A European Union privacy regulator has proposed a fine of more than $425 million against Amazon.com Inc., part of a process that could yield the biggest-yet penalty under the bloc’s privacy law, people familiar with the matter said.
Luxembourg’s data-protection commission, the CNPD, has circulated among the bloc’s 26 other national data-protection authorities a draft decision sanctioning Amazon’s privacy practices and proposing the fine, the people said. The CNPD is Amazon’s lead privacy regulator in the EU because Amazon has its EU headquarters in the Grand Duchy.
The Luxembourg case relates to alleged violations of Europe’s General Data Protection Regulation, or GDPR, linked to Amazon’s collection and use of individuals’ personal data, and isn’t related to its cloud-computing business, Amazon Web Services, one of the people familiar with the matter said. The person declined to elaborate on the specific allegations against Amazon.
An Amazon spokesman declined to comment. The company has previously said the privacy of its customers is a priority and it complies with the law in all the countries where it operates. A spokesman for the CNPD said the regulator isn’t allowed to comment on individual cases.
Before the draft decision can become final under the GDPR, it must effectively be agreed upon by other EU privacy regulators, a process that could potentially take months and lead to substantive changes in the outcome, including a higher or lower fine.
The fine proposed by Luxembourg would represent roughly 2% of Amazon’s reported net income of $21.3 billion for 2020, and 0.1% of its $386 billion in sales. Under the GDPR, regulators can fine up to 4% of a company’s annual revenue for certain violations.
Luxembourg’s regulator has received a handful of objections to its draft decision from its counterparts, including at least one saying the fine should be higher, another of the people familiar with the matter said. Luxembourg can either resolve objections amicably, or reject them and trigger a debate and vote among all EU privacy regulators at the European Data Protection Board.