April 15th, 2025
Luxembourg Administrative Court confirms an unprecedented €746,000,000 fine and a daily penalty of €746,000 imposed on Amazon by Luxembourg’s national data protection authority.
An Examination of GDPR Enforcement and Due Process
Introduction. In a significant legal battle concerning data protection and regulatory compliance, Amazon Europe Core Europe SARL (Amazon) has challenged the decision of the Luxembourg National Commission for Data Protection (CNPD) following a substantial fine imposed for alleged violations of the General Data Protection Regulation (GDPR). This article delves into the intricacies of the case, highlighting the legal arguments presented, the court’s reasoning, and the broader implications for data protection enforcement.
Background. The case emanates from a complaint lodged in May 2018 by the French advocacy association La Quadrature du Net (LQDN) with the Commission Nationale de l’Informatique et des Libertés (CNIL) in France in relation to Amazon’s personal data processing practices. In the context of the European cooperation governed by Articles 60 and 62 of the GDPR, the Luxembourg CNPD was identified as the lead supervisory authority competent in accordance with Article 56 of the GDPR.
The CNPD undertook an analysis of Amazon’s compliance with the GDPR in respect of gathering information via “cookies” to determine relevant advertising based on its customers’ interests.
On 15 July 2021, the CNPD issued a decision against Amazon, imposing a fine of €746,000,000 for breaches of various GDPR provisions while requiring it to take corrective measures within 6 months of notification, subject to a daily penalty of €746,000. Subsequently, Amazon lodged an appeal with the administrative court on 15 October 2021, seeking both the annulment of the CNPD’s decision and a suspension of its enforcement pending the appeal’s outcome.
CNPD’s Findings. Primarily, the CNPD found that Amazon’s practices failed to comply with the most basic principle of the GDPR, namely the need for a lawful basis for processing personal data under Article 6 of the GDPR. It further found failures to comply with transparency obligations and violations of data subjects’ rights, particularly Articles 12 to 17 and 21 of the GDPR. The CNPD rejected Amazon’s reliance on Article 6(1)(f) of the GDPR, “legitimate interests pursued by the controller or by a third party”, as a lawful basis for processing.
Amazon’s failings. Transparency, complexity, impact on individuals, inadequacy of corrective measures.
Severity of Breaches: The CNPD emphasized the seriousness and duration of the breaches in its analysis, asserting that the violations persisted from at least May 25, 2015, until the start of the investigation. It also highlighted that the number of affected data subjects and the potential harm they could suffer were significant factors justifying the sanctions imposed.
In 2019, Amazon created a substantial number of advertising profiles as follows:
- 560,300,000 active European advertising profiles linked to terminal equipment associated with authenticated visits to an Amazon site, with an additional 317,900,000 profiles that have been inactive for 9 months.
- 1,591,000,000 active profiles relating to non-authenticated visits to an Amazon site, with an additional 979,300,000 profiles that have been inactive for 9 months.
- 5,786,600,000 active profiles established based on unauthenticated terminal equipment that has not visited an Amazon site, with 7,813,900,000 profiles that have been inactive for 9 months.
Justification of Sanctions: The CNPD defended the imposition of a substantial fine, arguing that it was necessary to ensure compliance and deter future violations. The CNPD contended that the fine was effective, dissuasive, and proportionate based on the criteria established in Article 83 of the GDPR.
Quantum. Under the GDPR (Article 83(4)), Amazon was exposed to a maximum fine of 4% of the worldwide turnover of its United States parent; however, the CNPD chose to impose a fine corresponding to 0.24% of the said turnover. We note that 0.24% corresponds to the current lower range of registration tax (droit d’enregistrement) for certain Luxembourg transactions.
Amazon’s Due Process Arguments. In its defense, and surprisingly, Amazon heavily relied on due process arguments rather than tackling the challenges that the CNPD posed to its “cookies” practices.
