DECISION SUMMARY
What happened
On 16 July 2021, Luxembourg's Commission Nationale pour la Protection des Données (CNPD) adopted a decision imposing an administrative fine of €746 million on Amazon Europe Core S.à.r.l., the Luxembourg-headquartered entity through which Amazon operates much of its European business. The decision did not become public knowledge through a CNPD announcement; instead it surfaced when Amazon disclosed the fine in its quarterly filing with the US Securities and Exchange Commission on 30 July 2021. At the time, no public GDPR fine had exceeded €100 million, and the €746 million figure was roughly 15 times the previous record (Google's €50 million CNIL fine of January 2019).
The substantive decision concerns Amazon's processing of personal data for targeted advertising. The complaint chain originates with 10,000 individual complaints coordinated in 2018 by the French consumer-rights organisation La Quadrature du Net, targeting four large US technology platforms (Google, Facebook, Amazon and Apple) for alleged consent and lawful-basis failures. Because Amazon Europe Core is established in Luxembourg, the case was assigned under the one-stop-shop mechanism to the CNPD as lead supervisory authority. La Quadrature du Net's complaints alleged that Amazon was processing personal data for behavioural advertising without obtaining freely given, specific, informed and unambiguous consent from data subjects.
The CNPD's decision is one of the few major GDPR decisions never published in full text. Luxembourg's administrative-court procedure treats decisions as confidential during the appeal period, and Amazon's appeal has remained on foot for several years. As a result, the public understanding of the decision's legal reasoning is reconstructed from Amazon's own brief characterisation in its SEC filings, statements from La Quadrature du Net, and subsequent CNPD enforcement notes that reference the case. The published register entries on this site reflect that limited public record.
What is publicly known about the legal reasoning
The core legal question was Amazon's lawful basis under Article 6(1) for processing personal data to deliver personalised advertising. Amazon had argued that its processing for advertising purposes was either necessary for the performance of the contract under Article 6(1)(b) or supported by its legitimate interests under Article 6(1)(f). On the publicly available record, the CNPD concluded that neither basis was tenable on the facts. Behavioural advertising processing of the kind Amazon undertook was not strictly necessary to perform the underlying retail contract with the customer, and the data subject's fundamental-rights interests in not being profiled outweighed Amazon's commercial interest in personalisation. That conclusion, if upheld on appeal, would mean Amazon required affirmative Article 6(1)(a) consent for the relevant processing.
The CNPD's analysis is consistent with the European Data Protection Board's Guidelines 8/2020 on the targeting of social media users and with subsequent EDPB Binding Decisions in the Meta cases (December 2022) that rejected Article 6(1)(b) as a basis for personalised-advertising processing on Facebook and Instagram. The Amazon decision predates those Meta findings but reaches the same structural conclusion: consent is the only viable lawful basis for behavioural-ad processing of personal data in normal commercial contexts.
Why the fine was this size
Article 83(5) GDPR provides a maximum administrative fine of €20 million or 4% of total worldwide annual turnover for upper-tier infringements (including infringements of Article 6 lawful-basis requirements). Amazon's global net sales in 2020 were approximately US$386 billion, which puts the 4% statutory ceiling for the relevant undertaking in the region of €14 billion. The €746 million fine is therefore in the upper-middle band of what Article 83(2) factors might support, given the scale of the processing and the number of EU data subjects affected.
Without access to the full decision, the CNPD's specific Article 83(2) weighting is not on the public record. Inference from the fine size and contemporary EDPB guidance suggests the CNPD treated as aggravating factors the systematic and large-scale nature of the processing, the central role of behavioural advertising in Amazon's business model, the duration of the alleged infringement (continuing from May 2018 onwards), and the failure to revisit the lawful-basis position in response to evolving DPA guidance. Likely mitigating factors would include the absence of any actual data breach, the quality of Amazon's data-protection governance, and cooperation with the regulator during the investigation.
Operational orders and Amazon's response
The CNPD decision also imposed operational corrective orders requiring Amazon to bring its advertising-related processing into compliance. Amazon publicly stated that it disagreed strongly with the decision, that it considered its data-handling practices appropriate, and that no data breach was alleged. Amazon implemented revisions to its EU consent and personalisation interfaces over the course of 2021-2023 in response both to the CNPD decision and to the broader regulatory trajectory (including the CNIL Google Analytics rulings and the Meta EDPB binding decisions).
Appeal status
Amazon appealed the CNPD decision to the Luxembourg administrative tribunal. As of April 2026 the appeal has not been resolved. Luxembourg administrative proceedings can run for several years, and any final-instance judgment could be subject to appeal to the Conseil d'État of Luxembourg, with further potential preliminary references to the Court of Justice of the European Union on points of EU law. The fine therefore remains on this register as "under appeal". Should the decision be upheld in substance, the €746 million figure (or any amount left after appeal-stage reduction) becomes payable; should it be vacated, no fine is due. Should the decision be reduced rather than vacated, the register entry will be updated to "reduced on appeal" with the new amount and date.
Why the case matters
Three threads make the Amazon CNPD case important beyond its size. First, it was the first GDPR decision to push a fine into the hundreds of millions, normalising the idea that the upper-tier €20 million absolute cap is a floor rather than a ceiling for the largest controllers. Second, it foreshadowed the EDPB's 2022 Meta binding decisions on contract-as-lawful-basis for personalised advertising: the legal reasoning the CNPD relied on (consent required for behavioural ad processing) became consensus EDPB doctrine within 18 months. Third, the case illustrates the limits of public scrutiny when DPAs decline to publish reasoning during appeals. Practitioners must work from inferences and SEC filings rather than the formal decision, which limits the precedential value of an otherwise headline ruling.
For comparator purposes, the Amazon fine sits alongside the Meta €1.2 billion fine (different DPA, different legal question), the WhatsApp €225 million fine (transparency), the Google €90 million CNIL fine (cookies UX), and the various CNIL ad-tech fines of 2022-2024. The cluster of advertising-and-consent fines that began with this CNPD decision now totals over €3 billion in disclosed amounts across the EU. The era when ad-tech compliance was a back-burner issue ended on 30 July 2021 when Amazon's 10-Q filing reached the wire.