News Plus 2 Aug 2021 - 4 min read

‘No data breach’: Amazon to fight AU$1bn fine for targeted ad GDPR violation

By Sam Buckingham-Jones - Senior Writer

“This is not an aberrant decision by a rogue regulator, and Amazon has a steep hill to climb,” one privacy expert says.

Luxembourg’s privacy regulator has hit Amazon with a €746 million fine for breaching GDPR. While few details of the case have been released, it relates to “the system of targeted advertising”, according to the French organisation that made the complaint.

What you need to know:

  • Amazon has been fined €746 million for breaching Europe’s GDPR by a regulator in Luxembourg.
  • Amazon said the case is “without merit” and it will appeal.
  • The fine stems from a May 2018 complaint by French organisation La Quadrature du Net on behalf of 10,000 people. The group claims the ruling is related to Amazon’s use of targeted advertising.   
  • Luxembourg’s regulator initially proposed a smaller fine, but it was doubled after other European regulators saw details of the case.
  • Experts say it has profound implications for Amazon’s business model.

Amazon has been fined more than AU$1.2 billion (€746 million) by a European privacy watchdog for breaching the General Data Protection Regulation through its use of targeted advertising, but few details about the breach have been released.

Luxembourg’s National Commission for Data Protection said "Amazon’s processing of personal data did not comply" with GDPR and has ordered Amazon to revise some undisclosed business practices. Amazon strongly disputes both the ruling and the fine, which emerged as part of a financial update released by the company.

The fine comes after legal action taken by French organisation La Quadrature du Net (“Squaring the Net”) on behalf of 10,000 people in May 2018.

In a statement, the group said: “The targeted ad system that Amazon forces onto us is not based on free consent, which is a violation of GDPR… It is the system of targeted advertising itself, and not merely occasional security breaches, that our legal action attacked. This historic fine hits straight to the heart of Big Tech’s predatory system, and should be celebrated as such.”

Amazon says no data breach, fine “out of proportion”

Amazon said it intended to appeal the fine and that it “strongly disagrees” with the ruling.

“Maintaining the security of our customers’ information and their trust are top priorities,” an Amazon spokesperson told CNBC.

“There has been no data breach, and no customer data has been exposed to any third party,” they added.

“These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

GDPR laws allow watchdogs to levy fines of as much as 4 per cent of a company’s annual global sales. The fine against Amazon is almost 15 times larger than the previous highest fine, €50 million for Google by France’s watchdog, CNIL.

Amazon's share price plunged more than 7 per cent with the release of its results last week, with revenue below what analysts expected. Over the last five days the share price is down 9.5 per cent, wiping some $170bn off its market cap.

Beyond necessary data harvesting

Wayne Matus, a privacy compliance lawyer and co-founder of SafeGuard Privacy, said the decision has major implications for Amazon’s business model. He said La Quadrature du Net alleged Amazon does not need to use personal data beyond the performance of the contract to deliver goods, and there is no legal basis to profile users’ tastes and lifestyles.

“Plainly, the Luxembourg regulator agreed. More significantly, since the fine originally proposed was increased from $425 to $885 million after a draft decision was circulated among all EU regulators, the consensus among EU regulators is that Amazon’s business model is inconsistent with the GDPR,” he wrote.

This is not an aberrant decision by a rogue regulator, and Amazon has a steep hill to climb.

A Europe-based privacy lawyer, Jan Spittka, said the fine works out to be “only” 1.7 per cent of Amazon’s Luxembourg-based entity, Amazon EU S.a.r.l, which earned €44 billion last year. “If we take last year’s global group turnover (€87.9 billion) it’s only 0.85 per cent. Maximum fine would be 4 per cent,” he said.

Amazon is also facing an anti-trust investigation from EU regulators, which have accused it of violating competition law by using non-public data. 

GDPR laws have posed targeting issues for other big tech companies. Google has been testing its post-cookie alternatives around the world, but has not tested its Federated Learning of Cohorts (FLoC) in Europe due to concerns it may be in breach of GDPR. There are increasing questions about whether it can push ahead with a solution that could be excluded from the lucrative European ad market.