Amazon argued that the fines imposed by the CNPD were criminal in nature, thus entitling them to procedural guarantees under Article 6 of the European Convention on Human Rights (ECHR) and Article 47 of the Charter of Fundamental Rights of the European Union. They contended that the CNPD had failed to provide a fair trial, citing procedural flaws and insufficient reasoning in the CNPD’s decision.
Specifically, Amazon pointed out that the sanctions imposed under Article 83 of the GDPR are of general application, apply to any controller, and require a finding of guilt and liability. They noted that the amount of the fine was substantial (€746 million), and they argued that this fine represented a severe penalty, which reinforced their claim that the sanctions should be viewed as criminal.
In the context of arguing that the fines imposed by the CNPD were criminal in nature, which would require the associated procedural guarantees, including the principle of culpability, Amazon contended that the concept of culpability necessitates determining the degree of culpability—whether it was intentional, reckless, or negligent. Amazon asserted that conduct that does not reach the threshold of negligence should not serve as the basis for a criminal fine. Furthermore, Amazon maintained that the CNPD’s decision did not establish that it had culpably infringed the GDPR.
Amazon went on to claim that the administrative procedure lacked objectivity and impartiality, asserting that the CNPD’s structure created a conflict of interest, given that the same body conducted investigations and made adjudications. Additionally, the plaintiff criticized the CNPD for failing to allow access to crucial documents from other supervisory authorities, which they argued hindered their ability to defend against the allegations effectively.
Astonishingly, Amazon challenged the composition of the CNPD’s panel by arguing that one of the commissioners had served beyond the maximum legal term of 12 years, which violated the provisions set out in the Law of 1st August 2018. Amazon contended that due to this unlawful duration of office, the panel was not competent to take the disputed decision, rendering the decision itself unlawful. They framed this situation as a “usurpation of power,” indicating that decisions made by a person whose term had expired would be considered void or non-existent.
Amazon further asserted that the independence of the CNPD was compromised because a commissioner serving beyond the legal limit undermined the institution’s integrity and independence, which are essential for ensuring fair and impartial adjudication. They argued that the irregularity in the composition of the panel violated their rights to a fair trial and defense.
Amazon’s defenses to its GDPR breaches.
The Luxembourg court recalled the three cumulative conditions set out in the CJEU’s ruling in Fashion ID (C-40/17) for being able to rely on “legitimate interest” (Article 6(1)(f) of the GDPR) as a lawful basis for data processing, namely (i) the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data is disclosed, (ii) the necessity of the processing of personal data for the realization of the legitimate interest pursued, and (iii) the condition that the fundamental rights and freedoms of the data subject do not prevail.
Legitimate interest. Amazon put forward four legitimate interests: (i) Amazon’s own interest in providing useful and tailored advertising to its customers enabling them to browse the vast catalog, (ii) the interest of brands, manufacturers, vendors and other businesses relying on the plaintiff to advertise their products online, (iii) the interest of website publishers relying on the plaintiff to generate revenue from the sale of their advertising space to advertisers and other interested buyers and finally (iv) the interest of the European community at large, materialized, according to Amazon, by the growth of the Internet economy in the European Union. It should be noted that the CNPD refused to take that final element into account.
Necessity. Amazon argued that it had adopted multiple protection measures demonstrating that “there would have been no less intrusive means of achieving its legitimate interest effectively”, and notably that the following technical and organizational measures were undertaken: (i) an opt-out option, (ii) pseudonymization of personal data, (iii) accessible information notices, (iv) restrictions on the processing of personal data revealing certain categories of personal data (inter alia race, ethnic origin, political opinions), (v) “short storage” periods of a maximum of 13 months, (vi) restrictions on contracts concluded with third parties, and (vii) a ceiling on the frequency with which a person would be exposed to a given advertisement.
Amazon further criticized the CNPD for failing to take due account of its claim that it used only the minimum amount of data for its processing activity in the context of behavioral advertising, arguing that it eliminated over 99% of the available information on its customers’ purchasing behavior and integrated only the remaining percentage into the pseudonymized profiles.
