Mar 17, 2026
Amazon's Record €746 Million GDPR Fine Just Got Thrown Out on a Technicality
A Luxembourg court confirmed Amazon violated privacy law but annulled the fine because regulators skipped a step. The precedent could weaken enforcement across Europe.
The Biggest GDPR Fine in History, Erased
In July 2021, Luxembourg's data protection authority, the Commission Nationale pour la Protection des Données (CNPD), issued a €746 million fine against Amazon Europe Core S.à r.l.—the largest GDPR penalty ever recorded at that point. It was celebrated as a landmark moment: proof that European regulators were finally willing to hold the biggest technology companies accountable for systematic privacy violations. Years later, a Luxembourg Administrative Court has annulled that fine entirely. Amazon did not win because it was found innocent. The court confirmed the violations were real. The fine was thrown out because the regulator made procedural mistakes.
That distinction matters enormously. It is not the outcome privacy advocates were expecting, and it has significant consequences for how data protection enforcement will work across the European Union going forward.
What Amazon Was Actually Fined For
The original investigation centered on Amazon's behavioral advertising practices. The CNPD found that Amazon had been relying on "legitimate interests" as its legal basis for targeting users with personalized advertisements. Under the GDPR, "legitimate interests" is one of six lawful bases a company can use to process personal data without explicit consent—but it is not a blank check. The regulation requires that the company's interests be weighed against the rights and freedoms of the individuals whose data is being used.
The CNPD concluded that Amazon's use of this legal basis for targeted advertising failed that balancing test. Users were being profiled and served personalized ads through a process that did not meet the GDPR's requirements. The violations, according to the court that later reviewed the case, were genuine. Nobody disputed that Amazon's practices were unlawful.
Why the Court Threw Out the Fine
The Administrative Court identified two distinct procedural failures in how the CNPD had conducted its enforcement action, either of which would have been sufficient to annul the penalty.
The first failure involved fault analysis. EU case law—specifically rulings from the Court of Justice of the European Union in late 2023, including the Deutsche Wohnen and Nacionalinis decisions—established that regulators must examine whether a company acted with intent or negligence before imposing a fine. The CNPD's decision against Amazon contained no such analysis. The regulator identified violations and moved directly to a financial penalty without addressing whether Amazon knew it was breaking the rules or how deliberately it had acted.
The second failure involved sanction selection. The court found that the CNPD had applied a fine in a manner that was, in effect, automatic. GDPR enforcement does not require a fine as the first or only remedy. Regulators have a range of corrective powers: warnings, reprimands, orders to bring processing into compliance, temporary or permanent bans on processing, and financial penalties. By moving to a maximum-scale fine without meaningfully considering alternatives, the CNPD failed to exercise proportionate judgment.
The Deutsche Wohnen Ruling and Its Ripple Effects
The Deutsche Wohnen case, decided by the Court of Justice of the European Union in December 2023, arose from a German data protection case but established a principle with continent-wide implications. The court held that GDPR fines cannot be imposed on organizations as abstract legal entities. There must be an assessment of whether a natural person in a position of authority—a manager, a director, someone with decision-making power—acted with intent or negligence.
This was a significant shift. Many data protection authorities across Europe had been treating GDPR fines as a form of strict liability: find the violation, calculate the fine, issue the penalty. Deutsche Wohnen and the related Nacionalinis ruling said that framework was legally insufficient. Regulators now need to examine the internal decision-making process and make a judgment about culpability—not just compliance failure.
The Luxembourg court applied exactly that framework to the Amazon case and found the CNPD's original decision wanting. The fine, issued in 2021, predated the Deutsche Wohnen ruling, but the court applied the legal standard as it now stands.
What This Means for GDPR Enforcement Across Europe
The immediate practical effect is limited. The case returns to the CNPD for reassessment. Amazon remains obligated to comply with the GDPR, and the CNPD noted that its enforcement actions had already resulted in Amazon bringing its practices into full compliance.
But the broader implications are troubling. The ruling establishes that even a clearly documented, large-scale violation can result in a fine being annulled if the procedural steps were not followed precisely. A company facing a significant GDPR penalty now has a clear basis to challenge the decision on procedural grounds regardless of whether the underlying violation is disputed. The questions become: Did the regulator conduct a sufficient fault analysis? Did it genuinely consider alternatives to a financial penalty? Did it document its reasoning adequately at every step?
These are not trivial requirements, and not every data protection authority has the legal resources or institutional capacity to satisfy them perfectly in every case.
The Chilling Effect on Regulators
There is an uncomfortable irony embedded in this outcome. The CNPD spent years investigating Amazon, issued a landmark fine, and ultimately achieved its stated goal: Amazon changed its practices. But the legal instrument it used—the fine itself—has been struck down, and the regulator must now start a portion of that process over again.
Data protection authorities across Europe are already stretched thin. Most are underfunded relative to the scale of their mandates and the size of the companies they are tasked with regulating. The prospect of having major enforcement actions annulled on procedural grounds after years of investigation creates a powerful disincentive to pursue the most ambitious cases. If a regulator knows that a well-funded company will challenge every procedural step in court, the rational response may be to pursue smaller, lower-stakes cases rather than the large-scale investigations that would have the most impact.
Amazon stated publicly that it had "strongly disagreed with the initial ruling and disproportionate" fine. That framing—emphasizing the proportionality of the penalty rather than the existence of the violation—is revealing. The company was not arguing it had done nothing wrong. It was arguing the punishment did not fit the conduct.
For compliance professionals, researchers, and privacy advocates watching European data protection enforcement, the Amazon ruling is a reminder that the GDPR's enforcement architecture is still being tested through litigation. The law's substance has not changed. The violations remain violations. But the procedural requirements for turning those violations into enforceable penalties have grown more demanding—and companies with the resources to litigate have every incentive to exploit that complexity.