Amazon announced that it has been fined 746 million euros -- $887 million -- for violating the EU's General Data Protection Regulation (GDPR) rules on how to process personal data.
The notice, buried within the latest SEC filing from Amazon, said the decision was made by the Luxembourg National Commission for Data Protection (CNPD) on July 16. The CNPD did not respond to requests for comment.
Alongside the fine, Amazon said the decision also imposes "corresponding practice revisions."
In the SEC filing, Amazon said, "We believe the CNPD's decision to be without merit and intend to defend ourselves vigorously in this matter."
In a statement to ZDNet, Amazon said, "There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD's ruling, and we intend to appeal."
"The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation," the company added.
The GDPR has been in effect across the EU since 2018 and has made quick work of fining hundreds of companies for data privacy violations.
The Amazon fine is the biggest that has ever been issued. British Airways was fined more than $254 million in 2019 before the fine was reduced to about $30 million. Google faced a $57 million fine in 2019, which was considered the highest fine until Amazon's. Regulators are allowed to issue fines up to 4% of a company's revenue.
The Amazon fine was the result of a 2018 collective complaint filed by French privacy rights group La Quadrature du Net on behalf of 10,000 others.
In a blog post, the group said the "advertising targeting system imposed by Amazon" was being carried out "without our free consent." They bashed Amazon for implying that the ruling was connected to a breach and said their real target was Amazon's targeted advertising methods.
"It is the targeted advertising system itself that our complaints intend to wipe out as a whole, and not a few occasional security breaches. This historic sanction strikes at the heart of the GAFAM predation system and should be applauded as such," La Quadrature du Net said.
"While the enthusiasm of 2018 began to leave us and we feared that the legal fight against GAFAM had become impossible, it is from Luxembourg that our initial hope returns to us. The model of economic domination based on the exploitation of our privacy and our free will is deeply illegitimate and contrary to all the values that our democratic societies claim to defend. We will therefore continue to fight against this domination, with your help."
Privacy expert Cillian Kieran added that there was symbolic value to the fine issued against Amazon but echoed what La Quadrature du Net said about the need to transform the way companies deal with personal data.
He noted that multiple companies, like British Airways, have been able to appeal fines and reduce them significantly due to the small budgets of regulator offices and armies of lawyers at the beck and call of companies like Amazon.
Kieran, CEO of privacy company Ethyca, added that the high amount of this fine suggests what privacy observers have noted over the last eighteen months: the hands-off approach during COVID-19 was fading and an era of more aggressive enforcement measures was beginning.
Regulator actions are reflecting the "maturation of the law and the expectation that privacy is now 'table stakes' for business operations in Europe."
"Transformation of the underlying problem -- the data practices -- is what's necessary: compelling the organizations to correct their practices, better respect users' data, and face enforced penalties for non-compliance," Kieran said.
"The fine makes the headlines, and it is significant whether it comes to fruition. But for a company as well-resourced as Amazon, systemic changes to how they treat individuals' data will be more consequential in the long term."