According to Amazon’s July 2021 quarterly report, the tech giant was found in violation of the EU’s General Data Protection Regulation (GDPR) and fined an eye popping €746 million ($883 million).
While specific details on Amazon’s privacy violation were scant, they join the ranks of Google, H&M and Telecom Italia for running afoul of GDPR’s regulations, with the added distinction of having the single biggest fine levied against it to date.
What does Amazon’s fine mean for the future of GDPR?
On paper, GDPR is one of the strictest privacy laws in the world, with the ability to issue fines equal to 4 percent of global operating revenue which, since coming into effect in May 2018, has amounted to nearly $332 million in fines.
However, given the global scale of some of the companies found in violation, the fines to this point have been mostly bark and a little bite when it comes to holding these organizations to its privacy standards.
EU regulators are clearly looking to change that perception.
According to WIRED UK, “[Amazon’s fine] is more than double the amount of every other GDPR fine combined…[and] comes at a time when GDPR is feeling the strain of lax enforcement and measly fines.”
What’s going on with GDPR enforcement?
Amazon is no stranger to accusations of privacy violations.
In 2020, they were fined by the French watchdog agency CNIL for improper use of cookies and lawsuits have been filed in multiple US states citing concerns around the company’s voice activated Alexa devices.
Naturally, Amazon will appeal the decision, noting that they believe the “decision to be without merit and intend to defend ourselves vigorously in this matter.”
If history is anything to go by, the final payout is unlikely to be the full €746 million euros. For instance, British Airways was originally fined $256 million for a data breach but eventually settled with the UK’s ICO at $28 million.
Past performance is no guarantee of future results, however, as GDPR enforcement has only increased in the last few years and appears to be gaining more traction.
A 2021 survey by DLA Piper on data breaches found that there has been double digit growth year over year in both the total number and value of fines issued under GDPR.
Moreover, Ross McKean, Chair of DLA Piper’s UK Data Protection & Security Group Fines, commented that “European regulators have shown their willingness to use their enforcement powers. They have also adopted some extremely strict interpretations of GDPR setting the scene for heated legal battles in the years ahead.”
How your organization can avoid GDPR fines
As we’ve written about before, adhering to privacy standards is more than just following the rules laid out in legislation—data protection and privacy is frequently and specifically called out in business agreements and contracts. This means everyone from your employees to business partners and vendors could be on the hook and liable for leaked or stolen information.
With EU regulators clearly ramping up the pressure on organizations to stay compliant with keeping information safe and accessible only to the right parties, risk mitigation hinges on having an effective record retention schedule and integrated information governance program.
In short, it comes down to three major things:
- Only collect the data you need
- Understand exactly where the data is stored and how it is used
- Be prepared to show proof that you are protecting your data and responsibly managing/destroying it according to an applicable retention schedule.
To learn more about how you might best protect and manage your information and prevent GDPR fines, check out this guide: Data Privacy for the Information Professional.
