On March 18, 2025, Amazon faced a significant legal setback after losing its appeal against a €746 million fine (approximately 3 billion SAR) imposed by Luxembourg’s Data Protection Authority. This fine was originally issued by the Luxembourg National Commission for Data Protection (CNPD) on July 16, 2021, due to violations related to processing personal data without obtaining the necessary consent.

The fine imposed on Amazon is the second largest in the history of the General Data Protection Regulation (GDPR). The largest and unprecedented fine was issued on May 22, 2023, against Meta, amounting to €1.2 billion (approximately 4.884 billion SAR), due to its violation of personal data transfer regulations.

In relation to Amazon’s case, the Administrative Court of Luxembourg upheld the decision of the CNPD, confirming that Amazon had violated several provisions of the GDPR.

The violations included:

  • Non-compliance with transparency obligations
  • Rights of access to data
  • Correction and deletion

Amazon was also ordered to take corrective measures, with daily fines of €746,000 (approximately 3,036,220 SAR) imposed in case of non-compliance.

Specifically:

  • Amazon has a 40-day deadline to decide on pursuing further legal action.
  • The company described the CNPD’s decision as “imposing an unprecedented fine based on subjective interpretations of the law for which they had not previously published any interpretive guidance.”
  • Amazon’s reaction highlights the ongoing challenges faced by technology companies in dealing with the complex regulatory environment in Europe, especially regarding data protection and privacy laws.
  • The company’s consideration of additional legal action underscores the financial and reputational importance of the case, as well as its potential impacts on Amazon’s business practices in the European market.
  • The outcome of this case and any potential appeal could have far-reaching implications for how data protection regulations are interpreted and enforced in the European Union, potentially setting precedents for future cases involving major technology companies and their data handling practices.

This decision highlights the importance of complying with data protection laws, especially for large technological companies dealing with vast amounts of personal data. It also indicates the commitment of European authorities to protect users’ privacy rights and ensuring transparency in data processing.

Amazon now faces a significant challenge in modifying its practices to comply with GDPR requirements, with the possibility of incurring a huge fine if its appeal fails. This situation reflects the delicate balance between technological innovation and protecting individual rights in the digital age.

Privacy Professionals

Joined November 15, 2025
Posts 3
View All Posts

You Might Also Like

Data DataProtection privacy

Updates to the Children’s Online Privacy Protection Act (COPPA) for 2025

Data DataProtection Deepfake privacy

A New Legal Weapon Against #Deepfake Abuse

Data DataProtection privacy

A New Framework for DATA PROTECTION Service Providing

Cookies Data DataProtection privacy

Cookies and Privacy Compliance: Lessons Learned from the Honda Settlement

Data DataProtection Uncategorized

َUpdate to the U.S. Privacy Law: A New Context for Data Protection

Would you like to share your thoughts?

Your email address will not be published. Required fields are marked *