Amazon GDPR fine signals expansion of regulatory guidance



Amazon has received the biggest GDPR fine to date; However, how the company violated European Union data privacy law remains unclear.

The Luxembourg National Commission for Data Protection fined Amazon $ 887 million, claiming that “the processing of personal data by Amazon did not comply with the EU General Data Protection Regulation”, Amazon disclosed in a U.S. Securities and Exchange filing on July 29. Amazon, which has its European headquarters in Luxembourg City, said in the file that it considers the decision to be “without merit” and that the company is appealing the decision.

The initial complaint was filed by French civil liberties group La Quadrature du Net in 2018, which claimed that Amazon’s advertising practices were not based on the free consent of consumers. But why the ensuing fine was imposed is pretty much a secret, said Ryan O’Leary, research director at IDC, which covers privacy and legal technology. Previous fines have been linked to data breaches, but O’Leary said he believes Amazon’s GDPR fine leans more towards the “true spirit” of the law to protect individuals from unlawful processing of data. their data without consent.

“We haven’t really seen the GDPR’s teeth bare,” O’Leary said. “It’s refreshing to see that the law is really being used to enforce what it is supposed to enforce, which is, essentially, to level the playing field between the person concerned, or the citizen, and these giant corporations. . “

Amazon hints at consumer consent issue

O’Leary said that when computer cookies, or data used by websites to identify a user, were developed and incorporated into users’ internet experience, tech giants like Amazon and Google realized the power of this feature before the average consumer.

“They were able to advertise, in particular, to people and guide consumers’ decisions without their knowledge,” he said.

GDPR was developed to give consumers more transparency about their online experience and more authority over how their data is used, which is why O’Leary said he believes the hefty GDPR fine imposed to Amazon concerned consumer consent.

I wonder if that means these larger, more complex investigations are coming to an end and we’re going to start seeing dominoes falling here.

Ryan o’learyResearch manager, IDC

O’Leary said options such as consent to process user data are often deeply embedded in the long terms and conditions of companies like Amazon and are often non-negotiable.

But Article 7 of the GDPR states that if the consent to the processing of users’ data is buried in a long statement regarding other matters such as the terms and conditions, it must be specifically called and made clear to what the users are consenting.

“We don’t really have a good test of what illegal processing looks like in the context of advertising and terms and conditions under GDPR, so I think that’s what it will be.” , did he declare.

Indeed, an Amazon spokesperson said there had been no data breach and no exposure of customer data to a third party, indicating that the fine was aimed at something else.

“The decision on how we show customers relevant advertisements is based on subjective and untested interpretations of EU privacy law, and the proposed fine is grossly disproportionate even with this interpretation,” according to an Amazon spokesperson.

O’Leary pointed out that the GDPR is still nascent, having become law in 2018. Although the data breaches handled by the GDPR have been “cut and dried”, other aspects of data privacy, such as the consent, were less simple and, probably, necessary. other investigations before they can be implemented, he said.

“I wonder if this indicates that these larger, more complex investigations are coming to an end, and we’re going to start seeing dominoes falling here,” O’Leary said.

Indeed, Alan Pelz-Sharpe, founder of consultancy firm Deep Analysis, said Amazon’s GDPR fine shows the EU’s seriousness in regulating big tech not just for data breaches, but for data breaches. data privacy practices.

“The GDPR was designed to protect personally identifiable information [PII] and ensure data confidentiality; it’s not just about removing data from a jurisdiction without consent or experiencing a data breach, ”he said. “It’s about how you use personal information, not just how and where you store it. It’s important and it’s something every big tech company should have… already been aware of. “

Somewhere else

  • The UK is considering stopping Nvidia’s acquisition of chipmaker Arm Ltd., according to Bloomberg. The UK Competition and Markets Authority delivered a report to UK Culture Secretary Oliver Dowden in July, indicating whether the deal could be anti-competitive or if it posed potential national security concerns. According to Bloomberg, sources said the report contained worrying national security concerns about the deal, and the UK is inclined to reject the acquisition.

Makenzie Holland is a news writer covering major tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education journalist at Wabash Plain Merchant.



About Author

Comments are closed.