The thunder has been rumbling for some time, but now the administrative lightning has finally struck. The Wall Street Journal reports in its 10 June 2021 edition that the CNPD (i.e. the Luxembourg data protection supervisory authority) will impose a penalty of no less than 425 million euros on Amazon. This is the first administrative sanction of such intensity in Luxembourg for a violation of the European General Data Protection Regulation (“GDPR”). The first one of a long series?
First in size, not in spirit
Long mocked by its neighbours for not issuing any sanctions almost three years after the GDPR took effect, the CNPD has now turned the corner. The most attentive observers may have noted that the Luxembourg commission has already imposed a few sanctions in the past weeks (notably by decisions of 8 April and 12 May 2021), but for much less intimidating amounts (between 1,000 and 3,000 euros on average).
This time, the national authority has struck hard and has thus sent a crystal clear signal: the most severe sanctions provided for by the GDPR are also applicable in Luxembourg. Indeed, Article 83, §5 of this European Regulation provides for fines “up to EUR 20,000,000 or, in the case of a company, up to 4% of the annual worldwide turnover of the previous financial year, whichever is higher”. The CNPD has therefore shown restraint in this case since, as the Wall Street Journal points out, the amount of EUR 425 million stands for “only” 2% of the Internet giant’s 2020 turnover.
A decision subject to change before publication
In the particular case of Amazon, it should nevertheless be noted that the CNPD’s sanction is still at a preliminary stage. It has not yet been published and the more prosaic considerations of this decision (i.e. exact amount, recommendations, motivation of the commissioners, …) have yet to be decided. Press reports and rumours mention even more severe amounts or, on the contrary, a penalty lower by almost 100 million euros. Only the principle of a sanction seems to be anchored in the mind of the Luxembourg regulator.
The CNPD is the so-called “lead authority” of this Big Tech, because of its nationality and its Luxembourg establishment.
The concept of lead authority, in brief:
Mainly addressed in Recitals 124 et seq. of the GDPR, the notion of “lead authority” refers to the national supervisory authority to which an entity’s main or unique establishment is subject. This authority leads the process of supervision and/or sanctioning of entities subject to the GDPR established on its territory. It is assisted in this task by the other national authorities concerned (to a lesser extent) by the data processing operations of the entity concerned.
If the CNPD is therefore in the lead to judge the appropriateness and nature of a sanction against Amazon, it will also have to consult with other national authorities to reach a final decision. Pursuant to Articles 60 et seq. of the GDPR, data processing violations that impact several EU member states may trigger the obligation for the national authorities concerned to coordinate. The aim is to arrive at a common and coherent solution. Given Amazon’s influence on the online shopping market and the size of its European customer base, the relevance of this coordination ought to be acknowledged in this case.
To date, and in the absence of the decision’s publication, only Amazon and the CNPD know the extent and exact nature of the alleged violations. The publication of the CNPD’s decision in its entirety, or even explicitly referencing the name of Amazon, is still far from being achieved. Article 52 of the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR in the Grand Duchy of Luxembourg provides, to this effect, that the CNPD “may” publish its decisions “on the condition that” all means of appeal against the decision have been exhausted and that the publication does not risk causing disproportionate damage to the parties concerned.
The publication of an administrative decision accessible to the general public (fully or not) is therefore only an option for the CNPD. This option even disappears for the supervisory authority if certain specific circumstances are met (means of recourse possible or disproportionality of the measure). In this case, Amazon’s fame and the impact of its data processing on European citizens could lead the regulator to lean towards the option of full publication. Whatever the decision of the Luxembourg Commission on this point, it is interesting to note that the ramifications of its forthcoming decision do not stop at the mere payment of a sum of money. The reputational and therefore economic impact of such a sanction will also be felt in terms of its publicity and possible limitations on its distribution.
Is the online retail giant helpless in the face of this decision, not finalised yet, but inevitable?
Well-known means of recourse
The subject of data protection can sometimes seem esoteric to the uninitiated. Although it is filled with autonomous concepts that are sometimes antithetical to classic civil law, one constant remains: the resulting sanctions are administrative decisions subject to the usual administrative remedies. It is therefore not only possible to request their annulment in court, but the administrative procedure relating to them has remained unchanged since the “amended law of 21 June 1999 on the rules of procedure before the administrative courts”.
This submission to usual administrative law is expressly recognised by Article 55 of the aforementioned Luxembourg law of 1 August 2018. Key point here, the reformation procedure (which is distinguished from annulment by the possibility for the administrative judge to modify and commute the sanction without simply annulling it) is not provided for by the Luxembourg law for sanctions pronounced by the CNPD. In the absence of an express legal provision to this effect, the outcome of administrative proceedings in data protection matters will therefore be radical by nature. Either the sanction will disappear without a trace (granting that no appeal has been launched), or it will be applied in full force against the entity which has been deemed to have violated data protection law.
In the event of an appeal against such an administrative decision, data controllers and other data processors will be able to rely on the assistance of a lawyer at the Court to represent them in the administrative procedure.
What can we learn from this decision?
- Like its neighbours, the CNPD is now sanctioning violations of the GDPR, and no longer settles for simple recommendations.
- The pronouncement of a sanction by the CNPD is only a step within a long process, which can be appealed and whose publication (in whole or in part) marks the final outcome.
- The CNPD’s sanctions are embodied in administrative decisions that can be challenged before the Luxembourg administrative courts.
In the context of such administrative proceedings and even at the pre-litigation stage of exchanges with the CNPD, the advice of a lawyer qualified in this area is a valuable asset.
We are at your disposal to assist you in this respect.
Article written by Me Florian Poncin – Avocat à la Cour at Brucher Thieltgen and Partners.