This insane GDPR Fine on Amazon is self defeating


Luxembourg Data Protection Authority (CNPD) has done great disservice to the Privacy Community by administering a fine of $887 million(Rs 6582 crores) on Amazon for using customer data for advertising purpose. The fine has been revealed by Amazon in its SEC filing and requires public confirmation from CNPD. It is possible that CNPD may revise its decision since it is blatantly unrealistic and will create a huge backlash from the business to the sanctity of the administrative fine system.

Details available here

The ruling appears to have been a result of a complaint filed in 2018 by a French privacy rights group La Quadrature du Net representing the interests of 10065 persons. The complaint states that “Amazon is  carrying out certain personal data concerning the persons on whose behalf the this complaint is lodged (2.2) without, however, establishing these treatments on one of the legal bases required by law (2.1), making therefore, they are unlawful (2.3).”

Amazon has rightly pointed out that there is no “Data Breach” and the fine is disproportionate to the alleged violation.

It is important to observe that while CNPD can take pride in claiming that this is a “Record” fine based on the “4% Global Turnover window” provided in the GDPR, the level of fine is unlikely to be accepted by any sane Court.

The prayer in the complaint was

“request that the following measures be imposed on the from Amazon:
• the prohibition of behavioral analysis and targeting treatments advertising described above, pursuant to Article 58,§2(f) GDPR;
• an administrative fine which, because of the massive, lasting nature and manifestly deliberate of the breach found, must be the highest possible, pursuant to Article 83(2) and (5) of the GDPR.”

It is interesting to note that Luxembourg is one of the smallest sovereign states in Europe with a population 6,26,108 and an area of 2585  square Kilometers. It is a rich country but too insignificant because it is  an entity smaller than the State of Goa and a population of some small town in India. The fine will enrich the country by about Rs 1 lakh per citizen.

It is possible that the CNPD thinks that it is upholding the privacy rights of the entire EU population and it is the torchbearer of privacy protection for the entire democratic world.

It is however necessary for such regulators to remember that “Advertising” is an essential ingredient of marketing and cannot be completely eliminated. In the course of developing a targeted advertising of a commercial product, Amazon is being accused of not having a proper consent. The accusation may be partially true. But the punishment envisaged must be reformative and reasonable. The current level of fine will be considered as unreasonable and will actually  create a sympathy for Amazon.

I hope the Indian regulatory authority when it comes into existence would be more reasonable.

It is possible that the report as it happens in most media reports is itself not completely true. It is possible that CNPD might have raised a show cause notice on Amazon on why it cannot be fined Euro 447 million and Amazon might have disclosed it as a “Risk” in its disclosure documents to SEC. In the process, Amazon could have also exaggerated the possible fine without appropriate basis.

Based on the response from Amazon, CNPD may revise the fine downwards to more reasonable levels or a Court may actually squash the order. Hence the criticism may be premature.

However the incident does raise a question on how Privacy has to look at targeted advertising as a commercial marketing tool and whether it needs to be banned completely or regulated to the extent that it is used only for positive uses for the society.

Imagine a situation where all advertising on internet is banned. Then the entire internet industry would become so expensive that people will stop using it and technological development will be seriously affected.

This was not the intention behind GDPR and we should not allow the individual regulatory authorities to redefine the objective of GDPR and convert it into a revenue generating tool for themselves at the cost of business.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.