We were promised huge fines and GDPR has finally delivered. Last week, Amazon’s financial records revealed that officials in Luxembourg are fining the retailer €746 million (£636m) for breaching the European regulation.

The fine is unprecedented: it’s the biggest GDPR fine issued to date and is more than double the amount of every other GDPR fine combined. The financial penalty, which Amazon is appealing, comes at a time when GDPR is feeling the strain of lax enforcement and measly fines. Experts say companies are allowed to get away with abusing people’s privacy as GDPR investigations are too slow and ineffective. Some people even want GDPR to be ripped up entirely.

But Luxembourg’s action against Amazon stands out for two reasons: first, it shows the potential power of GDPR; second, it exposes cracks in how inconsistently the regulation is applied across the EU. For both of these reasons it is arguably the most important GDPR decision issued so far.

“With so many large cases piling up in front of regulators, we were really waiting for one of those cases to be resolved to show that the GDPR basically has teeth,” says Estelle Massé, the global data protection lead at non-profit internet advocacy group Access Now. La Quadrature du Net, the French civil liberties group that originally made the complaint against Amazon, said that regulators had given it “hope” that legal action could be brought “against Big Tech”.

Despite the headline-grabbing fine, little is really known about the details of what Amazon has been fined for. The case was taken on by officials in Luxembourg as the country acts as Amazon’s main base in Europe. The tiny nation has historically been labelled as a tax haven – although accusations of Amazon avoiding tax in the country have been rejected by the European courts. But by fining Amazon, Luxembourg’s National Commission for Data Protection has, at least for the short-term, launched itself into the pro-privacy spotlight.

La Quadrature du Net’s original May 2018 complaint, which was filed on behalf of 10,000 people, claimed that Amazon’s advertising system isn’t based on “free consent”. But that’s about all we know. The Luxembourg regulator says it issued a decision against Amazon on July 15 but it hasn’t published any more details. A spokesperson for the authority says that “professional secrecy” laws in Luxembourg mean it can’t publish any details until an appeal process has been completed. And Amazon – which is incredibly data hungry – says it will appeal the fine.

“There has been no data breach, and no customer data has been exposed to any third party,” an Amazon spokesperson says. That’s all well and good, but companies don’t need to have suffered a data breach to break GDPR rules. The spokesperson goes on to claim that the ruling in Luxembourg, which concerns how Amazon shows customers “relevant advertising”, is based on “subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation”.

Amazon may have a point. It’s possible that any appeal process or negotiations may bring the fine down – last year the UK data protection regulator’s fine against British Airways dropped from £184m to just £20m. Another, against hotel group Marriott, was reduced from £99m to £18m.

The €746m Amazon fine is far bigger than anything that’s come before – a €50 million fine against Google holds the current record. While GDPR allows potentially huge fines to be issued, the reality is that it was always unlikely regulators would issue them. Up to the start of 2021, a total of €272m in GDPR fines had been issued by all of Europe’s regulators combined, according to analysis from law firm DLA Piper. Italy’s data protection body, which had issued €69.3m in fines, has led the way. Germany (€69m), France (€54m) and the UK (€44m) follow.

While that list contains some of the most populous countries in Europe, it doesn’t include Europe’s most important data protection authorities – Luxembourg and Ireland. Under GDPR laws, companies that operate across multiple countries in Europe can select one country – where their main office is based – to act as the nation where complaints are funnelled through. This process is called the one-stop-shop mechanism. Before a decision – which can include a fine or enforcement action that can make companies change their behaviour – is issued, all the European nations that are interested in the case are given a right to reply.

Amazon has selected Luxembourg as its main data protection regulator, and the complaint against it, which was first raised in France, was passed to authorities there. A number of major complaints against Facebook, Google, Twitter and Apple have been made to Ireland’s Data Protection Commission (DPC), where the companies have their European headquarters. To date, the Irish office has only made one ruling against a Big Tech firm since GDPR was introduced in May 2018 – a €450,000 fine against Twitter in December 2020; another, against WhatsApp, is pending.

Multiple people say the one-stop-shop is failing. “It’s not working,” says Romain Robert, a program director at European data rights group noyb. Robert claims the one-stop-shop system has caused GDPR complaints to become lost or has resulted in lengthy delays and breakdowns in communication. “There is no deadline in the one-stop-shop,” he says. “The procedure is so different in each member state that you have to know where you go.”

GDPR regulators, which are often underfunded and overworked, also aren’t happy about the setup. GDPR analysis published by Access Now in May 2021 shows the concerns of regulators. Those in Germany pointed to long delays. Ireland said it can be hard to determine which data protection group should be the ‘lead authority’ in each case. Sweden said different national approaches made it hard for countries to “cooperate effectively”. The complaints go on.

“It is a cumbersome system because it adds additional complexity to already very complex enforcement situations,” says Hielke Hijmans, chairman of the litigation chamber of Belgium’s data protection authority. A case involving the Belgian regulator, Facebook and how the one-stop-shop is applied went to one of Europe’s top courts, which reiterated that it is possible for countries to bypass the mechanism in some circumstances. “There is a lot of discussion around whether the system is sustainable in the long term, because of its cumbersome character and also because most big tech companies are concentrated in one or two member states,” Hijmans says.

The European Data Protection Board (EDPB), an independent body that was set up to promote cooperation between the EU’s data protection regulators, acknowledges that the system isn’t perfect. “Enforcing at a national level and at the same time resolving cross-border cases is time and resource intensive,” an EDPB spokesperson says. “While we are aware of these challenges and of others, the EDPB is not in favour of an overhaul of the GDPR or the one-stop-shop mechanism.” It says that “slowly, but steadily, we are seeing results” and that there have been 254 final decisions where the one-stop-shop has been successfully used.

So is there anything that can be done to improve the system? The EDPB spokesperson says that GDPR is a “long-term project” and it is working to “strengthen cooperation” between Europe’s regulators. But both Massé and Robert say things should go further. They say that some GDPR investigations should have timelines placed upon them – to stop them dragging on for years – and that regulators also need to move more swiftly. “We need to address those seemingly boring bureaucratic issues to make sure this actually works,” Massé says. “Those are issues that should be resolved and addressed at the EU level”.

Written by Matt Burgess, Wired