Why Amazon’s £636m GDPR fine really matters

We were promised huge fines and GDPR has finally delivered. Last week, Amazon’s financial records revealed that officials in Luxembourg are fining the retailer €746 million (£636m) for breaching the European regulation.

The fine is unprecedented: it’s the biggest GDPR fine issued to date and is more than double the amount of every other GDPR fine combined. The financial penalty, which Amazon is appealing, comes at a time when GDPR is feeling the strain of lax enforcement and measly fines. Experts say companies are allowed to get away with abusing people’s privacy as GDPR investigations are too slow and ineffective. Some people even want GDPR to be ripped up entirely.

But Luxembourg’s action against Amazon stands out for two reasons: first, it shows the potential power of GDPR; second, it exposes cracks in how inconsistently such regulations are applied across the EU. And for both of these reasons it is arguably the most important GDPR decision issued.

Online reputation rating: it is lawful if the operating mechanism of the algorithm is disclosed, says the Italian Supreme Court

By Order no. 14382/2021 the Italian Supreme Court ruled on the lawfulness of the personal data processing carried out through an online platform for measuring the reputation rating.

The Order was issued following the appeal brought by the Italian Data Protection Authority (DPA) against a decision of the Court of Rome of 4 April 2018, which had accepted the appeal brought by the association Mevaluate Onlus. The latter had challenged the decision of the DPA (commented upon here in our blog), which had prohibited any processing operation carried out by Mevaluate in connection with the services offered through the “Mevaluate Immaterial Infrastructure for Professional Qualification”.

New rules on protection of transfers of personal data outside European Union

Recently, there have been a number of important developments that affect how organisations facilitate the transfer of personal data out of the European Union in accordance with the EU General Data Protection Regulation (GDPR).

In brief, the developments are as follows:

  • A new set of official template clauses has been published by the European Commission to help organisations ensure that personal data transferred out of the European Union is protected – organisations that are considering implementing these clauses should be aware of some key dates.
  • The European Data Protection Board has released final form recommendations to help organisations assess the risks involved in transferring personal data outside the European Union and identify the appropriate supplementary measures to be implemented where needed.

Organisations that are subject to the GDPR and that are transferring personal data outside of the European Union and organisations that are receiving personal data from within the European Union are highly likely to be affected by these developments.

GDPR 3 years on – The greatest hits (and misses)


More than three years have passed since the GDPR applied and a lot has happened in the world of data protection during that time – fines, class actions, court challenges and more. We give our “playlist” of the greatest hits (and misses). Our previous article marking 12 months of GDPR had a cinematic theme. Now, we’re giving the three-year anniversary of GDPR a musical twist.

1. All the Single Ladies (credit to Beyoncé Knowles, Terius Nash, Thaddis Harrell, and Christopher Stewart)

Brexit: “If you liked it, you should[n’t] have put a [referendum] on it…”

The United Kingdom left the European Union and now has its own data protection regime in the form of the Data Protection Act 2018 and the UK GDPR. For now, this is largely based on the EU GDPR but we expect further divergence in future as the UK seeks to establish itself as a favourable place for overseas companies to do business.

Spain: the SDPA confirms that the clinical trials monitors should not sign a commissioning contract about the processing of data with the healthcare centers


The Legal Office of the Spanish Data Protection Agency (the “SDPA”) has issued on 17 June 2021 a legal report addressing various issues related to the processing of data in the context of health research in the form of clinical trials.

Specifically, this report analyzes the legal position of the sponsor, the monitor and the healthcare centers in relation to the processing of trial patient data, and in particular of the clinical history.

Amazon Gets Record $888 Million EU Fine Over Data Violations

Amazon.com Inc. faces the biggest ever European Union privacy fine after its lead privacy watchdog hit it with a 746 million-euro ($888 million) penalty for violating the bloc’s tough data protection rules.

CNPD, the Luxembourg data protection authority slapped Amazon with the record fine in a July 16 decision that accused the online retailer of processing personal data in violation of the EU’s General Data Protection Regulation, or GDPR. Amazon disclosed the findings in a regulatory filing on Friday, saying the decision is “without merit.”

The European Data Protection Board adopts guidelines on codes of conduct as a tool for transfers

During its 51st plenary session on 7th July 2021, the European Data Protection Board (EDPB) adopted guidelines on codes of conduct as tools for transfers (CoC Guidelines). The CoC Guidelines are available here.

The CoC Guidelines support and complement the previous EDPB Guidelines on CoCs published in 2019 (2019 Guidelines) that established the general framework for the adoption of CoCs. We have previously written about the 2019 Guidelines here.

GDPR: European Commission adopts adequacy decision permitting data transfers to UK, but challenges likely

Monday, days before the deadline of 30 June, the Commission published its implementation decision deeming the UK adequate for the purposes of onward transfers under the GDPR. The Commission’s decision followed on from its draft adequacy finding published in February and a largely positive opinion from the European Data Protection Board in April.

Data transfers: What if data localisation is NOT the answer?

Vivienne Artz OBE, Chief Privacy Officer & Managing Director at London Stock Exchange Group, talks less costly, more secure and commercially viable ways to secure data transfers, rather than investing in data localisation.

London Stock Exchange Group is a stock exchange and financial information company headquartered in London, UK.

Interview conducted by Samantha Gilbert, content editor for Lexology PRO.