Amazon disclosed Friday that it had been fined €746 million by the Luxembourg National Commission for Data Protection (CNPD) because Amazon’s processing of personal data did not comply with the EU’s General Data Protection Regulation (GDPR).
The GDPR regulates data protection and privacy in the EU and the European Economic Area. It was passed in 2016 and implemented in May 2018. It levies fines, which are intended to be harsh, against those who violate its privacy and security standards.
Amazon disclosed the €746 million fine Friday in a US Securities and Exchange Commission (SEC) filing. This is the largest fine that has ever been issued, although regulators are allowed to issue fines up to four percent of a company’s revenue.
The fine was actually issued on July 16, and the CNPD ordered Amazon to revise some of its business practices. Amazon noted these only as “corresponding practice revisions,” without disclosing which business practices it was ordered to revise.
In the filing, Amazon asserted that it intends to appeal the ruling, writing: “We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.” An Amazon spokesperson said that there was no data breach, nor had any customer data been exposed to third parties.