Move over, Dublin. It’s Luxembourg that’s kicking off Europe’s era of big-ticket privacy enforcement.
More than three years since the EU’s General Data Protection Regulation came online, the hefty fines it promised are finally materializing.
In financial filings out Friday, tech giant Amazon said the Grand Duchy had fined it a record €746 million after finding that the way the e-commerce giant handles people’s personal information falls afoul of Europe’s strict privacy code.
The figure is the highest ever levied under the code, way ahead of France’s €50 million penalty for Google, the second-highest, and sees Luxembourg emerge as Europe’s unlikely new privacy sheriff.
The tiny, tax-light country has long been accused of being soft on the corporations that make it their home. In light of a POLITICO investigation in February that revealed evidence of data protection lapses at Amazon, an official at the regulator maintained that big penalties were not the way to go. Viviane Reding, an opposition MP in the country and a former EU commissioner who was chief architect of the GDPR, had raised questions about the way the regulator handles privacy complaints, while the clamor of voices criticizing the watchdog grew.
But the record sum for a U.S. heavyweight has thrust Luxembourg to the front line of Europe’s war on Big Tech. In doing so, it asks tough questions of Ireland, which regulates the lion’s share of Silicon Valley companies. So far, Dublin has mustered just a single fine against their ranks: a €450,000 penalty for Twitter.
“This historic sanction highlights even more the complete abdication of the Irish data protection authority which, in three years, has not been able to wrap up any of the other four complaints we have brought against Facebook, Apple, Microsoft and Google,” said French NGO La Quadrature du Net, whose complaint led to Luxembourg’s Amazon fine.
With the mega fine, Luxembourg could even supplant France as Europe’s toughest privacy enforcer. “The exemplary posture of the Luxembourg authority is also a cold shower for the CNIL [France’s data enforcer] in France which, for a long time, was a leader in Europe for data protection. Today, the CNIL is no more than a shadow of itself,” the French NGO added.
Luxembourg also seems to have dodged much of the bureaucratic wrangling that has thwarted Europe’s privacy enforcers against Big Tech.
The Twitter penalty, for instance, only materialized after Ireland was forced to trigger a formal mechanism to resolve disputes between Europe’s regulators, some of whom complained that the figure proposed by the Irish was too low. Ireland’s second Big Tech decision — a possible €50 million fine for WhatsApp — is embroiled in a similar tussle.
Luxembourg’s Amazon fine, however, faced a much smoother ride.
Luxembourg’s initial proposal, reported at around €360 million, was far lower than the figure eventually meted out, but it still managed to finalize the decision without resorting to formal dispute resolution mechanisms.
Luxembourg’s relatively smooth process throws doubt on Ireland’s claims that it is the European enforcement mechanism — known as the one-stop-shop — rather than its own actions that result in enforcement bottlenecks.
But Ireland’s caution may have its benefits.
Amazon has already said it intends to defend itself against Luxembourg’s decision “vigorously,” and said Luxembourg’s fine was predicated on “subjective and untested interpretations of European privacy law,” that are “entirely out of proportion.”