A European Union privacy regulator has proposed a fine of more than $425 million against Amazon.com Inc., part of a process that could yield the biggest-yet penalty under the bloc’s privacy law, people familiar with the matter said.
Luxembourg’s data-protection commission, the CNPD, has circulated a draft decision sanctioning Amazon’s privacy practices and proposing the fine among the bloc’s 26 other national authorities, the people said. The CNPD is Amazon’s lead privacy regulator in the EU because Amazon has its EU headquarters in the Grand Duchy.
The Luxembourg case relates to alleged violations of Europe’s General Data Protection Regulation, or GDPR, linked to Amazon’s collection and use of personal data, and isn’t related to its cloud-computing business, Amazon Web Services, one of the people familiar with the matter said. The person declined to elaborate on the specific allegations against Amazon.
An Amazon spokesman declined to comment. The company has previously said the privacy of its customers is a priority and it complies with the law in all countries where it operates. A spokesman for the CNPD said the regulator wasn’t allowed to comment on individual cases.
Before the draft decision can become final, it must effectively be agreed by other EU privacy regulators, a process that could take months and lead to substantive changes, including a higher or lower fine.