
Mar 19, 2026

The EU's Biggest GDPR Fine Just Got Thrown Out—But Amazon Still Lost

Luxembourg's court vacated the landmark penalty on procedural grounds while confirming every privacy violation the regulator found.

The Second-Largest GDPR Fine, Erased

On March 12, 2026, Luxembourg's Administrative Court annulled the EUR 746 million ($858 million) fine that the country's National Commission for Data Protection (CNPD) had imposed on Amazon in July 2021. At the time, it was the second-largest penalty ever issued under the EU's General Data Protection Regulation.

The original investigation began in 2018, after a French privacy advocacy organization filed a complaint about how Amazon obtained consent for targeted advertising. The CNPD found that Amazon could not rely on "legitimate interests" as a legal basis for processing personal data for behavioral advertising—and slapped the company with a fine that made global headlines.


Why the Court Threw It Out

The court did not rule that Amazon was innocent. Instead, it found two critical procedural failures in how the CNPD handled the case:

  • No fault analysis: The CNPD never examined whether Amazon's violations were intentional or merely negligent. A 2023 ruling by the EU's Court of Justice established this as a mandatory requirement for GDPR fines, and Luxembourg's court applied it retroactively.
  • No sanction evaluation: The regulator jumped straight to a massive fine without considering whether other enforcement tools—warnings, reprimands, or compliance orders—might have been more appropriate.

In short, the CNPD got the law right but the process wrong.

The Violations Still Stand

This is the part Amazon probably does not want you to focus on. The court endorsed the CNPD's substantive findings "almost in their entirety." Specifically:

  • Amazon's use of "legitimate interests" to justify behavioral advertising was not legally valid.
  • Amazon's privacy information procedures did not comply with GDPR requirements at the time.

Amazon has since changed its practices. At a January 2026 hearing, both sides confirmed the company had brought itself into compliance with the CNPD's original requirements. But the court's ruling makes clear: what Amazon was doing before 2021 violated European privacy law.

A Pattern Across Europe

This is not an isolated case. European courts are increasingly overturning or reducing GDPR fines while upholding the underlying violations. In December 2025, a French court cut Amazon France Logistique's EUR 32 million employee surveillance fine to EUR 15 million. In November 2025, a Madrid court ordered Meta to pay EUR 479 million for advertising violations—but only after years of procedural wrangling.

The pattern reveals a structural weakness in GDPR enforcement: regulators can identify real violations, but courts demand rigorous procedural frameworks that many data protection authorities have not yet built. Companies with deep legal budgets are exploiting these gaps to escape penalties even when the privacy harm is undisputed.

What Amazon Said

Amazon spokesperson Conor Sweeney called the ruling a vindication: "We're pleased the Luxembourg Court of Appeal has overturned the CNPD's decision and recognised our position."

The company framed the original fine as a misunderstanding, stating that "when an ambiguous new privacy law came into force in the EU without clear guidance on how to show customers relevant advertising, we worked in good faith to give customers control."

The CNPD, meanwhile, noted that "the main regulatory action it had taken has borne fruit" and left open the possibility of issuing a new fine after further review.

What This Means for Privacy

For compliance teams, this ruling reinforces that regulators must show their work when imposing fines. But it also signals that the substantive privacy standards under GDPR remain robust. Companies cannot rely on "legitimate interests" to justify large-scale behavioral advertising without a genuine, defensible balancing test.

For everyone else, the takeaway is more sobering. The EU's flagship privacy law can identify when your data is being misused, but the enforcement machinery is still catching up. The biggest tech companies can afford to fight procedural battles for five years while continuing to profit from the data practices that were ruled illegal.

The fine may be gone, but the violations are on the record. And the CNPD has not ruled out trying again.