Amazon's Massive GDPR Fine Shows the Law's Power'and Limits

We were promised massive fines and GDPR finally delivered. Amazon's financial records last week revealed that officials from Luxembourg were fining the retailer 746 millions ($883 million), for violating European regulations.WIRED UK Original story.This is a record-breaking fine for GDPR. It is more than twice the amount of all other GDPR fines combined. Amazon has appealed the financial penalty. This comes as GDPR is under pressure from lax enforcement and measly penalties. Experts believe companies can abuse people's privacy because GDPR investigations are slow and ineffective. Some even want to see the GDPR ripped up completely.Luxembourg's action against Amazon is notable for two reasons. First, it demonstrates the power of GDPR. Second, it exposes the inconsistencies in the way such regulations are applied across Europe. It is undoubtedly the most important GDPR decision.We were waiting for one of the large cases to be resolved because there were so many cases before regulators. This would show that the GDPR actually has teeth, according to Estelle Mass, Access Now's global data protection lead. La Quadrature du Net in France, a civil liberties group, originally filed the complaint against Amazon. It stated that regulators had given it hope that Big Tech could be sued.Although the headline-grabbing fine is a big deal, very little information exists about what Amazon was actually fined for. Officials in Luxembourg took the case because Luxembourg is Amazon's main European base. Although the tiny country has been known historically as a tax haven, accusations that Amazon had evaded tax in Luxembourg have been dismissed by European courts. However, the National Commission for Data Protection of Luxembourg has launched itself, at least for the moment, into the pro-privacy spotlight by fining Amazon.La Quadrature du Nets May 2018 complaint was brought on behalf of 10,000 people. It claimed that Amazon's advertising system wasn't based upon free consent. Although the Luxembourg regulator claims it made a decision against Amazon on Jul 15, it has not published further details. The spokesperson for the authority said that it cannot publish details until an appeal has been filed because Luxembourg's professional secret laws prevent them from disclosing information. Amazon, which is extremely data-hungry, will appeal the fine.An Amazon spokesperson stated that there has not been a data breach and that no customer data was exposed to third parties. All that is great and all, however, companies don't need to have experienced a data breach in order to violate GDPR rules. According to the spokesperson, the Luxembourg ruling, which was based upon how the company showed customers relevant advertising, was based on subjective interpretations of European privacy law. The proposed fine is completely out of proportion with that interpretation.Amazon might have a point. There is a possibility that an appeal or negotiation could bring down the fine. Last year, the UK data protection regulators fine against British Airways was reduced from 184 million ($256m) to only 20 million ($28m). Another was against Marriott hotel group. It was reduced from 99million ($137 million to 18million ($25 million).This Amazon fine of 746 million is much greater than any that has been imposed on Google. Although GDPR permits for potentially large fines, it is unlikely that regulators will issue them. According to DLA Piper analysis, all European regulators combined had issued a total amount of 272 million GDPR fines ($322 millions) up to 2021. The leader in this regard is Italy's data protection agency, which has issued fines totaling 69.3 millions. France (54 millions), Germany (69million), and the UK (44.4 million) are following.