This summer will surely be remembered for the havoc it has wreaked on data protection. Almost on the sly, we have learned that the e-commerce colossus Amazon had been fined EUR 746M! If it is upheld, this is the largest fine so far (previously “only” a EUR 50M fine was issued to Google). Little is known about it, as neither Amazon nor the Luxembourgish Authority made any further comments. However, it was confirmed that the fine was in relation to a case initiated by La Quadrature du Net, a French group advocating freedom on the internet. It was also indirectly confirmed that more entities are involved, as the revenue of Amazon Europe Core SARL alone, the main Luxembourgish company used by the Seattle-headquartered corporation, would not be enough to justify the amount. Amazon called it “out of proportion” and stated that they will appeal. On the other hand, the CNPD preferred not to disclose the reasons and to adhere to professional secrecy until the terms of appeal have expired. Surely the fine will result in a huge boost for data protection, if confirmed, or will deflate the field, if not.
Two other fines have been issued, to Unser O-Bonus Club GmbH in Austria and to Deliveroo in Italy.
The first fine, amounting to EUR 2M, was mainly related to violations of consent rules. The Company, a provider of bonus club deals, was conducting profiling operations on data subjects and even selling the results of such operations to other entities (including its main promoter, the German supermarket chain Rewe) without a proper legal basis, relying on an embedded consent and lacking transparency. This case reminds us of the importance of clear policies and a proper legal basis when processing data.
The second pertains to a famous delivery app, which has become very popular in Italy and elsewhere during the lockdown. The Garante per la Protezione dei dati Personali fined Deliveroo EUR 2.6M for many violations, ranging from transparency to lawfulness of processing, and passing through the failure to notify their DPO. The most interesting reason is that Deliveroo used a shady algorithm to manage more than 8,000 rider contracts. The algorithm was quite intrusive and it included a never-ending geolocalisation of the riders, which clearly went beyond the scope of a delivery purpose. This case is an interesting example of how a company should have a clear idea of what to do with the data.
Data Protection changes outside the European Union
It is interesting to mention that Serbia, after two years, has finally adopted its new data protection law in line with GDPR. Whether the law will remain on paper (like the previous Serbian one) or will be enforced, time will tell.
In the United States, the famous video provider Zoom Video Communications Inc agreed to pay USD 86M in order to settle the lawsuit against them for having illegally shared data with Facebook, Google and LinkedIn. The preliminary arrangement was approved by the district judge of San Jose, California, USA. Some critics have cast doubt on the arrangements, as they could send the message that, if corporations agree to pay millions, they are able to do whatever they want with data.