Breach of GDPR
In July 2021, Luxembourg’s data protection authority issued the largest fine under the GDPR to date. The authority found that Amazon was in breach of the requirement under GDPR to have a lawful basis for collecting and processing personal data. They were fined £636,000,000 as a result.
Whilst little is known about the breach, it seems to be around Amazon’s collecting of personal data for the purposes of advertisement. It appears that rather than actively seeking consent from its users to collect data Amazon instead relies upon the “legitimate interests” legal basis for collecting data.
Within the authority’s decision, Amazon was given until 15 January 2022 to ensure that its processing is compliant with GDPR. If they fail to ensure this conformity, they will be met with an additional daily penalty of £622,000.00 per day.
In response to the fine Amazon commented that “there had been no data breach, and no customer data has been exposed to any third party”. Whilst this may be the case, companies do not need to have suffered a data breach to be in breach of the rules present within the GDPR. Amazon appealed against the decision and asked the Luxembourg Administrative Tribunal to suspend the order to comply by 15 January 2022.
In relation to their request for a suspension, Amazon argued that the deadline set by the authority was entirely unrealistic on the basis that it was not clear what changes Amazon would be required to make and no guidance had been given by the authority in this respect.
The Administrative Tribunal’s decision
The Administrative Tribunal agreed with Amazon. In coming to its decision the Tribunal commented that the decision made by Luxembourg’s data protection authority was not “sufficiently clear, precise and without uncertainty” and therefore Amazon could not be expected to comply by the deadline of 15 January 2022.
Comment
The decision reached is an unusual one and goes against what has been decided in recent case law. For example, earlier in 2021, the French State Council rejected Google’s request to suspend a decision by the country’s privacy regulator to comply with the EU e-Privacy Directive on cookie banners.
It will be interesting to see what impact the Tribunal’s decision in this case to suspend compliance will have on other cases in the future.
How can we help
Ruby Ashby is an Associate in our expert Dispute Resolution team.
Should you have any legal issues in respect of data protection, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.