Tag: Amazon

Amazon facing potential record GDPR fine

18. June 2021

Luxembourg’s National Commission for Data Protection, the CNPD, has proposed a $ 425 million (€ 348.7 million) fine against Amazon.com Inc. for alleged GDPR violations, the Wall Street Journal reports. It would be the highest penalty to date under EU data protection law, exceeding the current record penalty of € 50 million against Google LLC.

It is not yet clear to the public what exactly the allegations are since the statements are based on a confidential source. Amazon also declined to comment on the case. The charges are apparently related to Amazon’s data collection and usage practices, but do not involve the Amazon Web Services cloud computing business.

The CNPD is Amazon’s competent data protection authority as the international retail company has its regional headquarters in the Grand Duchy of Luxembourg. According to the Article 64 GDPR procedure, the CNPD submitted its draft decision to data protection authorities of the other EU member states, which will have to approve the sanction before it can be officially imposed. Based on comparable cases in the past, the process could take months and lead to substantive changes, including an increased or reduced fine.

Though the proposed amount would set a record, it is far below the maximum of 4 % of the total worldwide annual turnover of the preceding financial year allowed by Article 83 (5) GDPR. It amounts to only about 0.1 % of Amazon’s annual revenue. As some critics say, this illustrates a pattern of data protection authorities favoring big-tech companies and often reducing large initial proposals after a long deliberation period. Given the companies’ massive incomes, such penalties are easy to recover from and ultimately, they run counter to the preventive purpose of the punishment.

As a result, these companies could soon fall under the terms of the Digital Services Act and the Digital Markets Act, which were proposed by the European Commission at the end of 2020 to upgrade rules governing digital services in the EU. This new set of regulations, which specifically targets tech companies, increases potential fines to 10 % of the global turnover.

CNIL fines Google and Amazon

10. December 2020

The French Data Protection Authority Commission Nationale de l’Informatique et des Libertès – “CNIL” – announced that it has fined the big tech companies Google and Amazon due to violations of the GDPR and the French Data Protection Act.

Regarding Google CNIL announced financial penalties of an combined record breaking amount of € 100 million. € 60 million are against Google LLC, the US-based mother company, and € 40 million against Google Ireland Limited, the Irish daughter company. According to the statement of CNIL the fines are based on violations regarding the Cookie requirements on the website google.fr. Due to an online investigation, conducted on March 16th, 2020, CNIL considers it as proven that Google “placed advertising cookies on the computers of users of the search engine google.fr, without obtaining prior consent and without providing adequate information”.

Besides the findings on Cookies, CNIL also critizes a lack of information on the processed personal data and a partial failure of the opposition mechanism.

The high amount of the financial penalties is justified with the seriousness of the violation, the high amount of concerned data subjects and the significant profits of the companies arising of the advertisements.

CNIL also considers the fact, that this procedure is no longer in place since an update in September 2020, because the newly implemented banner does not allow to understand the purposes for which the cookies are used and does not let the data subject know that they can refuse the coolies.

This is already the second, financial penalty CNIL imposes against Google.

Also for violations in connection with cookies CNIL fines Amazon Europe Core a financial penalty of € 35 million. The accusation is the same as with Google and based on several investigations conducted between December 12th, 2019 and May 19th, 2020. CNIL found out, that when a user visited the website, cookies were automatically placed on his or her computer, without any action required on the users part. Several of these cookies were used for advertising purposes. Also a lack of information has been conducted.

The high amount of the financial penalties is in all cases justified with the seriousness of the violation, the high amount of concerned data subjects and the significant profits of the companies arising of the advertisements.

Amazon lets Alexa recordings evaluate by timeworkers in home-office

5. August 2019

According to a report by German newspaper “Welt am Sonntag”, Amazon has Alexa’s voice recordings listened to not only by its own employees, but also by Polish temporary workers.

For some time now, Amazon has been the subject of criticism because the recordings of the Alexa language assistant are listened to and typed in by employees in order to improve speech recognition. For a long time, however, the users were unaware of this long-standing practice.

It has now become known that temporary workers in the home office listen to and evaluate the recordings using a remote work program. Until recently, a Polish recruitment agency advertised “teleworking all over the country”, although Amazon had previously assured that the voice recordings would only be evaluated in specially protected offices. However, one of the Polish temporary workers stated that many of them would work from home and that among the records were personal data such as names or places that allowed conclusions to be drawn about the person.