With respect to “cookies” on third-party websites, Amazon argued that “as of December 2020, 99.5% of “cookies” displays by it on third-party websites would concern customers who had given their consent, so that for these advertisements, the company would no longer rely, as a legal basis for personal data processing, on the concept of legitimate interest within the meaning of Article 6(1)(f) of the GDPR.”
Court Findings. The administrative court examined the admissibility of the appeal and the substantive arguments raised by Amazon. The court noted that the CNPD had sufficient grounds for its decision and that the imposition of a fine was legally justified under the GDPR. It was also found that the CNPD had adequately explained the reasoning behind the fine, which was deemed proportionate and necessary given the extent of the violations. Amazon was not successful in any of its arguments.
The court did not accept Amazon’s claim that the penalty imposed by the CNPD was a criminal sanction. It concluded that the nature of the violations and the penalties under the GDPR were administrative in nature, which meant that the CNPD was not classified as a judicial body under Article 6 of the ECHR. The court found that while the penalties could be severe, they were consistent with administrative enforcement rather than criminal law. It emphasized that the CNPD had the discretion to impose fines and that such administrative fines do not necessarily carry the same procedural guarantees as criminal penalties. The court also noted that the CNPD’s actions were within the framework of the GDPR and Luxembourg law, which allows for such administrative penalties without requiring the same guarantees as criminal law.
The court ultimately dismissed Amazon’s plea regarding the breach of principles of due process and the right to a fair trial. It noted that Amazon had been given ample opportunity to present its case and that the CNPD’s decision had met the necessary legal standards of reasoning.
The court found that Amazon acted negligently in breach of several articles of the GDPR, specifically Articles 6, 12 to 17, and 21. The court noted that the breaches were duly established and indicated that the company had not adopted sufficient corrective measures to comply with the requirements of the GDPR.
Court’s attitude towards Amazon’s mitigating protective measures.
Pseudonymization. The court found that pseudonymization did not sufficiently mitigate the breaches that were established against Amazon. The court emphasized that the breaches of the GDPR were serious, affecting a large number of individuals and persisting over several years, which outweighed the mitigating circumstances presented by Amazon.
Opt-out mechanism. The court found that the opt-out mechanism did not fully comply with the requirements of Article 21 of the GDPR. Specifically, the court noted several criticisms regarding the mechanism:
- Limited Scope: The opt-out mechanism did not cover certain treatments, such as personalized recommendations. It was pointed out that individuals wishing to stop the processing of their personal data for personalized recommendations had to take additional steps beyond simply opting out of behavioral advertising.
- Accessibility: The court mentioned that the accessibility of the opt-out mechanism via the “AdChoices” icon was inadequate, as the icon was small and did not provide clear information about the possibility of accessing the web page to exercise the right to object.
- Retention of Choices: The court highlighted that the opt-out mechanism did not retain the choices made by the data subjects effectively. If a data subject exercised their right to opt out and then logged in from a new device or after deleting cookies, the preferences page would revert to indicating that they wished to receive behavioral advertising.
- Delay in Data Deletion: The court also pointed out that the company did not delete personal data as soon as possible following the opt-out exercise, which is a requirement outlined in Article 17 of the GDPR.
Overall, the court concluded that the opt-out mechanism was insufficient and did not meet the established requirements.
Information received from third-party websites. The court found that Amazon failed to comply with its obligations under Articles 12 to 14 of the GDPR, specifically regarding transparency and providing information to data subjects. The court noted that Amazon’s notices did not adequately inform data subjects about the categories of third parties receiving data or the specific details of those third parties. For example, it was held that the references to third parties were too vague, stating merely that personal data were transmitted to “advertisers, publishers, social networks, search engines, ad publishing companies”, which did not meet the requirement for specificity as outlined in the GDPR.
Moreover, the court emphasized that Amazon’s notices did not clearly indicate the sources of demographic data collected from third parties, failing to provide sufficient detail regarding the types of data and the third parties involved. This lack of specificity in informing data subjects about third-party involvement and the nature of data collection was a crucial factor in the court’s conclusion that Amazon did not meet its transparency obligations under the GDPR.
