Amazon has said it may lodge a further appeal after losing a legal challenge to a record 746 million euro (£625.6m) fine handed down four years ago by Luxembourg regulators over violations of European privacy law.

The Luxembourg National Commission for Data Protection (CNPD) said the country’s administrative court dismissed Amazon’s appeal in a ruling handed down on 18 March.

The CNPD said the fine and measures for Amazon to carry out to remedy the violations would remain suspended during the appeal period.

‘Unprecedented’

Amazon said the CNPD had “imposed an unprecedented fine based on subjective interpretations of the law about which they had not previously published any interpretive guidance” and that it was considering an appeal.

The July 2021 fine was the largest up to that time under the GDPR privacy law, but has since been surpassed by a 1.2bn euro penalty delivered to Facebook parent Meta by Ireland’s data protection regulator in May 2023.

The CNPD alleged at the time that Amazon’s processing of personal data broke the GDPR, which is also implemented in UK law.

Amazon didn’t reveal details of the alleged violations, but said the CNPD had taken issue with the way it uses customers’ data to personalise advertising.

Informed consent

The GDPR requires companies to obtain users’ informed consent before making use of their personal data, and authorises steep fines for violations.

The previous largest under the 2018 law had been a 50m euro fine imposed on Google in 2019.

The CNPD reportedly circulated a draft of its sanction of Amazon’s privacy practices to the EU’s 26 other data-protection authorities, proposing a fine of more than $425m, and at least one of the other regulators are reported to have pushed for a higher fine.

National authorities are meant to take into account the gravity, duration and character of the infringement when deciding on a penalty.