Luxembourg’s top privacy watchdog has issued a fine of 746 million euros, or about $887 million, to Amazon.com Inc. over its user data processing practices, the company disclosed in a regulatory filing today.

The Luxembourg National Commission for Data Protection found that Amazon processed personal information in a way that breached the European Union’s General Data Protection Regulation. The $887 million fine is the largest penalty issued to date over a GDPR privacy breach since the law was implemented in May 2018.

“On July 16, 2021, the Luxembourg National Commission for Data Protection (the “CNPD”) issued a decision against Amazon Europe Core S.à r.l. claiming that Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation,” Amazon said in the regulatory filing. “The decision imposes a fine of €746 million and corresponding practice revisions. We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”

Besides paying a fine, Amazon has also been ordered to change certain business practices.

It’s unclear exactly what aspect of Amazon’s data processing practices was found to have breached GDPR. However, a spokesperson for Amazon provided a number of key details in a statement issued to CNBC. “There has been no data breach, and no customer data has been exposed to any third party,” the spokesperson said. 

The company also disclosed that the data processing practices cited as the reason for the fine relate to its advertising business. Amazon, best known for its online e-commerce marketplace and cloud computing platform, also has a multibillion-dollar online advertising unit. That unit is believed to account for the bulk of the “Other” segment of Amazon’s revenue, which jumped 83% in constant currency last quarter to $7.9 billion.

“We strongly disagree with the CNPD’s ruling, and we intend to appeal,” the Amazon spokesperson told CNBC. “The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

“In view of the recent GDPR-related litigation in the EU and available jurisprudence, the fine, however, indeed seems to be excessive and will likely be significantly reduced on appeal,” commented Ilia Kolochenko, founder and chief executive of cybersecurity company ImmuniWeb. “Amazon will undoubtedly endeavor to win the case in court on appeal.”

Online advertising providers collect data on users’ interests to deliver personalized promotions and thus help advertisers generate more sales. The way tech giants collect this data has also come under scrutiny on another occasion recently.

Google LLC earlier this year announced plans to phase out a technology called third-party cookies that brands use to deliver personalized ads. The search giant is looking to remove third-party cookies from Chrome in favor of a new machine learning system dubbed FLoC aimed at improving privacy, while enabling brands to continue delivering personalized ads. But FLoC has faced criticism from other tech companies and, in June, the European Commission announced plans to look into the system as part of a broader antitrust probe focused on Google’s ad business.

Shortly after the probe was launched, Google said it would delay the rollout of FLoC until mid-2023.

The second-largest GDPR privacy fine ever issued behind the $887 million penalty that Amazon disclosed today was received by Google in 2019. Like the Amazon decision, that 2019 fine related to targeted advertising.

France’s data protection regulator ordered Google to pay 50 million euros for not disclosing with sufficient clarity the way it collects users’ information and how the information to deliver ads. Officials also found that the search giant didn’t meet certain regulatory requirements when asking for consumers’ permission to use their data.

In the case of Amazon, the $887 million fine was issued by the Luxembourg National Commission for Data Protection because the company’s European Union headquarters is based in Luxembourg. The fine was not entirely unexpected. Last month, the Wall Street Journal reported that the watchdog circulated a draft version of its privacy decision against Amazon with other national data protection agencies.

Image: Amazon