Amazon (AMZN) was fined €746 million ($886 million) by a European Union privacy regulator for not complying with the alliance’s data-protection law, making this the largest EU privacy penalty yet.
According to the filing disclosed by the company on Friday, the decision was issued on July 16 by the Luxembourg National Commission for Data Protection (CNPD), which ruled that "Amazon’s processing of personal data did not comply with the EU's General Data Protection Regulation."
"We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter," Amazon wrote in the filing.
Processing personal data is generally prohibited by the GDPR unless it is expressly allowed by law or the company has sought the consumers' consent to use their personal data. If companies fail to comply, they could be subjected to large fines.
"We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” an Amazon spokesperson told Politico.
So far, the largest GDPR penalty was a €50 million ($59.4 million) fine against Google in 2019.
According to the Wall Street Journal, Luxembourg’s fine would represent roughly 4.2% of Amazon’s reported net income of $21.3 billion for 2020, and 0.2% of its $386 billion in sales. Under the GDPR, regulators can fine up to 4% of a company’s annual revenue.