The introduction of the General Data Protection Regulation (GDPR) has changed the legal landscape of the internet. It represents the establishment of a common strategy within the European Union to oversee internet activities and regulate the digital market. Through the GDPR, the European institutions have opted for a financial strategy: article 83 of the GDPR provides that the national supervisory authorities can impose administrative fines provided they are “effective, proportionate and dissuasive”. One of the objectives of the GDPR was to fight against the power of GAFAM. These large groups accumulate data on users that feeds algorithms to predict behaviors, and even to guide them. The collection and use of data gives them a considerable competitive advantage and is one of the elements that has enabled the development of these giants. Consequently, the regulation of the circulation of personal data constitutes a gigantic danger for these firms, whose main capital consists of personal data which they have managed to monetize.
Data Protection in France
But we have seen that the entry into force of the GDPR did not prevent GAFAM from continuing to exploit user data in a sometimes abusive manner. Several times, GAFA have been sanctioned for non-compliance with the obligations imposed by European data protection regulations. And we can see that this is not the first time that GAFAMs have considered themselves above the law. In December 2020, Amazon and Google were sanctioned by the French National Commission for Informatics and Liberties (CNIL) for non-compliance with the legislation on advertising trackers, also called “cookies”, and ordered to pay a fine of 35 million euros. The French authority noted that cookies were placed on Internet users’ computers without their prior consent when they visited one of these two platforms.
More recently, on July 16, 2021, the Luxembourg National Commission for Data Protection (CNPD) fined Amazon Europe 746 million euros.
This decision was issued following a collective complaint filed by the association La Quadrature du Net (LQDN) with the CNIL. The association accuses Amazon “of announcing that certain personal data processing operations have been carried out concerning individuals […] without, however, basing these processing operations on one of the legal bases required by law, thus rendering them illegal”.
Amazon is criticized in particular for its behavioral analysis and advertising targeting processing, which is based on the Amazon contract and not on consent or legitimate interest: “Now, submitting to this behavioral analysis and this advertising targeting is not the goal that Amazon users pursue by using its services.” Consequently, LQDN accuses Amazon of lacking a legal basis for its behavioral analysis and advertising targeting processing, which can be based neither “on the need to perform a contract with users” nor on a legitimate interest, because the analysis of a behavior can only be done with the prior consent of the person concerned.
European data protection rules
Pursuant to the cooperation procedures established by the GDPR, it was the CNPD that was competent to rule on the case of Amazon. Article 55 of the GDPR provides that: “Each supervisory authority is competent to exercise the missions and powers with which it is vested in accordance with this Regulation on the territory of the Member State to which it falls.” As Amazon Europe is located in Luxembourg, the handling of the complaint falls within the competence of the Luxembourg supervisory authority. In addition, in accordance with article 61 of the GDPR, which provides that “The supervisory authorities communicate useful information to each other and provide mutual assistance in order to implement and apply this regulation in a consistent manner, and put in place measures to cooperate effectively.”, the CNIL cooperated with the CNPD to check and analyze the evidence obtained and then, in a second phase, to examine the draft decision within the framework of the one-stop-shop procedure.
Luxembourg law provides that publicity only takes place once the remedies have been exhausted, so the decision has not been made public for the time being. But pursuant to article 77 of the GDPR, LQDN, as the complainant, was informed of the authority’s decision regarding its complaint. It appears from this decision that the behavioral analysis and advertising targeting system is carried out without the users’ consent and violates European data protection rules.
Amazon commented on the sanction in Bloomberg magazine, saying that “There has been no data breach and no customer data has been exposed to a third party”. The Amazon group plans to appeal this decision.
The Luxembourg authority found in its decision violations of numerous provisions of the GDPR. First, Amazon violated article 6.1 of the GDPR in that its advertising targeting processing is based neither on the consent of the data subject nor on a legitimate interest. Legitimate interest is one of the legal bases provided for by the GDPR on which the processing of personal data may be based. This assumes that the interests pursued by the body processing the data, whether for example commercial or the security of goods, do not create an imbalance to the detriment of the rights and interests of the persons whose data is processed. This meant that Amazon had to weigh the rights and interests involved, that is, the interest it pursued in recovering data and the protection of users’ personal data. However, it emerges from the CNPD’s decision that Amazon had no legitimate interest in its commercial activity in collecting data from its users. So what are the conditions for the processing of personal data to be lawful?
