Why Amazon no longer has to pay its €746M GDPR fine

PPC Land reported the outcome final week: Luxembourg’s Administrative Courtroom annulled the €746 million nice imposed on Amazon by the Nationwide Fee for Knowledge Safety (CNPD) in 2021, sending the case again to the regulator. What the information report couldn’t absolutely discover was the exact authorized structure of that annulment – why, in a case the place the courtroom confirmed Amazon broke the legislation on a number of counts, the corporate nonetheless walks away with out paying a single euro. That query deserves a better look.

The ruling, case quantity 52757C, was issued on March 12, 2026, following a public listening to the identical day. Three separate traces of argument produced the consequence. None of them denied the violations. Collectively, they dismantled the nice from under.

The GDPR violations the courtroom truly confirmed

Earlier than unpacking why the nice fell, it’s value being exact about what the courtroom didn’t contest. In response to the judgment, Amazon’s processing of private information for interest-based promoting (referred to all through the choice as PBI – Publicité Basée sur les Intérêts) lacked a legitimate authorized foundation underneath Article 6(1)(f) of the GDPR. The three-part check for respectable curiosity was not met. The corporate’s privateness notices violated Articles 12 by means of 14 on transparency. The best of entry underneath Article 15 was breached. The rights of rectification and erasure underneath Articles 16 and 17 had been discovered to have been inadequately revered.

These findings survived 5 years of litigation and two ranges of attraction. The courtroom upheld them. But the nice is gone. Why?

Argument one: the nice rested on strict legal responsibility, which GDPR doesn’t allow

The deepest argument – and the one the courtroom recognized as independently adequate to annul the choice – issues the authorized commonplace the CNPD utilized earlier than concluding a nice was warranted.

Below Article 83(2)(b) of the GDPR, when a supervisory authority considers imposing a nice, it should consider “whether or not the infringement was dedicated deliberately or negligently.” The CNPD learn this as one criterion amongst many when figuring out the quantity of a nice it had already determined to impose. The Administrative Courtroom, following two CJEU judgments issued on December 5, 2023 – the Deutsche Wohnen case (C-807/21) and the Nacionalinis case (C-683/21) – held that this studying is incorrect.

The CJEU in these circumstances established that proof of fault will not be merely a consider calculating the nice. It’s a threshold situation that have to be happy earlier than any nice could be imposed in any respect. In response to the judgment, the EU legislature “didn’t deem it needed, so as to guarantee a excessive stage of safety for people with regard to the processing of private information, to offer for the imposition of administrative fines within the absence of fault.” The courtroom in Luxembourg quoted this passage immediately and utilized it.

Negligence, underneath the CJEU commonplace, is established “at any time when the info controller couldn’t have been unaware of the illegal nature of their conduct, no matter whether or not they had been truly conscious of the infringement.” That’s not an unattainable bar to clear – nevertheless it have to be cleared. The CNPD, in line with its personal concession on the January 8, 2026 listening to, by no means tried to clear it. Its 2021 determination acknowledged that the violations weren’t intentional and that Amazon had carried out its accountability evaluation in good religion. It then handled that as a mitigating consider calibrating the nice quantity, relatively than as the place to begin for a fault inquiry which may have supported or blocked the nice altogether.

What makes this argument significantly placing is its retroactive attain. The Deutsche Wohnen and Nacionalinis judgments had been issued in December 2023 – greater than two years after the CNPD’s July 2021 determination. But the Administrative Courtroom utilized them anyway. In response to settled CJEU doctrine, an interpretation of EU legislation by the Courtroom of Justice clarifies the that means of that legislation because it should and will have been understood for the reason that second it entered into drive. This implies the CNPD was certain by the fault requirement in 2021, although the requirement had not but been articulated. The regulator couldn’t treatment the defect by providing extra reasoning on attraction, as a result of the omission was not a spot in its rationalization – it was a spot in its precise evaluation.

The courtroom was equally clear that it couldn’t itself conduct that fault evaluation for the primary time at appellate stage. Doing so would have disadvantaged Amazon of the fitting to have negligence assessed at first occasion, which Article 78 of the GDPR protects as the fitting to an efficient judicial treatment. It is a procedural safety that cuts in Amazon’s favour, and it meant the case had to return.

Argument two: the nice was automated, not proportionate

The second argument that succeeded attacked the CNPD’s decision-making course of from a special course. Even when fault had been correctly established, the courtroom discovered that the CNPD had by no means genuinely requested whether or not a nice was the fitting instrument.

Article 58(2) of the GDPR offers supervisory authorities a large menu of corrective measures: warnings, reprimands, orders to conform, non permanent or everlasting restrictions on processing, and administrative fines. The supply says fines could also be imposed “along with or in lieu of the measures referred to” within the article, “relying on the precise circumstances of every case.” The CJEU, in its September 26, 2024 judgment in TR v. Land Hessen (C-768/21), held that this framework can’t be learn as creating an obligation to nice robotically at any time when a violation is discovered. The measure taken have to be “applicable, needed, and proportionate to treatment the recognized deficiency.”

