Last updated on 18 August 2021

The thunder has been rumbling for some time, but now the administrative lightning has finally struck. The Wall Street Journal reported in its 10 June 2021 edition that the CNPD (i.e. the Luxembourg data protection supervisory authority) was about to impose a penalty of no less than 425 million euros for Amazon.

In principle, the Wall Street Journal was correct: a sanction has indeed been imposed on Amazon on the 15th of July 2021. Only a slight detail was off. In lieu of a fine of 425 million euros, it was eventually a sanction of 746 million euros which Amazon now has to deal with.

This is the first administrative sanction of such intensity in Luxembourg for a violation of the European General Data Protection Regulation (“GDPR”). The first one of a long series?

First in size, not in spirit

Long-time mocked by its neighbours for not issuing any sanctions almost three years after the GDPR took effect, the CNPD has now turned the corner. The most attentive observers may have noted that the Luxembourg commission has already imposed a few sanctions in the past weeks (notably by decisions of 8 April and 12 May 2021), but for much less intimidating amounts (between 1,000 and 3,000 euros on average).

This time, the national authority has struck hard and has thus sent a crystal clear signal: the most severe sanctions provided for by the GDPR are also applicable in Luxembourg. Indeed, Article 83, §5 of this European Regulation provides for fines “up to EUR 20,000,000 or, in the case of a company, up to 4% of the annual worldwide turnover of the previous financial year, whichever is higher”. It is indeed this highest sum of 4% of yearly turnover of Amazon (far more superior than the sum of 20.000.000 euros) which was decided by the Luxembourgish regulator.

A decision subject to change before publication 

The CNDP is the so-called “lead authority” of this Big Tech, because of its nationality and its Luxembourg establishment.

***

The concept of lead authority, in brief:

Mainly addressed in Recitals 124 et seq. of the GDPR, the notion of “lead authority” refers to the national supervisory authority to which an entity’s main or unique establishment is subject. This authority leads the process of supervision and/or sanctioning of entities subject to the GDPR established on its territory. It is assisted in this task by the other national authorities concerned (to a lesser extent) by the data processing operations of the entity concerned.

***

If the CNPD is therefore in the lead to judge the appropriateness and nature of a sanction against Amazon, it also had to consult with other national authorities to reach a final decision. Pursuant to Articles 60 et seq. of the GDPR, data processing violations that impact several EU member states may trigger the obligation for the national authorities concerned to coordinate. The aim is to arrive at a common and coherent solution. Given Amazon’s influence on the online shopping market and the size of its European customer base, the relevance of this coordination ought to be acknowledged in this case.

To date, and in the absence of the full decision’s publication, only Amazon and the CNDP know the extent and exact nature of the alleged violations. The publication of the CNPD’s decision in its entirety, or even explicitly referencing the name of Amazon, is still far from being achieved. The article 52 of the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR in the Grand Duchy of Luxembourg provides, to this effect, that the CNPD “may” publish its decisions “on the condition that” all means of appeal against the decision have been exhausted and that the publication does not risk causing disproportionate damage to the parties concerned.

The publication of an administrative decision accessible to the general public (fully or not) is therefore only an option for the CNPD. This option even disappears for the supervisory authority if certain specific circumstances are met (means of recourse possible or disproportionality of the measure). In this case, Amazon’s fame and the impact of its data processing on European citizens could lead the regulator to lean towards the option of full publication.

The CNPD has recalled this principle in one of its public communication dated 6 August 2021, stating that “the full and clear publication of the decisions of the CNPD is considered as a supplementary sanction (Article 52). Therefore, it cannot publish any decision before the deadlines for appeals have expired.”

Whatever the decision of the Luxembourg Commission on this point, it is interesting to note that the ramifications of its forthcoming decision do not stop at the mere payment of a sum of money. The reputational and therefore economic impact of such a sanction will also be felt in terms of its publicity and possible limitations on its distribution.

Is the online retail giant helpless in the face of this decision?

Well-known means of recourse

The subject of data protection can sometimes seems esoteric for uninitiated people. Filled with autonomous concepts that are sometimes antithetical to the classic civil law, one constant remains: the resulting sanctions are administrative decisions subject to the usual administrative remedies. It is therefore not only possible to request their annulment in court, but the administrative procedure relating to them has remained unchanged since the “amended law of 21 June 1999 on the rules of procedure before the administrative courts”.

This submission to usual administrative law is expressly recognised by Article 55 of the aforementioned Luxembourg law of 1st August 2018. Key point here, the reformation procedure (which is distinguished from annulment by the possibility for the administrative judge to modify and commute the sanction without simply annulling it) is not expressly provided for by the Luxembourg law for sanctions pronounced by the CNPD.

Nevertheless, a doubt remains in this regard. Indeed, Article 55 of the aforementioned Luxembourg law of 1st August 2018 states that the Tribunal administratif judges “on the merits of the case” (“comme juge du fond”, in French) regarding decisions rendered by the CNPD. It can be noted that some sparse case-law decisions consider that those terms should be interpreted as an indirect reference to the reformation procedure (see, for instance, Trib. Adm., 18 December 2003, n° 15096).

However, to the best of our knowledge, there is no case-law which would confirm such interpretation for the specific Article 55 of the aforementioned Luxembourg law of 1st August 2018. It is unfortunate that the legislator has not taken upon itself to clarify this particular point, especially given the fact that an express unambiguous reference to the “reformation procedure” did exist under Article 33, §2 of the now old and repealed Luxembourg law of 2002 on data protection before the entry into force of the GDPR.

By contrast, the possibility to introduce an annulment procedure is certain. The outcome of  such administrative proceedings in data protection matters will be radical by nature. Either the sanction will disappear without a trace (granting that no appeal has been launched), or it will be applied in full force against the entity which has been deemed to have violated data protection law.

In the event of an appeal against such an administrative decision, data controllers and other data processors will be able to rely on the assistance of a lawyer at the Court to represent them in the administrative procedure.

***

What can we learn from this decision?

  • Like its neighbours, the CNPD is now sanctioning violations of the GDPR, and no longer settles for simple recommendations.
  • The pronouncement of a sanction by the CNPD is only a step within a long process, which can be appealed and which publication (in whole or in part) marks the final outcome.
  • The CNPD’s sanctions are embodied in administrative decisions that can be challenged before the Luxembourg administrative courts.

In the context of such administrative proceedings and even at the pre-litigation stage of exchanges with the CNPD, the advice of a lawyer qualified in this area is a valuable asset.

We are at your disposal to assist you in this respect.

***

Article written by Me Florian Poncin – Avocat à la Cour

Point of contact : florian.poncin@barreau.lu