Biggest test of GDPR enforcement awaits as CNPD issues its draft decision to fine Amazon
June 2021 by Howard Freeman, MD, Fortis (DPC)
Howard Freeman, MD, Fortis (DPC) discusses the road ahead
“Last week, the CNPD- Luxembourg’s data-protection commission circulated a draft decision sanctioning Amazon’s privacy practices and proposed a fine of $425 million against Amazon.com Inc. The latest fine is a clear example of how tech giants continue to fail to understand GDPR requirements across the board. “Whilst Amazon claims that it ‘complies with the law in all countries in which it operates’ the reality is that it may not actually know all the laws it needs to comply with.
“The decision was made by the Luxembourg regulator (the lead regulator in the EU) where Amazon is headquartered. However, the draft decision will need to be finalised by the regulators of the other 26 EU states where Amazon operates, and this is where problems may begin. Some will want a larger fine, some a lesser one. Others have laws that prevent administrative fines and may not agree to the fine at all! So, the fine will change and eventually there will be a decision. It is very likely that Amazon will seek counsel from its corporate lawyers to challenge the fine and where the breaches took place.
“This will be the biggest test of The GDPR enforcement to date and many of the tech giants will watch with great interest. If the fine is successfully imposed, it will send a clear message to the tech giants and other large corporates that the law is in force and fines will be paid. With 2020 turnover of approximately $386 billion, the fine is tiny by comparison. However, Amazon may decide to fight on principle.
“The size of the fine is considerably less than it could be. With annual turnover approaching nearly $400 billion, a fine of almost $16 billion is possible using the higher 4% tariff. Whether the fine is calculated at 2% or 4% and depending on the nature of the rules broken, the fine should be at least $8 billion. Whichever tariff is used, the fine would be considerably more than £425 million. This in turn sends a mixed message. The EU is prepared to fine businesses that breach the regulation but not to the maximum. This is reminiscent of the old UK Data Protection Act of 1998 where businesses found it cheaper to budget for fines than to actually comply with the law.
“For other companies who may fall foul of the regulation in their country for similar breaches, they may find a precedent over the percentages used to calculate fines. Should Amazon be fined $425,000,000 or 0.11% of global turnover then the ability of regulators to enforce the GDPR with huge fines will diminish. This fine, if it remains at this level is too small and threatens the future of the GDPR”.