The Administrative Courtroom reviewed the CNPD’s determination and located no proof that the authority had truly weighed alternate options. Paragraph 295 of the CNPD’s July 2021 determination listed the Article 83(2) standards and concluded {that a} nice was justified – however that evaluation was framed solely when it comes to whether or not and the way a lot to nice, not whether or not fining relatively than another measure was the fitting response. The CNPD’s litigation place bolstered this studying: in its submissions, the authority repeatedly characterised fines as “the rule” in GDPR violation circumstances.

The courtroom was cautious to not say {that a} nice was essentially incorrect right here. It acknowledged that supervisory authorities retain large discretion in selecting corrective measures. However the train of discretion requires that it truly be exercised. A regulator that treats a nice as the automated output of a violation discovering, with out asking whether or not one thing else would possibly higher serve the GDPR’s goals given the circumstances of the case, has not exercised discretion – it has bypassed it. These circumstances included Amazon’s supply to cooperate through the proceedings, the steps it had already taken to regulate some practices earlier than the choice was issued, and – on the time of the listening to – the confirmed indisputable fact that it was now absolutely compliant.

This argument and the fault argument compound one another. The courtroom put it exactly: the CNPD had did not confirm two vital steps within the decision-making course of resulting in a nice. The fault evaluation is a needed situation. The proportionality evaluation can also be needed. The absence of both independently invalidates the nice. The absence of each means the choice is “so basically flawed that its annulment is required in its entirety.”

Argument three: Article 21 was exterior the investigation’s scope

The third argument operated at a narrower stage however succeeded partially and will have an effect on the dimensions of any future nice. Amazon argued that the CNPD’s discovering of an unbiased violation of Article 21 of the GDPR – governing the proper to object to processing – went past the said scope of the investigation.

The investigation had been opened on April 5, 2019 with a said objective: to confirm compliance with GDPR obligations concerning processing actions for behavioral promoting functions, particularly the authorized foundation for that processing and using cookies. The CNPD in the end discovered violations not simply of Article 6 and cookie-related provisions, however of Articles 12 by means of 17 and 21. For many of these provisions, the courtroom upheld the enlargement as respectable – the evaluation of transparency and entry rights was traceable to the balancing-of-interests check underneath Article 6(1)(f), and Amazon had participated in that a part of the investigation with out formally objecting.

Article 21 was completely different. In response to the courtroom, the assertion of objections had addressed the opt-out mechanism solely within the context of the respectable curiosity balancing check – as an element which may tip the scales a method or one other – and the lead investigator had drawn no unbiased conclusions a couple of stand-alone Article 21 violation. Amazon had not been placed on discover that it confronted a separate cost underneath that provision. The CNPD raised it as an unbiased violation for the primary time in its closing determination of July 15, 2021.

That procedural historical past issues. The courtroom held that as a result of Amazon was confronted with a brand new unbiased cost at determination stage with out having had the chance to reply through the investigation, its rights of defence had been compromised. The courtroom excluded Article 21 from the scope of the evaluation solely. This doesn’t forestall the CNPD from reopening the Article 21 query when it reanalyses the case – nevertheless it can’t be used to assist the nice that was annulled, and any future examination on that time would wish to comply with correct procedural steps.

Why the compliance shift destroyed the need argument

There’s a fourth thread within the judgment that, whereas not independently adequate to annul the nice, has lasting implications for the way respectable curiosity works as a authorized foundation in behavioral promoting.

By the point of the January 8, 2026 listening to, Amazon had shifted from counting on Article 6(1)(f) to processing information for interest-based promoting on the idea of consumer consent underneath Article 6(1)(a). The CNPD confirmed at that listening to that this new method was at present deemed compliant. The courtroom handled this truth as a direct reply to the need situation Amazon had been unable to fulfill.

Below the three-part check for respectable curiosity, processing have to be strictly needed to realize the respectable curiosity pursued – that means the curiosity can’t be achieved simply as successfully by different means which can be much less intrusive to the info topic’s elementary rights. Amazon had argued all through the litigation that consent-based processing was technically attainable however not a genuinely equal different, as a result of it could restrict the info out there for concentrating on to customers who affirmatively consented. The courtroom rejected that framing. The shift to consent had already occurred, and Amazon had not argued it was much less efficient at pursuing its business pursuits. The query answered itself.

That is vital past the Amazon case. The legitimate interest question has shaped enforcement across multiple platforms. The courtroom’s reasoning means that the place a platform has since migrated to consent-based processing for behavioral promoting and never claimed a lack of effectiveness, that migration could be cited retroactively as proof that the need situation was by no means met underneath respectable curiosity. The implication is round however legally coherent: if you are able to do it with consent, you would all the time have executed it with consent, so respectable curiosity was by no means strictly needed.

