The CNPD has reportedly circulated a draft decision, with the case relating to Amazon’s use of personal data and violations against the EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018.

The CNPD is the lead regulator for Amazon in the EU, with the company’s EU headquarters located in Luxembourg. The draft decision must be approved by the EU’s other 26 national regulators before a fine can be imposed.

This process could stretch for months. If implemented, it would be the highest-ever penalty under EU privacy laws.

Under GDPR rules, companies can be fined up to 4% of total global turnover of the preceding financial year. Amazon’s annual revenue amounted to $386bn in 2020 with net income of $21.33bn.

Spokespersons for both Amazon and the CNPD declined to comment on the case to the Wall Street Journal and other media outlets.

Luxembourg faced criticism from data protection activist Max Schrems for its slow pace in fining companies for GDPR violations. The CNPD this week published its first ever fines for entities in Luxembourg, between €1,000 and €18,000.

France issued the largest GDPR fine so far, against Google, in 2019 for an amount of €50m. Google appealed the decision but a court in March 2020 upheld the fine. Ireland in December 2020 fined Twitter €450,000 over a data breach disclosed in 2019. The country’s regulator opened an investigation into a leak of personal data of more 533m Facebook users in April.