Upon request, Amazon confirmed the research results. A spokesman said that some employees were allowed to work from other locations than the Amazon offices, but that particularly strict rules would have to be observed. In particular, working in public places is not allowed.

On the same day, the online job advertisements were deleted and Amazon offered a new data protection option. Users can now explicitly object and block their recording for post-processing by Amazon employees.

Other language assistants have also been or are to be suspended from language evaluation, at least for European users. According to Google, around 0.2 % of the recordings are listened to subsequently, while Apple and Amazon say it is less than 1 %. Google already deactivated the function three months ago and Apple also wants to suspend the evaluation and explicitly ask its users later whether an evaluation may be resumed.

Reuters: U.S. companies ask Trump to support encryption

17. November 2016

This week, Reuters reported that U.S. internet companies, such as Facebook and Amazon have sent a detailied letter including a list of their policiy priorities to President-elect Donald Trump. Among the topics of these policies are encryption, immigration reform and maintaining liability protections from user’s content.

The mentioned letter was sent by the so called Internet Association, which is a group of 40 members, also including Alphabet’s Google, Uber and Twitter. The letter tries to repair the relationship between the internet giants and Trump due to the fact that he was almost universally disliked during the presidential campaign.

The president of the Internet Association, Michael Beckermann signed the letter talking about “The internet industry looks forward to engaging in an open and productive dialogue”. Furthermore, Beckerman issued a statement  syaing that the internet industry looked forward to working closely with Trump and lawmakers in Congress in order to “cement the internet’s role as a driver of economic and social progress for future generations.”

The letter describes some of the policies which go along with Trump’s prior statements, for example easing the regulation on the sharing economy and applying pressure on Europe to not erect too many barriers that restrict U.S. internet companies from growing in that market.

However, other topics are likely to be opposed with Trump’s campaign as he offered numerous broadsides against the tech sector.

 

 

Dropbox: new server location in Germany

27. September 2016

Heise online released an article last week talking about a new possibility for Dropbox users, namely to select a German server location.

As already announced, EU citizens are now able to save their data on a server located in Germany. However, this new storage possibility is only available for business use so far. The requirement is that more than 250 employees use Dropbox. Therefore, the new server location is not applicable for private use.

However, Dropbox did not build the new server location on its own. In fact, the infrastucture is provided by Amazon though AWS.

 

The European Court of Justice ruled on the question which Member State’s data protection laws should apply

29. July 2016

As already published the European Court of Justice had to clarify which Member State’s data protection laws should apply to data processing established within the EU but directed at a number of EU Member States.

Yesterday, the European Court of Justice ruled in the case VKI v. Amazon EU that “ (…) the processing of data (…) is governed by the law of the Member State in whose territory that establishment is situated.”

However, the European Court of Justice did not discuss the respective contract between Amazon and its customers stating that “Luxembourg law shall apply.”

Nevertheless, the European Court of Justice came to the conclusion that “It is for the national court to determine (…) whether Amazon EU carries out the data processing in question in the context of the activities of an establishment situated in a Member State other than Luxembourg.”

Which European DPA is in charge of supervising Amazon?

28. July 2016

In the case Verein für Konsumenteninformation v. Amazon, the Court of Justice of the European Union has to decide which Member State’s data protection law should apply in case goods are sold across national borders but within the EU. In the respective case goods are sold from a German or Luxembourgish website to an Austrian consumer.

This can be seen as one of the more significant data protection cases of 2016. The judgement will be significant due to the fact that the EU is in the process of implementing the new General Data Protection Regulation. As a consequence an European Data Protection Board (EDPB) will be established, which will represent Data Protection Authorities of different Member States. The EDPB will also be responsible for conflicts of jurisdiction. However, this process has been described as a “ (…) hyper bureaucratic procedure that will lead to more complexity and longer procedures.”

In case the Court of Justice of the European Union clarifies the jurisdiction of Data Protection Authorities, there may be less need to utilise these hyper-bureaucratic procedures. This could make the EU’s single market more efficient.

The Court of Justice of the European Union will probably rule on this matter today.