The EU fine on Amazon was based on the finding that the corporation allegedly processed personal data in violation of GDPR rules, and was ruled on the 16th July, as disclosed in a regulatory filing on Friday.
The CNPD claimed the tech giant’s processing of personal data did not comply with EU law, which requires companies to seek the consent of users before using their personal data.
Amazon, however, has announced that it will appeal the legislation, stating that the CNPD’s decision was made without merit.
“There has been no data breach, and no customer data has been exposed to any third party,” said an Amazon spokesperson.
“These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
If the regulation goes ahead, the fine would be a record for GDPR breach measures, with the current biggest fine being $57 million, imposed on Google by French privacy regulator CNIL in January 2019.
Three years down the track – is GDPR enough to protect our data?
According to Rob Elliss, vice-president EMEA, data protection at Thales, “This ruling is a significant moment in data privacy regulation history. For a long time, the strength of legislation like GDPR has been questioned and whether it had the ‘teeth’ to make an impact.
“While this ruling is set to be challenged, it sends a significant message to any company dealing with EU citizens’ personal data that they must keep on top of all compliance requirements or be hit with a heavy fine.
“In this ‘hybrid era’ of a ‘work from anywhere mentality’, achieving compliance can be trickier than ever, with data being accessed from multiple locations and outside core company networks. Legislation like GDPR could not possibly anticipate the rampant adoption of the cloud, that has now become the ‘new normal’ during the pandemic.
“As a result, it means businesses must carefully review and understand their compliance requirements or leave themselves vulnerable to falling foul of the regulations and being hit with a big fine, even if this is done by mistake. Personal Data Protection Officers have a huge role to play in ensuring their companies understand these regulations and where they need to adapt.”