Sources told the newspaper that Luxembourg’s data protection agency, the CNPD, has drafted a decision sanctioning Amazon’s privacy practice and proposing the fine among 26 other EU nations. The CNPD serves as the EU’s top privacy regulator for Amazon, because the eCommerce giant has its EU headquarters in Luxembourg.
The case stems from Amazon’s collection and use of personal data in a way that allegedly violates Europe’s General Data Protection Regulation (GDPR), sources said, although they declined to provide specifics. Amazon declined to comment, but has previously said it complies with the law in every country in which it does business.
The Journal notes that the decision is not yet final. It must be approved by other EU privacy bodies, which could take months and could lead to a higher or lower fine. EU law allows regulators to fine up to 4 percent of a company’s yearly revenue. The fine proposed in Luxembourg would be half that amount.
A source told the Journal that the CNPD has received some objections to its decision, including at least one saying that the fine should be greater.
The CNPD investigation is part of a new push to enforce privacy laws against Big Tech in Europe. In Ireland — where Google, Apple and Facebook all have EU headquarters — the privacy regulator expects to make draft decisions against Big Tech companies in the coming year.
In one case, Facebook could face fines of between 30 million and 50 million euros for alleged data-sharing violations involving its WhatsApp app.
Amazon is already facing another legal battle in the EU, filing suit against the body in a case involving the Italian Competition Authority.