Amazon's Massive GDPR Fine Shows the Law's Power—and Limits
We were promised huge fines, and GDPR has finally delivered. Last week Amazon's financial records revealed that officials in Luxembourg are fining the retailer €746 million ($883 million) for breaching the European regulation.
The fine is unprecedented: It's the biggest GDPR fine issued to date and is more than double the amount of every other GDPR fine combined. The financial penalty, which Amazon is appealing, comes at a time when GDPR is feeling the strain of lax enforcement and measly fines. Experts say companies are allowed to get away with abusing people's privacy as GDPR investigations are too slow and ineffective. Some people even want GDPR to be ripped up entirely.
But Luxembourg's action against Amazon stands out for two reasons: First, it shows the potential power of GDPR; second, it exposes cracks in how inconsistently such regulations are applied across the EU. And for both of these reasons it is arguably the most important GDPR decision issued.
"With so many large cases piling up in front of regulators, we were really waiting for one of those cases to be resolved to show that the GDPR basically has teeth," says Estelle Massé, the global data protection lead at nonprofit internet advocacy group Access Now. La Quadrature du Net, the French civil liberties group that originally made the complaint against Amazon, said that regulators had given it "hope" that legal action could be brought "against Big Tech."
Despite the headline-grabbing fine, little is really known about the details of what Amazon has been fined for. The case was taken on by officials in Luxembourg because the country acts as Amazon's main base in Europe. The tiny nation has historically been labeled as a tax haven—although accusations of Amazon avoiding tax in the country have been rejected by the European courts. But by fining Amazon, Luxembourg's National Commission for Data Protection has, at least for the short term, launched itself into the pro-privacy spotlight.
La Quadrature du Net's original May 2018 complaint, which was filed on behalf of 10,000 people, claimed that Amazon's advertising system isn't based on "free consent." But that's about all we know. The Luxembourg regulator says it issued a decision against Amazon on July 15 but it hasn't published any more details. A spokesperson for the authority says that "professional secrecy" laws in Luxembourg mean it can't publish any details until an appeal process has been completed. And Amazon—which is incredibly data hungry—says it will appeal the fine.
"There has been no data breach, and no customer data has been exposed to any third party," an Amazon spokesperson says. That's all well and good, but companies don't need to have suffered a data breach to break GDPR rules. The spokesperson goes on to claim that the ruling in Luxembourg, which is based on how the company shows customers "relevant advertising," is based on "subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation."
Amazon may have a point. It's possible that any appeal process or negotiation may bring the fine down—last year the UK data protection regulator's fine against British Airways dropped from £184 million ($256 million) to just £20 million ($28 million). Another, against hotel group Marriott, was reduced from £99 million ($137 million) to £18 million ($25 million).
The €746 million Amazon fine is far bigger than anything that's come before—a €50 million fine against Google holds the current record. While GDPR allows potentially huge fines to be issued, the reality is that it was always unlikely regulators would issue them. Up to the start of 2021, a total of €272 million ($322 million) in GDPR fines had been issued by all of Europe's regulators combined, according to analysis from law firm DLA Piper. Italy's data protection body, which had issued €69.3 million in fines, has led the way. Germany (€69 million), France (€54 million), and the UK (€44 million) follow.
While that list contains some of the most populous countries in Europe, it doesn't include Europe's most important data protection authorities—Luxembourg and Ireland. Under GDPR laws, companies that operate across multiple countries in Europe can select one country—where their main office is based—to act as the nation where complaints are funneled through. This process is called the one-stop-shop mechanism. Before a decision—which can include a fine or enforcement action that can make companies change their behavior—is issued, all the European nations that are interested in the case are given a right to reply.
Amazon has selected Luxembourg as its main data protection regulator and the complaint against it, which was first raised in France, was passed to authorities there. A number of major complaints against Facebook, Google, Twitter, and Apple have been made to Ireland's Data Protection Commission (DPC), where the companies have their European headquarters. To date, the Irish office has only made one ruling against a big tech firm since GDPR was introduced in May 2018—a €450,000 ($533,000) fine against Twitter in December 2020. Another against WhatsApp is pending.
Multiple people say the one-stop-shop is failing. "It's not working," says Romain Robert, a program director at European data rights group NOYB. Robert claims the one-stop-shop system has caused GDPR complaints to become lost or resulted in lengthy delays and breakdowns in communication. "There is no deadline in the one-stop shop," he says. "The procedure is so different in each member state that you have to know where you go."
GDPR regulators, which are often underfunded and overworked, also aren't happy about the setup. GDPR analysis published by Access Now in May 2021 shows the concerns of regulators. Those in Germany pointed to long delays. Ireland said it can be hard to determine which data protection group should be the "lead authority" in each case. Sweden said different national approaches made it hard for countries to "cooperate effectively." The complaints go on.
"It is a cumbersome system because it adds additional complexity to already very complex enforcement situations," says Hielke Hijmans, chairman of the litigation chamber of Belgium's data protection authority. A case involving the Belgium regulator, Facebook, and how the one-stop shop is applied went to one of Europe's top courts and reiterates it is possible for countries to avoid the mechanism in some circumstances. "There is a lot of discussion around whether the system is sustainable in the long term, because of its cumbersome character and also because most big tech companies are concentrated in one or two member states," Hijmans says.
The European Data Protection Board (EDPB), an independent body that was set up to promote cooperation between the EU's data protection regulators, acknowledges that the system isn't perfect. "Enforcing at a national level and at the same time resolving cross-border cases is time and resource intensive," an EDPB spokesperson says. "While we are aware of these challenges and of others, the EDPB is not in favor of an overhaul of the GDPR or the one-stop-shop mechanism." It says that "slowly, but steadily, we are seeing results" and that there have been 254 final decisions where the one-stop-shop has been successfully used.
So is there anything that can be done to improve the system? The EDPB spokesperson says that GDPR is a "long-term project" and it is working to "strengthen cooperation" between Europe's regulators. But both Massé and Robert say things should go further. They say that some GDPR investigations should have timelines placed upon them—to stop them dragging on for years—and that regulators also need to move more swiftly. "We need to address those seemingly boring bureaucratic issues to make sure this actually works," Massé says. "Those are issues that should be resolved and addressed at the EU level."
This story originally appeared on WIRED UK.