Why Amazon’s GDPR fine really matters

Amazon was recently fined €746 million by the Luxembourg National Commission for Data Protection (CNPD) for violating the EU GDPR. A statement from J Cromack, Lead Product Evangelist at DataGuard:

Details about the ruling are limited due to local laws in Luxembourg prohibiting information being published until the appeal process is concluded. It was only made public because Amazon disclosed the fine in a filing with the US Securities and Exchange Commission, and Bloomberg picked up on it.

But if we look at the initial complaint by the Association La Quadrature du Net (LQDN) and their recent blog, it’s clear the ruling is related to a lack of transparency and control offered to individuals.

The decision, revealed by Bloomberg, suffers from no ambiguity: the targeted ad system that Amazon forces onto us is not based on free consent, which is a violation of the GDPR. As such, the corporation is fined to the tune of €746 million. Amazon’s reaction to this historic sanction is to complain to Bloomberg, pretending to not understand what is at stake: “There has been no data breach, and no customer data has been exposed to any third party”. Rightly so: it is the system of targeted advertising itself, and not merely occasional security breaches, that our legal action attacked. This historic fine hits straight to the heart of Big Tech’s predatory system and should be celebrated as such.

Whilst it is difficult to comment in full without seeing details of the ruling, certain conclusions can be drawn, and businesses need to take note.

  1. Whatever currency you report this fine in ($888 million, £638 million or €746 million) – it’s huge. And one that Amazon will contest. But it is not for the usual headline-grabbing data breach. It’s because the lawful basis required for processing people’s data is deemed to be consent, and consent is being “bundled” into the terms and conditions of service. This is a high-risk strategy as regulators finally appear to be looking at consent mechanisms that violate the GDPR.

As per the original complaint from LQDN:

“The fact that certain data processing operations are covered by a contract does not automatically mean that these processing operations are necessary for its execution. For example, article 7(b)[1] is not a suitable legal basis for profiling the tastes and lifestyles of a user based on his browsing experience on a website and the products he has purchased. Indeed, the contract was not concluded to carry out a profile, but to provide certain goods or certain services, for example. Even if these treatments were specifically mentioned in the details of the contract, this fact alone would not make them ‘necessary’ for the execution of the contract.”

  2. If it is concluded that consent is the correct lawful basis for Amazon’s processing activity, then for this consent to be valid an organisation must explain to people, in a way they can easily understand, that they are consenting to direct marketing. The latest “draft” guidance from the UK’s Information Commissioner’s Office (ICO) says:

“The request for consent needs to be prominent, concise, in plain language, and separate from your privacy information or other terms and conditions.”

  3. This indication needs to be unambiguous, and a clear affirmative action must be taken. Too many businesses still rely on lengthy privacy notices to provide this information, which they know very few people will read, and assume they have consent because the individual accepted the terms and conditions of service – this is risky business.

All the mainstream press picked up on this story and therefore, it was likely to have been read by your customers. This is further educating individuals that they have rights when it comes to their data, and they’ll be looking for ways to exercise those rights.

  4. To build trust, individuals need to be given short, easy-to-understand data processing notices and meaningful control of their data. It is no longer OK to have unclear data processing activities that are difficult to understand, as this erodes consumer trust.

It’s a huge win to finally see businesses being challenged on the lawful basis they apply to processing our data, and to see checks finally taking place to ensure that the mechanisms for collecting consent are transparent, specific, and controlled.

Even if Amazon can argue that their processing activities fall under legitimate interest (unlikely, because cookies have been used and consent under e-privacy laws is required to collect this data), Amazon would still be treading a fine line. Plus, the reputational damage and broken trust in the eyes of those consumers who care about data privacy (a group growing every day) will not easily be rectified.

The wording for the ICO’s draft direct marketing code of practice shines further light on this.

“Given that individuals have the absolute right to object to direct marketing, it is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication if the data was not collected directly from the individual). The lack of any proactive opportunity to opt-out in advance would arguably contribute to a loss of control over their data and act as an unnecessary barrier to exercising their data protection rights.

Other examples of when it is very difficult for you to pass the balancing test include:

  • processing for direct marketing purposes that you have not told individuals about (i.e., invisible processing) and they would not expect; or
  • collecting and combining vast amounts of personal data from various sources to create personality profiles on individuals to use for direct marketing purposes. (Probably applies to the Amazon case)

Remember if PECR requires consent then in practice it is consent and not legitimate interests that is the appropriate lawful basis.”

This further highlights the need to provide clear notices and meaningful control to the individual ahead of the processing of personal data.

I’m sure many businesses will see this fine and take a view that they’re too small to be picked up by the authorities, but I predict the increasing news flow about these opaque practices will continue to erode trust. This means it will impact even the smallest businesses, and they will see an increase in the number of data subject access requests received. It is essential all businesses review their processes for using, capturing, and recording consent as a lawful basis.

When businesses use consent as a lawful basis, they will need to demonstrate where and when they captured it, the purpose for which they captured it, what information was provided at the point of capture, and the privacy policy in force at the time. Our recent Attitudes to Data Survey identified that more than 75% of businesses would take longer than a day to pull this information together. Ideally, this information should be visible to the individual at the press of a button. And if using legitimate interests, give individuals the ability to opt out of the processing activity, as this will make it easier to pass the balancing test, and it’s the right thing to do.
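The two requirements above (points 2 and 3 on what makes consent valid, and this paragraph on the evidence a business must be able to produce) can be turned into a small record check. The following is an added illustration written for this article, not DataGuard’s product code and not anything from the Amazon ruling: it models a consent record with the fields the paragraph lists, flags records that would not stand up as valid consent (bundled into terms and conditions, pre-ticked, no stated purpose, no record of the wording shown), builds the subject-facing consent history, and answers whether consent covered a given processing moment. The mechanism labels and sample records are constructed assumptions.

```python
"""Consent-record checker (constructed example; not DataGuard's product code).

Models the evidence a business must produce for consent as a lawful basis
(where/when captured, purpose, information shown, policy in force) and flags
records that would not evidence valid consent.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical mechanism labels; a real system would use its own vocabulary.
VALID_MECHANISMS = {"explicit_optin"}                         # clear affirmative action
INVALID_MECHANISMS = {"bundled_terms", "preticked", "implied_by_use"}


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str                 # e.g. "direct_marketing"
    captured_at: datetime        # when consent was captured (UTC)
    channel: str                 # where it was captured, e.g. "checkout-form"
    mechanism: str               # how the indication was given
    notice_text: str             # the request wording shown at capture time
    privacy_policy_version: str  # policy in force at the time
    withdrawn_at: Optional[datetime] = None


def validity_issues(rec: ConsentRecord) -> list:
    """Return the reasons this record would not evidence valid consent (empty = ok)."""
    issues = []
    if rec.mechanism in INVALID_MECHANISMS:
        issues.append(f"no clear affirmative action ({rec.mechanism})")
    elif rec.mechanism not in VALID_MECHANISMS:
        issues.append(f"unknown mechanism {rec.mechanism!r}")
    if not rec.purpose.strip():
        issues.append("no purpose recorded")
    if not rec.notice_text.strip():
        issues.append("no record of the information shown at capture")
    elif rec.purpose and rec.purpose.replace("_", " ") not in rec.notice_text.lower():
        # The request must name the specific purpose, not hide it in general terms.
        issues.append("request wording does not name the purpose")
    if not rec.privacy_policy_version.strip():
        issues.append("privacy policy version not recorded")
    if not rec.channel.strip():
        issues.append("capture point not recorded")
    return issues


def consent_history(records, subject_id):
    """Subject-facing history: one entry per record, oldest first, with a status."""
    history = []
    for rec in sorted((r for r in records if r.subject_id == subject_id),
                      key=lambda r: r.captured_at):
        issues = validity_issues(rec)
        if issues:
            status = "invalid"
        elif rec.withdrawn_at is not None:
            status = "withdrawn"
        else:
            status = "active"
        history.append({
            "purpose": rec.purpose,
            "captured_at": rec.captured_at.isoformat(),
            "channel": rec.channel,
            "policy_version": rec.privacy_policy_version,
            "status": status,
            "issues": issues,
        })
    return history


def can_rely_on_consent(records, subject_id, purpose, at):
    """True if a valid, unwithdrawn consent for `purpose` covered the moment `at`."""
    for rec in records:
        if rec.subject_id != subject_id or rec.purpose != purpose:
            continue
        if validity_issues(rec):
            continue  # an invalid record never supports the processing
        if rec.captured_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at):
            return True
    return False


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample records (not real customer data).
SAMPLE_RECORDS = [
    ConsentRecord("u1", "direct_marketing", _utc(2021, 3, 1, 10, 0), "checkout-form",
                  "bundled_terms", "I accept the Terms of Service.", "v7"),
    ConsentRecord("u1", "direct_marketing", _utc(2021, 6, 15, 9, 30), "preferences-page",
                  "explicit_optin",
                  "Tick to receive direct marketing emails about new products.", "v8",
                  withdrawn_at=_utc(2021, 9, 1, 12, 0)),
    ConsentRecord("u2", "direct_marketing", _utc(2021, 7, 2, 8, 0), "signup-form",
                  "preticked", "Send me direct marketing offers.", "v8"),
]

if __name__ == "__main__":
    for entry in consent_history(SAMPLE_RECORDS, "u1"):
        print(entry)
    print(can_rely_on_consent(SAMPLE_RECORDS, "u1", "direct_marketing", _utc(2021, 7, 1)))
```

Note the design choice in `can_rely_on_consent`: a record that fails `validity_issues` is treated as if it did not exist, so a business that only holds a T&C-bundled acceptance cannot point to any consent at all for the period before a proper opt-in was captured.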

It’s time for businesses to get smart when it comes to consent. No more opaque and dark patterns designed to capture our consent without us noticing. Be open, be upfront, explain why you need individuals’ data and what they’ll get in return. Give them meaningful control and access to their consent history.

Getting Data Protection Right increases trust with consumers, which in turn will improve data quality and profit. We’re seeing our customers who adopt this approach not only increase their consent volume by up to 68%, but also capture improved insights and preferences.

If you would like to chat about improving the way you collect consent from your consumers and see if your approach is likely to upset the authorities, we’d love to hear from you.


About the author

J Cromack

J is the Co-Founder of MyLife Digital, a consent and preference management business acquired by DataGuard in 2021, as well as founding member of MyData Global and DataIQ Privacy & Trust Champion 2020. J is an advocate of rethinking personal data to reinforce trust and the opportunities emerging from GDPR. He speaks regularly on the subject thanks to his pragmatic approach to data ethics, privacy and data protection. He articulates clearly how organisations can embrace the new regulatory landscape to deliver greater value and build trust with their consumers. In 2020, J was awarded DataIQ’s Privacy and Trust Champion award and is recognised by DataIQ as one of the top 100 most influential people in data-driven businesses and the innovators who support them.
