely and will report back on any reduction achieved by Amazon.com.