Can Europe regulate American tech giants? Ep. 1
On the €746 million GDPR mega-fine against Amazon
In 2021, Amazon was fined 746 million euros by the Luxembourg data protection authority (CNPD) for a breach of the GDPR. On top of this, a penalty payment of 746 thousand euros applies per day of delay. This is the second-highest fine ever for data protection violations. Amazon contested this decision in court, and it was upheld only a few weeks ago, with the court maintaining that Amazon breached the lawfulness principle and transparency obligations and was not able to provide the rights of access, erasure, rectification and the right to object to its customers.[1]
Although the CNPD remains relatively silent on the case - referring to the peculiar national data protection law imposing professional secrecy - it was confirmed in Luxembourg court decisions that the fine is related to targeted advertising and to falsely relying on user consent for it.[2]
Wait - what does Amazon have to do with the authorities in Luxembourg?
It is common practice for US Big Tech companies to have their European counterparts based in smaller European countries such as Ireland (Meta, Google, Microsoft) or Luxembourg (Amazon). The reason for this is mainly more favourable tax conditions but also usually more flexibility on other regulatory topics, as these countries have less-resourced supervisory authorities compared to other major European countries.
The issue with this from a data protection point of view is that the GDPR adopted a “one-stop shop” mechanism, meaning that privacy-related complaints should be handled by the supervisory authority where the organisation is based, i.e. Ireland or Luxembourg when it comes to Big Tech. This means that a country of 5 million and another with less than 700,000 are making decisions impacting the rest of the EU with 450 million people, with potential impacts on essentially all social media users or Amazon customers around the world, which is a real issue from a democratic point of view as well.
Back to the Amazon fine: you might notice how the process has unfolded:
An initial complaint from a privacy NGO was filed in 2018.[3]
CNPD fined Amazon in 2021.
In 2025, a Luxembourgish court upheld CNPD’s decision.
The story might not end here, as Amazon might appeal further. Therefore, after a process of 7 years, there is still no conclusive decision on the second-highest GDPR fine, and almost no transparency from the regulator’s side on why Amazon was actually fined. This not only creates legal uncertainty but also calls into question the effectiveness of the GDPR: if this regulation cannot regulate Big Tech the way it should, why bother then?
So why was Amazon fined?
In its decision, the CNPD invoked Article 42 of the Luxembourg data protection law on professional secrecy, arguing that they will not publish the decision until all avenues of appeal are exhausted, which is a general practice they follow with all organisations, not only with Amazon. Nevertheless, this practice can call into question the effectiveness of its decisions, as it reduces the reputational impact for the company. That reputational impact would matter both for general prevention - i.e. a clear message to other market participants to respect the GDPR - and for specific prevention, i.e. the delinquent organisation (Amazon in this case) will be less likely to commit the same infringement once again. Most importantly: a more specific decision would guide companies on how to actually comply with the GDPR on a topic as complex as targeted advertising (and it would be a great resource for writing this article). Without this, companies will only calculate the financial impacts of a potential administrative fine, i.e. whether they can afford to breach the GDPR or not, and will do so with a lack of legal certainty.
Nevertheless, the Luxembourg court decision is sufficiently clear on the merits of the case, where lawfulness was one of the main debates. Amazon stated that it relies on legitimate interests when using targeted (or behavioural) advertising. This means that rather than asking for the prior consent of Amazon users when they enter the website, Amazon assumed the lawfulness of the processing, stating that
“(…) the disputed mechanism would promote the growth of the internet economy, and e-commerce in particular, a well-established policy objective of the European Union.”
As it was a bit unclear which well-established policy of the EU is referred to at this point, I looked into it and discovered that this is indeed mentioned in a previous WP29 opinion[4] from 2010. Although the document is now somewhat obsolete, it clearly mentions that “while the Article 29 Working Party does not question the economic benefits that behavioural advertising may bring for stakeholders, it firmly believes that such practice must not be carried out at the expense of individuals' rights to privacy and data protection”. I fully agree with the statement, and looking at where the idea of Amazon’s legitimate interest comes from, this is simply not the right source to refer to.
Amazon further argued “that each euro invested in advertising contributes on average around 7 euros to the European Union's gross domestic product and that advertising acts as a driver of innovation, further encouraging companies to develop new and different products and services in order to outperform their competitors, while highlighting that the advertising sector has created nearly 6 million jobs in the European Union”. They further explained that Amazon helps the development of the European Digital Single Market, especially during the COVID-19 pandemic when online sales sky-rocketed.
The court, however, argued that the legitimate interests (Article 6(1)(f) GDPR) are in fact commercial interests of Amazon, and that Amazon wrongly refers to the societal impacts of targeted advertising and to the interests of the broader community. While the CNPD and the court acknowledge the value of the traditional advertising sector, they argue that it was not demonstrated in this case that targeted advertising was necessary and that there were no less intrusive ways from a privacy perspective.
Amazon also argued that the term “legitimate interest” would not be clear for an average user, and therefore they did not include this term in their privacy notices. This was the clearer language they chose to use instead, for specifying that your data can be shared with potentially 300,000 companies selling their products on Amazon: “third-party advertisers or advertising companies ... may ... measure the effectiveness of their ads, show you more relevant advertising content, and provide services on behalf of (AA).” Whether this is sufficiently clear for an average user, I will let readers decide, but the CNPD and the court both concluded that this statement is a breach of transparency obligations under the GDPR.
Without going into more details of the merits of the case, where for example Luxembourg administrative law and the amount of the fine were debated in detail, it should be noted that Amazon failed to provide essential data subject rights to its users in the context of targeted advertising, i.e. the right of access, erasure and rectification of personal data, and they failed to implement a clear way of objecting to targeted ads. For the latter, Amazon provided a long cookie banner with several buttons, instead of just providing an option for “I disagree”.
Conclusion
While I agree with the CNPD and the court that a legitimate interest was not justified in this case, what really lacks clarity is what other interests can be lawful in the context of targeted ads, and how exactly this should be implemented. Another issue with the overall process is that if it takes more than 7 years to reach a clear conclusion against a Big Tech company in such a high-profile case, this can undermine the credibility of data protection law and its enforcement.
And at the end of the day, if you check “Your Ads Privacy Choices” (a very well-hidden button on amazon.com, by the way), you can see for yourself that Amazon continues to assume that you agree to behavioural ads by just entering their website.
Amazon sells it in its Privacy Notice as:
“By using Amazon Services, you are consenting to the practices described in this Privacy Notice.”
This is topped by their description from the Internet-Based Ads: “Some third-parties may provide us pseudonymized information about you (such as demographic information or sites where you have been shown ads) from offline and online sources that we may use to provide you more relevant and useful advertising.” The message clearly conveys that your data will be used by default, even from offline sources. However, there is no information on how exactly this is done and from what sources.
Seeing the overall impact of this debate over 7 years, the question really is: is it possible to effectively regulate US-based Big Tech companies from the EU, especially when it comes to privacy?
More on this in the next article of Digital Agora.
Beginning of the procedure and decision from 2025 (both in French).
Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010.