Luxembourg’s Administrative Court has upheld a €746 million penalty against Amazon issued by the country’s Data Protection Authority (DPA).
When originally issued in 2021, Amazon’s fine was the largest ever received under the General Data Protection Regulation (GDPR). The court backed the DPA’s findings that Amazon had breached the EU’s rules on cookie consent, transparency, and data subject rights.
The origins of the judgment
This case arrived on the Luxembourg DPA’s desk back in May 2018, shortly after the GDPR took effect.
Lodged by French civil society group La Quadrature Du Net (LQDN) and co-signed by over 10,000 individuals, the complaint (in French) alleged that “the targeted ad system that Amazon forces onto us is not based on free consent.”
LQDN said Amazon was collecting data about people’s shopping habits, location, and devices for targeted advertising purposes without specifying an appropriate legal basis.
The DPA’s investigation
Three years after receiving LQDN’s complaint, the Luxembourg DPA issued Amazon a fine of €746 million—at the time, the largest GDPR fine ever (it’s now second place to the Irish DPA’s €1.2 billion fine against Meta).
However, thanks to Luxembourg’s confidentiality rules, the DPA did not announce or publish its decision. News of the penalty came from Amazon itself, which declared it in a 2021 legal filing.
Amazon appealed the fine at Luxembourg’s Administrative Court, which deliberated in secret for a further four years, finally publishing its judgment on 18 March 2025 – nearly seven years after the initial complaint.
The court’s judgment
The court upheld all of the Luxembourg DPA’s findings – and thanks to the judgment, we now know what those findings were.
- Amazon claimed that it relied on “legitimate interests” to set targeted cookies. The court found that this was not a valid legal basis for such activity under Luxembourg’s national privacy law (implementing the EU’s ePrivacy Directive)
- Amazon failed to provide the mandatory information to data subjects under Articles 12-14 of the GDPR, including the purposes for which it processed certain personal data, its legal basis for doing so, and how people could exercise their rights.
- Amazon failed to uphold people’s rights to access, delete, and correct their personal data, and to object to the processing of their personal data. Amazon said they were not required to do so because the data had been pseudonymized, but both the regulator and the court disagreed.
What happens next?
Amazon has a further opportunity to appeal the judgment but has not indicated whether or not it will do so.
In its defense against the DPA’s findings, Amazon argued that the legal process violated its rights to a fair trial under Article 6 of the European Convention on Human Rights (ECHR) and Article 47 of the EU Charter of Fundamental Rights (CFR). The court did not accept these arguments.
The judgment re-establishes some core data protection and privacy rules that have become even clearer since LQDN’s 2018 complaint:
- Setting cookies for non-essential purposes like targeted advertising requires clear, free, specific consent. “Legitimate interests” is not a valid legal basis for such activities.
- You must provide data subjects with all the necessary information set out in Articles 12-14 GDPR if you intend to process (or have already processed) their personal data.
- People do not lose their rights over their data just because it is pseudonymized. While there are circumstances where you do not have to comply with the rights to access, delete, or correct personal data, these apply in very limited circumstances.
