zimmytws - Fotolia

Amazon GDPR fine signals expansion of regulatory focus

Amazon's $887 million GDPR fine likely stems from consumer consent and may indicate the EU is moving beyond data breaches and zeroing in on data practices.

Amazon has been hit with the largest GDPR fine to date; although, how the company violated the European Union's data privacy law remains unclear.

The Luxembourg National Commission for Data Protection issued Amazon a fine of $887 million, claiming Amazon's "processing of personal data did not comply with the EU General Data Protection Regulation," Amazon revealed in a U.S. Securities and Exchange filing on July 29. Amazon, which has its European headquarters in the city of Luxembourg, noted in the filing that it believes the decision to be "without merit" and the company is appealing the decision.

The original complaint was filed by the French civil liberties group La Quadrature du Net in 2018, which alleged Amazon's advertising practices didn't rely on consumers' freely given consent. But why the subsequent fine was issued is fairly secretive, said Ryan O'Leary, research manager at IDC, who is covering privacy and legal technology. Prior fines have been linked to data breaches, but O'Leary said he believes the Amazon GDPR fine leans more toward the "true spirit" of the law to protect individuals from the unlawful processing of their data without consent.

"We haven't really seen the teeth of GDPR bared at all," O'Leary said. "It's refreshing to see the law is actually being used to enforce what it's meant to enforce, which is, essentially, leveling the playing field between the data subject, or the citizen, and these giant corporations."

Amazon hints at consumer consent issue

O'Leary said when computer cookies, or data used by websites to identify a user, were developed and embedded into the users' internet experience, tech giants like Amazon and Google understood the power of that feature before the average consumer did.

"They were able to advertise, specifically, to folks and guide consumer decisions without the consumers knowing," he said.

GDPR was developed to ensure consumers were provided more transparency about their online experience and given more agency over how their data is used, which is why O'Leary said he believes the hefty GDPR fine leveled against Amazon is about consumer consent.

I'm wondering if this is signaling that these larger, more complex investigations are coming to an end and we're going to start seeing some dominoes fall here.
Ryan O'LearyResearch manager, IDC

O'Leary said options like consent to process user data is often embedded deep inside lengthy terms and conditions from companies like Amazon and are often nonnegotiable.

But Article 7 of GDPR states that if the consent to process user data is buried within a lengthy declaration concerning other matters such as terms and conditions, it needs to be specifically called out and made clear as to what users are consenting to.

"We don't really have a good test case for what unlawful processing in the context of advertising and terms and conditions looks like under GDPR, so I think that's what this is going to be about," he said.

Indeed, an Amazon spokesperson said there has been no data breach and no exposure of customer data to any third party -- pointing to the fine being aimed at something else.

"The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation," according to an Amazon spokesperson.

O'Leary pointed out that GDPR is still nascent, having become a law in 2018. Although data breaches addressed by GDPR have been "cut and dried," other aspects of data privacy, such as consent, were less straightforward and, likely, needed further investigations before they could be enforced, he said..

"I'm wondering if this is signaling that these larger, more complex investigations are coming to an end, and we're going to start seeing some dominoes fall here," O'Leary said.

Indeed, Alan Pelz-Sharpe, founder of consulting firm Deep Analysis, said the Amazon GDPR fine shows a seriousness from the EU to regulate big tech not just for data breaches, but for data privacy practices.

"GDPR was designed to protect personally identifiable information [PII] and ensure data privacy; it's not limited to simply pulling data out of a jurisdiction without consent or in suffering a data leak," he said. "It is about how you make use of PII, not just how and where you store it. That's important and something all the big tech firms should have … already been aware of."

Also this week

  • The Federal Trade Commission is adjusting its merger review process to deal with a surge in merger filings. Due to constrained resources, if it is unable to fully investigate mergers within normal timeframes, the FTC will send letters alerting companies that its investigation remains open if companies decide to move forward with the merger. "Companies that choose to proceed with transactions that have not been fully investigated are doing so at their own risk," Holly Vedova, FTC Bureau of Competition acting director, wrote in a blog post.
  • In a July 30 hearing regarding a U.S. antitrust lawsuit against Google for its search practices, Google sought to compel Microsoft to hand over documents related to its Bing search engine, Internet Explorer and Edge. The company failed to comply with a subpoena to turn over the documents served about three months ago, according to a court filing. Google claimed the documents will show if Microsoft was hindered in its competition with Google or simply failed to successfully compete.
  • Twitter's payments firm Square Inc. will purchase Australian company Afterpay for $29 billion. Afterpay allows consumers to buy products now but pay later through interest-free installments. The move creates an online transactions giant, setting the company up to compete with banks and tech firms.

Elsewhere

  • The U.K. is considering stopping Nvidia's acquisition of chipmaker Arm Ltd., according to Bloomberg. The U.K.'s Competition and Markets Authority delivered a report to U.K. Culture Secretary Oliver Dowden in July on whether the deal could be anticompetitive or if it poses potential national security concerns. According to Bloomberg, sources have said the report contains worrying national security concerns regarding the deal, and the U.K. is inclined to reject the acquisition.

Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.

Dig Deeper on Risk management and governance