AMAZON AND THE GDPR
Online merchandiser and tech giant Amazon has just been fined a whopping $888 million, or €776 million, under the GDPR. The European Union data protection and regulatory body claimed that Amazon’s processing of personal data did not comply with the GDPR and consequently Luxembourg’s National Commission for Data Protection (CNPD) issued the penalty on 16 July. Google’s fine of €50 million and H&M’s €35 million, both in 2020, pale in comparison.
AMAZON HITS BACK AT THE GDPR
On 29 July, Amazon categorically stated that the GDPR fine was without merit. A spokesperson for the company told Bloomberg:
“There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling.”
Amazon is now in the process of appealing the CNPD’s decision regarding its breach of the GDPR.
WHY THE $888 MILLION FINE?
This massive fine imposed on Amazon under the GDPR originated in 2018 when 10,000 people filed a complaint to the privacy rights group La Quadrature du Net (LQDN). Exactly how Amazon has violated EU law seems unclear, but the LQDN alleges that Amazon’s advertising practices didn’t rely on consumers’ freely given consent. Ryan O’Leary, Research Manager at the global marketing intelligence firm, IDC, said:
“We haven’t really seen the teeth of GDPR bared at all. It’s refreshing to see the law is actually being used to enforce what it’s meant to enforce, which is, essentially, leveling the playing field between the data subject, or the citizen, and these giant corporations.”
O’Leary also claimed that tech giants such as Amazon and Google exploit cookies, embedded into a user’s internet and web browsing experiences, while the average user remains oblivious to the power behind these text files. He said:
“They were able to advertise, specifically, to folks and guide consumer decisions without the consumers knowing.”
WHAT IS PERSONAL DATA?
Personal data, by definition, is a tricky and complex concept to unpack. Some say that it is the all-encompassing collection of an individual’s identifiers, both online and offline. According to the GDPR, personal data covers:
- Physical attributes
- Health information
- Economic, cultural and social identity
- Identification numbers
- Online identifiers including IP addresses
- Location data
TECH GIANTS MUST WATCH OUT
“GDPR was designed to protect personally identifiable information [PII] and ensure data privacy; it’s not limited to simply pulling data out of a jurisdiction without consent or in suffering a data leak,” he said. “It is about how you make use of PII, not just how and where you store it. That’s important and something all the big tech firms should have … already been aware of.”
DON’T RISK THE FINE
The recent Amazon GDPR fine shows just how much authority the EU regulator has, being able to levy fines of up to 4% of a company’s global annual turnover. Amazon’s revenue was $386 billion in 2020, significantly more than the $232 billion it earned in 2018. Doing the math, the fine equates to 0.23% of Amazon’s annual turnover in 2020 and 0.38% relative to its 2018 earnings, the year the complaint was submitted. Don’t risk the fine. If you have any doubt about your GDPR compliance, please contact me. I have over 20 years of experience in Business IT Management, Cybersecurity Practices, and Risk Mitigation. I’ll make sure that you stay on the right side of the GDPR.