The big data breach story of the week is that the Data Protection Commission in Luxembourg has issued a proposed decision penalising Amazon for a breach of the General Data Protection Regulation (GDPR).

Details of the data breach

Allegedly, the data breach relates to the collection and use of personal data without consent of the data subject. The definition of what constitutes valid consent was tightened significantly under GDPR and consent is now only valid if it is freely given, specific, informed and comprises an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The proposed decision has been circulated to the other 26 member state privacy authorities and must be agreed upon before it becomes final and issued. As you might expect, this is unlikely to be a quick process and could stretch on for months. We could also anticipate amendments to the decision and to the amount of the fine.

How much could the data breach fine be?

At its current level, the fine represents slightly more than 0.1% of Amazon’s $386.1 billion in annual revenue in 2020. As we are all aware, under GDPR, a company can be fined up to 4% of its global sales for the most severe infringements of the law. That means whilst businesses are already raising their eyebrows at the level of this fine, Amazon could potentially face a staggering maximum fine of €425million. We know that the EU authorities are keen to penalise these global companies and are focusing on the percentage of the fine against turnover, rather than the actual figures themselves. When Twitter was fined €450K in December last year, several of the EU authorities were vocal in their criticism that the fine was not higher.

The key question though, is not one of magnitude of the fine, but whether or not companies such as Amazon, twitter and Facebook will now start to demonstrate compliance with this important legislation. We all underwent a huge shift with regard to our data protection practices back in 2018 when GDPR (and our national Data Protection Act 2018) came into force and whilst we understand that smaller businesses can be more agile and respond more quickly to legislative changes, Amazon has had plenty of time to change its data collection practices so that it is compliant.

We shall watch the decision’s journey with interest.

Visit our data protection page on our website to find out how we can help you ensure your business is data compliant thereby protecting you from any potential data breaches.