The record fine of €746 million imposed on Amazon for violations of EU privacy rules has put the grand duchy in the top spot among Europe’s biggest GDPR-related fine givers. Fonds Belval

Luxembourg has emerged as the top country in Europe for imposing fines for violations of the EU’s General Data Protection Regulation (GDPR), driven by a record penalty against Amazon of €746m.

Luxembourg’s data protection agency, the CNPD, in July imposed the fine against the internet giant for violations of EU privacy laws. This was enough to place Luxembourg as the country levying the highest fines for data breaches across Europe, way ahead of France.

The grand duchy’s neighbour until now had been in the leading position following a €50m penalty imposed on Google by the French data protection regulator, CNIL. Germany came in third place following a €32m fine imposed on H&M for data breaches in handling and processing employee information.

At the beginning of the year, the grand duchy had issued zero fines for data breaches, although it ly received 545 breach notifications. And Luxembourg has still issued only 11 fines in total, one of the lowest amounts in Europe.

The number compares to 255 fines issued by Spain for a total of around €32m. Italy and Romania follow with 76 and 61 fines issued, respectively. In Luxembourg, aside from Amazon’s record fine, the remaining fines come to a total of €71m, with the second-largest fine of €18,000 imposed on an unknown entity for failure to appoint a data protection officer, a strict requirement under GDPR laws for specific entities and activities.

Since Amazon’s European headquarters is stationed in Luxembourg, the national data protection agency handled the proceedings against the company. However, in June, the EU Court of Justice ruled that national data protection authorities can also launch GDPR violation proceedings against firms registered in other EU member states in exceptional circumstances.

GDPR came into force on 25 May 2018 and is known to be the toughest privacy and security law in the world. So far, over €1bn in GDPR fines have been recorded for a total of 780 violations. Amazon’s fine accounts for over half of the total amount. The smallest single fine of €28 was imposed by Hungary on an unknown entity for not yielding to a person’s request to access information within a given timeframe.