Internet retail giant Amazon has been hit by a record fine of €746 million by the data protection authority (CNPD) in Luxembourg, and is the highest ever imposed in the EU.
Amazon was accused of offences against the EU’s General Data Protection Regulation (GDPR), a strict data protection law that obliges any online entity to obtain express permission from visitors before accessing and using their data.
GDPR, in short, is the reason why we have to agree to cookies every time we visit a new website, or return to a previous one.
As one of the largest retailers in the online world, Amazon makes massive use of user data. Search for a pair of crocodile-skin boots, say, and you’ll be dogged for days by advertisements for crocodile-skin boots, even on sites that have nothing to do with Amazon.
The exact nature of the complaint against the company have not yet been revealed, but Amazon itself has issued a statement denying the charges. The declaration was made in accordance with SEC rules in the US.
“Maintaining the security of our customers’ information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed,” the statement said.
“We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
The issue is believed to relate to a complaint brought by the French group La Quadrature du Net, which claims to represent more than 10,000 internet users, and argues that major internet companies like Google, Facebook, Apple and Amazon use their power to manipulate the ads users see for commercial and political ends.
“The model of economic domination based on the exploitation of our privacy and free will is profoundly illegitimate and contrary to all the values that our democratic societies claim to defend,” the group said in a blog post published yesterday.
The last major fine imposed under GDPR was a €50 million fine on Goggle in 2019.