The National Commission for Data Protection (CNDP) of the Grand Duchy of Luxembourg would like to collect a 350 million euro fine for data protection violations from Amazon.com. This is reported by the Wall Street Journal (WSJ), citing people familiar with the matter. It is not known what exactly Amazon is accused of. The CNDP is responsible because the group has its European headquarters in Luxembourg.
Both Amazon and the authority have declined to comment. According to the newspaper report, the Luxembourg data protection authority has already sent a copy of its draft decision to its counterparts in the other EEA states. The so-called coherence procedure has thus begun. In this procedure, the national data protection authorities coordinate with each other in order to apply the General Data Protection Regulation (GDPR) as coherently as possible.
According to the WSJ, some European data protection officials have already objected to the Luxembourg proposal and, in at least one case, have called for an even higher penalty. If Luxembourg’s authority does not come to an agreement with the data protection authorities of the other GDPR countries in the current Amazon case, the European Data Protection Committee (ESDA) must coordinate the penalty notice for Amazon. Under the chairmanship of the Austrian lawyer Andrea Jelinek, the data protection authorities of the 30 EEA countries coordinate with one another in the ESDA.
350 million euros would be a multiple of the previous (not legally binding) record fine: In December, France fined Google 60 million euros for using tracking cookies for advertising purposes without the consent of those affected, even contrary to express settings. Ireland’s data protection authority fined Google Ireland a further 40 million euros for the same case. Ireland’s agency plans to issue several draft penalties against large data companies this year.
The most expensive data protection penalty notice from Germany to date is dated September 30, 2020: The Hamburg Commissioner for Data Protection and Freedom of Information fined the textile discount company H&M (Hennes & Mauritz) more than 35 million euros because H&M is said to have spied on hundreds of employees. According to H&M, this process goes back to a voluntary disclosure by the company. The penalty is not final, as H&M has filed a lawsuit that is pending at the Hamburg Regional Court.
The highest European data protection penalty to date for Amazon comes from December and from France. It is a fine of 35 million euros for the use of tracking cookies for advertising purposes without the consent of the person concerned. This decision is not yet final either. The highest legally binding data protection penalty in Europe also comes from France: At the beginning of 2019, Google was fined 50 million euros for a lack of transparency, insufficient information and a lack of consent in relation to personalized advertising.