Amazon faces £637 million fine over GDPR violations
If confirmed, the penalty would be almost 15-times larger than the current record fine


Amazon is facing a potential €746 million (approximately £637 million) fine for the unlawful processing of personal data, following a GDPR ruling by Luxembourg’s data protection regulator.
The ruling was initially made on 15 July but only became public knowledge when mentioned as part of Amazon's latest quarterly earnings report. If it goes ahead, the fine would be the largest data protection penalty in industry history.
General Data Protection Regulation (GDPR) GDPR turns three: The biggest fines so far GDPR fines: Where does the money go?
This €746 million fine would represent a sum that’s more almost 15-times greater than the €50 million penalty that French data regulator CNIL administered against Google in 2019.
Amazon didn’t explain the specific basis for such a relatively large penalty in its legal filing, nor has the Luxembourg National Commission for Data Protection (CNPD) made the details around the case public.
The regulator confirmed with IT Pro, however, that the decision was made on the basis of the one-stop-shop principle set out in Article 60 of GDPR.
This means Luxembourg was nominated as the lead supervisory authority in a case against Amazon based on alleged violations that occurred across borders and in several EU territories. The CNPD was chosen to investigate Amazon because the firm’s European headquarters is based in Luxembourg.
The CNPD claims the nation’s own local data protection laws have bound the authority to “professional secrecy” when taking regulatory action. According to these laws, details about the case cannot be published - or publicised - until Amazon’s deadline for appeals expires.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Amazon said the regulator’s decision has been made without merit, and that it plans to defend itself “vigorously”. Although the firm is able to appeal the decision, the regulator didn’t indicate how long this process might take.
Despite such a large fine cited, there’s also every chance that it can be drastically lowered over the course of regulatory proceedings. For example, the UK’s Information Commissioner’s Office (ICO) had initially issued a notice of intent to fine BA and Marriott £183 million and £99 million respectively in July 2019. This was eventually watered down to £20 million and £18.4 million in October 2020, with the ICO citing a number of mitigating circumstances, including the economic effects of the pandemic.
RELATED RESOURCE
The controversial CLOUD Act
The effect on data protection and data security in Germany and the EU
Prior to GDPR coming into force, many businesses widely expected the new data protection laws to usher in an era of massive, eye-watering fines that would cripple businesses found to have fallen foul of the rules. This was based on the provision that an organisation can face a fine of up to €20 million or 4% annual turnover, whichever is higher.
In practice, however, such fines have been a rarity, despite a high volume of cases.
The Irish data protection regulator too, which is itself the lead supervisory authority in a number of cases against big tech giants, hasn’t yet worked through a lengthy backlog of legal challenges. So far, the Irish Data Protection Commission (DPC) has issued a €450,000 fine against Twitter, alongside a provisional decision in January 2021 to fine WhatsApp €50 million, although this is subject to legal review.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
M&S suspends online sales as 'cyber incident' continues
News Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
By Ross Kelly
-
Manners cost nothing, unless you’re using ChatGPT
Opinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
By Ross Kelly
-
Hackers are turning Amazon S3 bucket encryption against customers in new ransomware campaign – and they’ve already claimed two victims
News Attackers are using AWS’ server-side encryption to conduct ransomware attacks
By Solomon Klappholz
-
Amazon confirms employee data compromised amid 2023 MOVEit breach claims – but the hacker behind the leak says a host of other big tech names are also implicated
News Millions of records stolen during the 2023 MOVEit data breach have been leaked
By Solomon Klappholz
-
PowerEdge - Cyber resilient infrastructure for a Zero Trust world
Whitepaper Combat threats with an in-depth security stance focused on data security
By ITPro
-
Anticipate, prevent, and minimize the impact of business disruptions
Whitepaper Nine best practices for building operational resilience
By ITPro
-
Three steps to transforming security operations
Whitepaper How to be more agile, effective, collaborative, and scalable
By ITPro
-
Top ten ways to anticipate, eliminate, and defeat cyber threats like a boss
Whitepaper Improve your cyber resilience and vulnerability management while speeding up response times
By ITPro
-
Amazon's Ring agrees to $5.8m settlement over alleged use of its cameras to spy on female customers
The firm will also pay $25m for allegations Alexa stored child voice recordings indefinitely
By Rory Bathgate
-
The complete SaaS backup buyer's guide
Whitepaper Informing you about the realities of SaaS data protection and why an SaaS back up is essential
By ITPro