Luxembourg’s data protection authority CNPD has imposed a fine of €746m ($888m) on Amazon for processing personal data in breach of the EU’s General Data Protection Regulation (GDPR). The CNPD also ordered the online retailer to revise it practices.

Amazon disclosed the 16 July ruling in a Securities and Exchange Commission filing for its second-quarter financial results.

“We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter,” the tech giant added.

The Luxembourg decision follows an investigation into a complaint by a French privacy group.

“Maintaining the security of our customers’ information and their trust are top priorities,” Amazon said in a subsequent statement.

“There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed.

“We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” the statement added.


PrivSec Global is back for another 2 information-packed days, featuring a series of brand new topics and themes. Register now and hear industry experts discuss Global Data Protection and Privacy Law Developments.