Amazon fined £636 million for GDPR breach


Amazon is facing a fine of £636 million for breaching the General Data Protection Regulation (GDPR). The huge fine is being issued by Luxembourg’s data protection regulator. It is the biggest GDPR penalty issued to date and is more than double every other GDPR fine combined. The ruling was made on 15 July. But the fine only became public knowledge when Amazon published its latest quarterly earnings.

Why has Amazon been fined?

According to an Amazon spokesperson, “There has been no data breach, and no customer data has been exposed to any third party.”

But when it comes to GDPR, it’s not just data breaches that matter.

The Regulation also sets out how organisations can use your personal information. Very little is known about this case, but Luxembourg’s National Commission for Data Protection claims Amazon’s processing of personal data breaches EU law as its advertising system isn’t based on “free consent”. Under GDPR, “consent must be freely given, specific, informed and unambiguous. To obtain freely given consent, it must be given on a voluntary basis.”

Amazon will appeal, and it is possible that the fine will be reduced. In the UK, the ICO’s fine against British Airways dropped from £184 million to £20 million, while Marriott’s was reduced from £99 million to just £18 million.

Nevertheless, with complaints that some tech giants have abused their power, this is a significant ruling against Big Tech, and 15 times larger than the current record fine against Google (€50 million). It shows that regulators are willing to scrutinise and punish large tech companies over privacy and misinformation concerns.

More than data breaches

Today, too many companies are failing to uphold our individual data rights. If you have suffered financial loss, distress or a loss of privacy caused by an organisation breaching any part of the GDPR/Data Protection Act (DPA), you have the right to claim compensation.

GDPR/DPA breaches include:

  • Not informing people that their personal data is being processed, or not obtaining the right consent. Under GDPR, people have a right to be notified if their personal data is being used or stored. A failure to do this is a data protection breach.
  • Failing to tell people how their personal data is being processed when asked. People have the right to ask how their data is being processed. This is called making a data subject access request (DSAR/SAR). A refusal to answer such a request within the legal timeframe is a GDPR breach.
  • Refusing to keep accurate records on a person. Individuals can challenge the accuracy of any personal data that an organisation holds about them and ask for it to be corrected, added to, or deleted. If an organisation fails to respond to such a request (without a good reason), this is a GDPR breach.
  • Not limiting how data is used on request. Individuals can request restrictions on the way an organisation uses their personal data. In some circumstances, they can also object to an organisation using their data at all. If an organisation fails to respond to such a request (without a good reason), this is a GDPR breach.
  • Making automated decisions that harm people and profiling individuals without their knowledge or consent. Under the GDPR, the processing of biometric data (such as images of a person’s face) and the use of automated decision-making, including profiling, are only allowed in very explicit circumstances. If an organisation uses technology that discriminates against individuals and automatically makes decisions that harm them, such technology would not be GDPR compliant.

Under the GDPR, an organisation can be fined a maximum of €20 million or 4% of annual global turnover – whichever is greater – for infringements of the data protection regulations. In the UK, GDPR fines are issued by the ICO. But this money goes directly to the Treasury, not to the victims of a personal GDPR breach. The only way to get GDPR breach compensation is to make a claim.

We make sure our clients are compensated for any GDPR breaches that impact their legal rights. When it comes to GDPR breach compensation amounts, each case will be judged on its own merits. But our expert GDPR lawyers will help you get the maximum compensation possible.


Contact Keller Postman UK to discuss a GDPR data violation.

In March 2024, our firm changed its name to KP Law. 
