The Docket: Amazon Just Dodged €746M - Here's What Changed

Luxembourg court annuls record GDPR fine. If the biggest penalty in history gets thrown out, what does 'reasonable' compliance actually mean?

The Luxembourg court just annulled Amazon's €746 million GDPR fine. Not reduced. Not suspended. Annulled.

If the biggest privacy penalty in history can be thrown out entirely, every compliance team needs to understand what just shifted.

What Happened

In July 2021, Luxembourg's data protection authority hit Amazon with a record €746 million fine for GDPR violations related to targeted advertising and consent mechanisms.

Amazon appealed. This week, Luxembourg's administrative court sided with Amazon and scrapped the entire penalty, sending the case back to the regulator.

The court didn't rule Amazon was compliant. It ruled the regulator didn't prove its case properly.

GDPR fines require regulators to prove three things:

  1. The violation (what law was broken)
  2. The harm (actual or potential)
  3. Proportionality (why this fine amount)

Luxembourg's DPA apparently failed on proportionality. The court found the authority didn't adequately justify why €746 million was the right number versus €400 million or €200 million.

This matters because GDPR allows fines up to 4% of global revenue. For Amazon, that ceiling is roughly $23 billion. The regulator picked €746 million (about 3% of the maximum) but couldn't explain the math clearly enough for court.

What This Changes

For regulators:

If you're going to swing for a record fine, your paperwork better be airtight. Vague reasoning about "severity" and "deterrence" won't survive judicial review when the defendant has Amazon-grade legal teams.

For companies:

Appeals work. Amazon didn't argue they were GDPR-compliant. They argued the regulator's process was flawed. The court agreed.

Meanwhile, France's Conseil d'État just upheld Criteo's €40 million GDPR fine the same week. That one stuck because French regulators documented their reasoning precisely.

For compliance teams:

"Reasonable" GDPR compliance now has two definitions: what regulators think and what courts will uphold. Those are not the same thing.

The gap creates planning risk. You can't budget for regulatory enforcement if courts might annul the penalties three years later.

What Gets Logged

When a case like this goes to court, three artifacts matter:

  1. The initial violation report (what you disclosed, when, how)
  2. The regulator's investigation file (how they calculated harm and proportionality)
  3. Your remediation evidence (what you fixed, when, how you proved it)

Amazon's defense likely wasn't "we did nothing wrong." It was "the regulator's math doesn't hold up under scrutiny."

That defense requires your incident response and remediation documentation to be court-grade, not just regulator-grade.

The Evidence Standard

Luxembourg's court made one thing clear: if you're issuing the largest privacy fine in history, you need to document exactly why it's not the second-largest or the tenth-largest.

For companies, the inverse holds: if you're defending against a fine, your best shot is proving the regulator's process was sloppy, not that you were perfectly compliant.

Courts care about procedural fairness. Make sure your incident response creates a clean record that supports procedural arguments, not just technical ones.

What to Do This Week

  1. Check your GDPR incident playbook. Does it create court-defensible documentation or just regulator-friendly summaries?
  2. Review your consent mechanisms. Amazon's original violation involved targeted advertising consent. If you're in adtech, assume your consent flows will get the same scrutiny.
  3. Map your proportionality exposure. If you got fined 4% of revenue tomorrow, could you defend why it should be 2% or 0.5%? Regulators have to make that case. So should you.

Courts are not rubber-stamping record fines anymore. Make sure your compliance posture is built for judicial review, not just regulatory checkbox-ticking.