For any platform nonetheless working behavioral promoting on a respectable curiosity foundation throughout Europe, the query will not be theoretical. Meta’s reliance on legitimate interest for AI training data has already drawn a survey finding that only 7% of German users want their data used for that purpose, complicating the corporate’s authorized basis underneath Article 6(1)(f). The Spanish courts ordered Meta to pay €479 million to publishers in November 2025 on associated grounds. The Luxembourg courtroom’s reasoning provides one other layer to that accumulating case legislation.

What the CNPD should now do in another way

The referral again to the CNPD will not be a clear slate. A number of issues have already been definitively determined. The violations of Articles 6, 12 by means of 17 are confirmed. The discovering on Article 21 is excluded from the renewed evaluation pending correct process. The compliance order is moot as a result of Amazon is compliant. The one stay query is the nice – and even there, the courtroom has set out a exact sequence the regulator should comply with.

First, the CNPD should decide whether or not Amazon acted with not less than negligence concerning every confirmed violation, assessed in opposition to the state of the legislation and follow on the time of the investigation, starting April 5, 2019. This requires a real inquiry, not an automated inference from the discovering of a violation. The CNPD acknowledged it didn’t apply the negligence commonplace in 2021, partly as a result of the CJEU had not but articulated it. The courtroom was clear this doesn’t matter: the duty existed from the GDPR’s entry into drive.

Second, if negligence is established, the CNPD should conduct a real proportionality evaluation throughout the complete vary of measures out there underneath Article 58(2). Provided that Amazon is now absolutely compliant – confirmed by each events on the listening to – the sensible query for the regulator is what measure or mixture of measures is acceptable purely in relation to previous conduct. Germany’s unified fine procedures adopted in June 2025 signify one European method to standardising this sort of evaluation; Luxembourg should do it by itself phrases however throughout the identical CJEU framework.

No timeline has been introduced. The sensible impact, for now, is that one of many largest fines in GDPR historical past has been put aside, the violations it was primarily based on have been confirmed, and the regulator should begin the penalty evaluation from a standing begin.

Timeline

• Could 28, 2018 – La Quadrature du Internet information criticism with France’s CNIL concerning Amazon group firms’ behavioral promoting practices
• April 5, 2019 – CNPD opens investigation concentrating on authorized foundation for interest-based promoting and cookie practices
• June 25, 2020 – CNPD lead investigator serves assertion of objections on Amazon
• July 15, 2021 – CNPD points €746,000,000 nice with €746,000 each day penalty for GDPR violations; Luxembourg’s total fine history at the time dominated by this single case
• October 15, 2021 – Amazon information attraction with Administrative Tribunal
• December 17, 2021 – President of Administrative Courtroom suspends enforcement of corrective measures
• December 5, 2023 – CJEU points Deutsche Wohnen (C-807/21) and Nacionalinis (C-683/21) judgments establishing fault as prerequisite for GDPR fines
• March 18, 2025 – Administrative Tribunal dismisses Amazon’s attraction and upholds the complete CNPD determination
• April 25, 2025 – Amazon information additional attraction with Administrative Courtroom (Case No. 52757C)
• December 23, 2025 – France’s Council of State reduces Amazon France Logistique’s separate €32 million GDPR fine to €15 million after making use of necessity and negligence evaluation
• January 8, 2026 – Public listening to; each events verify Amazon now absolutely compliant; CNPD acknowledges it by no means carried out the fault evaluation the CJEU requires
• March 12, 2026 – Administrative Courtroom points judgment annulling the CNPD determination of July 15, 2021 in its entirety and remanding to the CNPD
• March 13, 2026 – Judgment revealed; PPC Land reports the outcome

Abstract

Who: Amazon Europe Core S.à r.l., represented by Allen Overy Shearman Sterling SCS, efficiently appealed earlier than Luxembourg’s Administrative Courtroom in opposition to the CNPD’s determination. The CNPD was represented by NautaDutilh Avocats Luxembourg.

What: Three authorized arguments produced the annulment of Amazon’s €746 million GDPR nice: the CNPD utilized a type of strict legal responsibility by by no means assessing negligence as a threshold situation for the nice; it by no means genuinely evaluated whether or not a nice was the proportionate measure given the circumstances; and it discovered an unbiased violation of Article 21 with out giving Amazon the chance to reply through the investigation. The violations of Articles 6, 12, 13, 14, 15, 16, and 17 of the GDPR had been confirmed and stay intact. The case has been referred again to the CNPD to conduct fault and proportionality analyses.

When: The CNPD’s unique determination was issued July 15, 2021. The Administrative Courtroom’s annulling judgment was issued March 12, 2026 and revealed March 13, 2026.

The place: Luxembourg. The CNPD is Amazon Europe Core’s lead supervisory authority underneath the GDPR’s one-stop-shop mechanism. The CJEU case legislation that formed the result originates from Luxembourg Metropolis.

Why: Amazon not has to pay the nice as a result of the CNPD did not comply with two obligatory analytical steps – the fault evaluation and the proportionality evaluation – earlier than issuing it. These steps weren’t non-compulsory formalities. Below the CJEU’s interpretation of the GDPR, they’re circumstances of legality. With out them, the nice couldn’t stand, no matter whether or not the underlying violations had been actual.