Amazon has secured a major legal victory in Europe after a Luxembourg court canceled a record privacy penalty that had stood as one of the largest sanctions imposed under the European Union’s data protection framework.
According to the article “Win for Amazon as Luxembourg court scraps record $854 million privacy fine,” published by The Economic Times, an administrative court in Luxembourg annulled the massive fine previously levied against the US technology giant by the country’s data protection authority. The penalty, issued in 2021 by Luxembourg’s National Commission for Data Protection (CNPD), accused Amazon of violating the EU’s General Data Protection Regulation in how it handled personal data for advertising purposes.
At the time, the €746 million penalty—reported in the Economic Times article as roughly $854 million—represented the largest fine ever issued under the GDPR, the European Union’s landmark privacy regulation that took effect in 2018. The CNPD had concluded that Amazon’s advertising practices did not adequately comply with EU requirements governing the collection and use of personal data, particularly in relation to user consent for targeted advertising.
The Luxembourg administrative court has now set aside that decision, siding with Amazon’s challenge to the regulator’s findings. While detailed legal reasoning has not been widely disclosed, the ruling effectively removes the record sanction and marks a significant reversal for European data regulators seeking to enforce stricter privacy standards across major technology platforms.
Amazon welcomed the ruling, reiterating its long‑standing position that it had complied with EU privacy rules and that the CNPD’s interpretation of the law had been flawed. The company has previously argued that it does not rely on advertising systems that profile individuals in ways that violate GDPR and that there had been no misuse of personal data.
The dispute originated from complaints filed by privacy advocates, including the French digital rights organization La Quadrature du Net, which had alleged that Amazon’s advertising practices relied on personal data processing that failed to meet the regulation’s strict consent requirements. These complaints ultimately prompted the CNPD investigation that led to the record penalty.
Despite the court’s decision, the legal fight may not yet be fully resolved. Luxembourg’s data protection authority has the option to appeal the ruling to a higher administrative court, a move that could prolong one of the most closely watched GDPR enforcement cases involving a global technology firm.
The outcome underscores the complex legal terrain surrounding GDPR enforcement. Regulators across the European Union have increasingly imposed hefty penalties on technology companies in recent years, reflecting the bloc’s determination to assert stronger control over how personal data is collected, processed, and monetized. At the same time, companies have aggressively challenged major sanctions through national courts, testing the limits and interpretations of the regulation.
For Amazon, the annulment represents a significant reprieve from a penalty that had stood as a landmark symbol of Europe’s push to hold major digital platforms accountable for privacy violations. Whether the case proceeds to further legal review may determine how far regulators can go when applying GDPR rules to targeted advertising and large-scale data processing by global technology companies.
