Amazon’s GDPR Penalty

Amazon has had a rough go of it this past week, as punitive measures came down from Luxembourg’s National Commission for Data Protection for an alleged violation of GDPR.  A major case, the fine imposed is around $887 million, setting the high mark of fines so far under the European data security regulation.

Amazon is accused of having improperly obtained customers’ personal data, accessing it without getting permission first.  People like to think their information is secure when browsing the biggest online platforms, but the reality can clearly be otherwise.  It’s mind-boggling that Amazon would have been so cavalier about such a basic measure of data security, but here we are.  The corporate giant has, of course, objected to the decision, and vowed to fight “vigorously” against it.  It insists that its actions do not warrant a penalty of this scale, which the Luxembourg data authorities overstepped in levying.  Based on what we know so far, this seems hard to believe.

Nevertheless, cases like this one show the teeth of the three year old standard, unafraid to go after the biggest names around.  GDPR enforcement has been constantly escalating as companies of all sizes find themselves out of compliance, providing insufficient protection around the collection, storage and use of user data.  Recent years have already seen massive fines against giant firms like British Airways, Google, and Marriott Hotels, after each ran afoul of the EU’s aggressive regulations.  It’s not so surprising that organizations are still scrambling to reach compliance with GDPR, CCPA, or their many local derivatives worldwide.  Since stolen data consistently provides hackers with more and easier profits, every effort must be made to prevent a fruitful breach.

Whatever ultimately comes of this case, the lesson is that if an entity like Amazon can be held accountable for data negligence, no one is above responsibility.