The Administrative Court of Luxembourg confirmed on March 18, 2025, the decision of the national data protection authority (CNPD), upholding an unprecedented fine of €746 million against Amazon.
Background of the Case
The fine, originally imposed in 2021 and then a record-breaking amount, resulted from severe violations of the General Data Protection Regulation (GDPR), particularly due to a lack of transparency in processing personal data for personalized advertising. The CNPD identified breaches of Articles 6, 12 to 17, and 21 of the GDPR, as Amazon failed to obtain the necessary user consent for data processing.
In addition to the financial penalty, the CNPD had also ordered a daily fine of €746,000 until Amazon aligned its data protection practices with European law. However, this recurring payment was suspended during the appeal process.
The Decision
Amazon appealed the CNPD’s decision, but the Luxembourg Administrative Court upheld the €746 million fine on March 18, 2025. The court ruled that Amazon had also violated transparency and information obligations, as well as data subject rights, including the rights to access, rectify, and erase processed data.
The specific violations attributed to Amazon include:
- Lack of Legal Basis: Amazon failed to provide a sufficient legal justification for processing personal data.
- Lack of Transparency: The company did not fulfill its transparency obligations and failed to adequately inform affected individuals about data processing.
- Violation of Data Subject Rights: Amazon infringed on individuals’ rights to access, rectify, and delete their personal data, as well as their right to object to processing.
Implications for Businesses
The ruling highlights:
- High Fines: GDPR violations can lead to significant financial penalties.
- Strengthened Data Protection Authorities: The decision demonstrates regulators’ commitment to enforcing GDPR compliance.
- Necessity of Transparency: Companies must handle data processing transparently and respect individuals’ rights.
Conclusion
The Luxembourg court’s ruling is a strong message for data protection, even for Big Tech companies. It reinforces the importance of GDPR compliance and the need for transparency and legality in data processing. Businesses should take GDPR requirements seriously to avoid substantial fines and reputational damage.