Limitation on retention period. The court dismissed Amazon’s argument regarding the limitation on the retention period for personal data. It stated that Amazon neither asserted nor established that it deletes the personal data at issue as soon as possible following the exercise of the opt-out by the person whose data was collected and processed. The court noted that the company’s explanations were limited to arguing that such deletion would have no tangible impact on the data subjects and that it would no longer provide personalized behavioral advertising once the right to object had been exercised, which was deemed irrelevant concerning the right to erasure. Consequently, the court found that the breach of Article 17 of the GDPR still existed at that time.
In its assessment of Amazon’s practices, the court noted that, with regard to the nature, volume and retention period of the personal data collected and processed by the applicant, Amazon has failed to establish the necessity of the processing of the said personal data, as carried out by it in practice, in the context of its behavioral advertising or otherwise “cookies” practices.
Quantum. The court upheld the fine imposed on Amazon by the CNPD, declaring that the main action brought by Amazon was unjustified. The court found that the CNPD had properly established the breaches of the GDPR and that the fine of €746,000,000 was effective, proportionate, and dissuasive.
The court rejected Amazon’s claims that the fine was disproportionate and emphasized that the CNPD had taken into consideration all relevant factors set out in Article 83(2) of the GDPR when determining the amount of the fine. It noted that the breaches had affected a significant number of individuals over several years and that the fine was within the permissible limits set by the GDPR.
Furthermore, the court found that Amazon had acted negligently in relation to the processing of personal data and that the CNPD’s decision to impose the fine was justified. The court also dismissed Amazon’s arguments regarding the need for additional reasoning related to the fine and the daily penalty payments associated with corrective measures.
Our take. Notwithstanding Amazon’s extensive attempts to use procedural tactics to thwart the CNPD’s fine, the most bizarre of which, in our view, was the use of the ECHR, Amazon failed to establish the basic premise of the GDPR, namely the need to have a lawful basis for processing personal data. Amazon could have easily resorted to “consent” as a lawful basis for processing but chose not to. In this respect, we take the view that Amazon was not just “negligent” (using the court’s words); it was reckless in that it took a risk with its approach to what constitutes a lawful basis of processing and stretched the definition to breaking point. Historically, Amazon built a significant customer base by way of “cookies”, third-party “cookies” and third-party web referrals, which generate significant traffic to its site(s). Amazon failed to adapt to a post-GDPR world where enforcement was stricter, with more draconian measures available to data protection authorities to enforce data privacy and deter misconduct. In this context, we note that in our newsletter of October 2018 we highlighted the high potential for litigation following the implementation of GDPR.
The Luxembourg court’s affirmation of the CNPD’s authority to impose significant fines reflects a robust commitment to upholding data protection standards in the EU. After lengthy proceedings that lasted close to 4 years, Amazon was defeated on all grounds.
Furthermore, although the Luxembourg Administrative Court responded thoroughly to procedural fairness and due process arguments, Amazon ought to have “read the writing on the wall” following the €35,000,000 fine imposed on it by the CNIL and focused its efforts on a revised compliance program.
Amazon indicated its desire to appeal the case, and the administrative court approved suspending the imposed fine. We take the view that, unless Amazon can demonstrate a lawful basis for processing, its appeal is unlikely to be successful.
Conclusion. The legal dispute between Amazon and the CNPD illustrates the ongoing tension between commercial objectives and the strict framework of GDPR compliance. The case provides a good illustration of the strict and rigorous analysis that data controllers need to undertake prior to processing personal data. In addition, the case highlights the current challenges of using the digital advertising technology of “cookies”. Personalization use cases depend on third-party cookies. If a user opts out of this tracking application, e-commerce actors lose the ability to track them across platforms and, subsequently, to deliver tailored ads. The current trend in the market is to abolish third-party cookies, so e-commerce actors will no longer be able to track users across different websites.