Since the implementation of the European Union's General Data Protection Regulation (GDPR), which became enforceable in 2018, e EU has levied a number of fines against companies. While the general reason for fines is data breaches, they can also be levied for improper handling of consumer data. That is the situation that Amazon is currently facing, as the company has received the largest fine ever issued under the GDPR, coming in at $888 million. Amazon said of the fine,
Maintaining the security of our customers' information and their trust are top priorities. There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed.
The fine was issued by Luxembourg's CNPD, which has the legal authority over these matters because Amazon's European operations are headquartered in Luxembourg. Under the GDPR, the nation in which a company is based is responsible for handling the investigation, as well as implementing fines, for infringements. These fines are allowed to be up to 4% of the infringing company's global revenue.
This fine, which is the largest to date under GDPR, follows an investigation conducted by the CNPD based on a 2018 complaint by La Quadrature du Net, a French privacy group. The complaint involves the ways with which the company handles and processes consumer data. The organization says that its goal is to ensure that tech companies respect customer data and do not use it for manipulative political or commercial purposes.
Amazon has come under increasing scrutiny around the world surrounding its data policies. In particular, user privacy and antitrust behavior have been at the forefront. As is the case here, regulators are concerned that Amazon might be violating consumer privacy in the type of data it collects, as well as the way it uses that data. For example, Amazon has been accused of using the data that it collects about its users in order to undermine the other sellers in its marketplace. This behavior could both violate consumer privacy laws and antitrust laws, all in a single action.