According to Amazon’s July 2021 quarterly report, the tech giant was found in violation of the European data privacy law, the General Data Protection Regulation (GDPR). The violation resulted in an eye-popping €746 million ($883 million) fine.
While specific details on Amazon’s privacy violation were scant, it joins the ranks of Google, H&M, and Telecom Italia in running afoul of GDPR’s regulations, with the added distinction of having the single largest GDPR fine levied against it to date.
What does Amazon’s fine mean for the future of GDPR?
On paper, GDPR is one of the strictest data security and privacy laws in the world, with the ability to issue fines equal to 4 percent of global operating revenue; since the regulation came into effect in May 2018, those fines have amounted to nearly $332 million.
However, given the global scale of some of the companies found in violation, the fines to this point have been mostly bark and little bite when it comes to holding these organizations to their data security and privacy standards.
EU regulators are clearly looking to change that perception.
According to WIRED UK, “[Amazon’s fine] is more than double the amount of every other GDPR fine combined … [and] comes at a time when GDPR is feeling the strain of lax enforcement and measly fines.”
What’s going on with GDPR enforcement?
Amazon is no stranger to accusations of data security and privacy violations.
Naturally, Amazon will appeal the decision, stating that it believes the “decision to be without merit and intend to defend ourselves vigorously in this matter.”
If history is anything to go by, the final payout is unlikely to be the full €746 million. For instance, British Airways was originally fined $256 million for a data breach but eventually settled with the UK’s ICO at $28 million.
Past performance is no guarantee of future results, however, as GDPR enforcement has only increased in the last few years and appears to be gaining more traction.
A 2021 survey by DLA Piper on data security and privacy breaches found that there has been double-digit growth year over year in both the total number and value of fines issued under GDPR.
Moreover, Ross McKean, Chair of DLA Piper’s UK Data Protection & Security Group, commented that “European data privacy law regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead.”
How your organization can comply with European data privacy law to avoid GDPR fines
As we’ve written about before, adhering to data security and privacy standards is more than just following the rules laid out in legislation—data protection and privacy are frequently and specifically called out in business agreements and contracts. This means everyone from your employees to your business partners and vendors could be liable for leaked or stolen information.
With EU regulators clearly ramping up the pressure on organizations to keep information safe and accessible only to the right parties, risk mitigation hinges on having an effective record retention schedule and an integrated information governance program.
In short, it comes down to three major things:
- Only collect the data you need.
- Understand exactly where the data is stored and how it is used.
- Be prepared to show proof that you are protecting your data and responsibly managing and destroying it according to an applicable retention schedule.
To learn more about how you might best protect and manage your information and prevent GDPR fines, check out this guide: Data Privacy for the Information Professional.