
Amazon Fined Under EU General Data Protection Regulation

Privacy regulators in the European Union hit Amazon with a record fine of $887 million for advertising violations. They found that Amazon violated the General Data Protection Regulation (GDPR), the main body of data protection laws in the EU. The fine is the largest ever to be issued under the GDPR. The Luxembourg CNPD, the country’s data protection agency, brought the charges.

In response to the EU fine, Amazon stated that the decision was meritless. “The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The fine represents roughly 4.2% of Amazon's net income for 2020, which equalled about $21.3 billion. Regulators may impose fines on companies of up to 4% of their annual revenue.

The EU originally published the GDPR in 2016. Enforcement began in 2018. The European Parliament and the Council of the European Union made the GDPR. They designed it to protect personal data and enhance individuals’ rights over their personal data. The GDPR also addresses how the EU should regulate data transfers outside of the EU.

A number of other countries have since modeled their privacy laws based on the framework provided by the GDPR. Argentina, Kenya, the UK, Japan, South Korea, and Brazil are some of the countries that have passed their own privacy laws. The GDPR inspired the drafting of their own privacy laws that relate to companies like Amazon. The GDPR has also been influential at the state and local government level. For example, the California Consumer Privacy Act (CCPA) has many similar provisions to the GDPR. The California legislature passed it in 2009.

The EU is not picking on Amazon. EU regulators have also hit other BigTech companies such as Alphabet, Apple, and Facebook with hefty fines. In 2019, the EU fined Google $57 million under the EU’s data privacy law. The EU penalized Google under the GDPR for not properly disclosing its data collection practices to users. It failed to disclose them across its service platforms, including YouTube and Google Maps, in the context of targeted advertising. At the time, the charges, which France’s data protection authority brought, were only the fourth monetary penalty against any company under the GDPR.

Since then, regulators in the EU have ramped up efforts to rein in the privacy practices of large technology companies like Amazon. The GDPR has had a sweeping impact on tech companies and consumers alike. The increase in the number of consent boxes that have to be clicked has been one of the most noticeable results for the general public.

EU regulators haven’t just policed the data privacy practices of large companies. They have also taken a tough stance on tax and antitrust violations. Google faced a $5.15 billion antitrust fine for abusing its power over the mobile phone market. The EU decision stated that Google used its Android mobile operating system, used in 80% of the world’s smartphones, to suppress competition from rivals. Google is seeking to overturn the ruling at a five-day court hearing scheduled for September 2021.

EU regulators have a number of antitrust investigations into Facebook’s advertising practices. They are probing into how Facebook uses advertising data in its classified ads business. Over the past decade, the EU has hit Facebook with fines totaling over $10 billion in a series of ongoing battles with EU regulators.

The news headlines have many stories about large tech companies facing penalties from EU regulators. But startups operating at a smaller scale should also take precautions in handling consumer data to remain out of the crosshairs of regulators. The consequences of GDPR noncompliance are steep. Under the GDPR, individuals have a right to file a complaint and seek damages when their data is mishandled. The definition of “personal data” under the GDPR is pretty wide-reaching. Furthermore, fines imposed by EU regulators can be up to 4% of the company’s global revenues.

Startups therefore need to implement comprehensive data management strategies. Measures should be taken to manage data in a transparent and secure fashion. The GDPR states that companies should minimize data usage to what is necessary to fulfill its purpose.

Startups should also implement privacy policies that address potential risks under the GDPR. Thorough review by one or more lawyers is recommended to make sure a company’s privacy policy is compliant with the EU’s data privacy laws. The privacy policy should address the purposes of data collection, the third parties involved in processing data, users’ rights with respect to their personal data, and how users will be notified of any changes to the company’s privacy policy.

Ryan Carpenter serves as Attorney and Managing Director of Carpenter Wellington. Ryan advises clients across a broad set of corporate and commercial matters.