Amazon Facing Possible $425 Million Fine for Alleged GDPR Privacy Violation

Amazon faces a possible $425 Million dollar fine for alleged violations of the General Data Protection Regulation (GDPR), which encompasses a set of  privacy and security laws governing the collection and processing of personal information of individuals in the European Union (EU). The National Data Protection Commission in Luxembourg (CNPD), released a draft decision to the other EU privacy authorities that proposed a hefty $425 Million dollar fine on Amazon for alleged violations of privacy laws within the GDPR related to the collection and use of individuals’ personal data by Amazon’s AWS (Amazon Web Service) cloud computing service. Purportedly, AWS’ servers routed emails between third-party marketplace sellers and customers without baseline encryption or either party having to provide a personal email address to the other party.

A final decision could take months and lead to changes in the amount of the fine.  The fine in the draft decision amounts to slightly more than 0.1% of Amazon’s $386.1 billion in annual revenue in 2020.  However, GDPR allows organizations to be fined up to 4% of their global sales for the most severe violations.  Amazon is thus subject to a fine of up to $1.54 billion.

Preceding this case, in December 2020, Twitter was fined €450,000 ($548,400) by supervisory authorities in Ireland for GDPR violations over a bug in its Android application that caused some users’ protected tweets to be made public. A number of European authorities advocated for a more severe punishment. For example, Austrian regulators pushed for a fine of at least $30 million, while German regulators pushed for the fine to be in the range of €7.3 million to €22 million. 

This draft decision serves as a reminder that email security fundamentals and other privacy law considerations should be taken seriously, and resources put in now to ensure information privacy law compliance will likely far outweigh the costs of penalties and remediation incurred through inaction.

Within Lerner David’s full-service IP practice, the firm assists companies ranging from start-ups to large multinationals with information privacy law compliance.