The CJEU has already had the opportunity to rule on this notion of legitimate interest in a judgment of May 4, 2017, where it states the three conditions that must be met for the processing of personal data to be lawful: “firstly, the pursuit of a legitimate interest by the controller or by the third party or third parties to whom the data are communicated, secondly, the need for the data processing of a personal nature for the realization of the legitimate interest pursued” (this means that the interest cannot be realized if the data is not exploited) “and, thirdly, the condition that the fundamental rights and freedoms of the person concerned by data protection do not prevail.” These fundamental rights and freedoms refer in particular to the rights protected by the Charter of Fundamental Rights of the European Union, which guarantees in particular the right to respect for private life.
In this case, the CNPD considered that Amazon did not meet any of these three conditions.
What is the purpose of this information and transparency obligation?
Then, the Luxembourg supervisory authority ruled on the transparency obligation incumbent on data controllers. Articles 12, 13 and 14 of the GDPR require complete and precise information. What is the purpose of this information and transparency obligation? This transparency obligation allows people whose data is used to know the reason for the data collection, to understand the processing that will be applied to their data and to keep control of their data in order to be able to exercise their rights more easily, for example the right to erasure enshrined in the Costeja judgment of May 13, 2014, in which the European judges recalled the obligation for the operator of a search engine “to remove from the list of results, displayed following a search carried out from the name of a person, links to web pages, published by third parties and containing information relating to this person” as soon as the latter requests it. This right to erasure was incorporated into the GDPR in Article 17, which Amazon has violated in that it does not allow its users to know all the information relating to the processing of their personal data. Likewise, this lack of transparency prevents data subjects from exercising their right to object (Article 21 of the GDPR), which allows anyone to object to the processing of personal data.
Finally, LQDN, as a complainant, commented on this decision and considers that, “in contrast, this historic sanction makes even more flagrant the generalized resignation of the Irish data protection authority which, in three years, has not been able to close any of the other four complaints that we had brought against Facebook, Apple, Microsoft and Google.” Indeed, when LQDN filed a complaint against Amazon in 2018, 4 other complaints were brought at the same time against Facebook, Apple, Microsoft and Google. The association considered that the causes of the failure to prosecute GAFAM were primarily political: “GAFAM are the loyal partners of states in maintaining order on the Internet”. Therefore, keeping them above the law allows states to ensure that they continue to manage censorship and mass surveillance. However, this decision by Luxembourg offers the hope of seeing the emergence of more extensive supervision of GAFAMs and in particular their submission to the rules of the GDPR. As stated by the CNIL, “this CNPD decision is nevertheless of an unprecedented scale and marks a turning point in the application of the GDPR and the protection of the rights of European nationals.”
How to ensure compliance with competition rules in this context?
Yet violations of the law on Amazon’s part appear to be on the rise. The European Commission has also opened an investigation into the use of non-public data from third-party sellers in the Amazon marketplace. To understand this problem, we have to go back to how Amazon works. It has a dual role: it provides independent sellers with a marketplace where they can sell their products, and it sells products as a retailer in the same marketplace. So Amazon competes with other sellers in its marketplace. How to ensure compliance with competition rules in this context? This is the issue that arises because, as a marketplace service provider, Amazon has access to the non-public business data of third-party sellers. For example, it has access to the sellers’ receipts, the quantity of products sold, etc. The Commission accuses Amazon of systematically using this information for the benefit of its own retail activity, which competes directly with that of these third-party sellers. The preliminary findings of this investigation showed that “considerable volumes of non-public data from sellers are available to employees of Amazon’s retail activity”, noted the Commission in its press release.
This situation would allow the company to take advantage of its dominant position in the provision of marketplace services in France and Germany by using this data to adapt its business decisions: for example, Amazon focuses its offers on the products that sell best in the different categories and adjusts its offerings based on non-public data from competing sellers. If these practices are confirmed, they violate article 102 of the Treaty on the Functioning of the EU, which provides that “Is incompatible with the internal market and prohibited, insofar as trade between Member States is likely to be affected, the fact that one or more undertakings abusively exploit a dominant position on the internal market or in a substantial part of it.” This article prohibits abuses of a dominant position on the European Union market that have an impact on competition.
Finally, we see that the national authorities now want to act to limit the abuse of their position by the GAFAM and the abuses that could result from it. The GDPR has brought a significant advance in the protection of user data; it is now necessary to ensure that its provisions are respected by all and to establish equal treatment between all actors.
Eternoscorp remains at your disposal both in the event of a sanction for violation of data protection rules and in a situation in which your rights as a user have not been respected.
“Processing is only lawful if, and insofar as, at least one of the following conditions is met:
- a) the data subject has consented to the processing of their personal data for one or more specific purposes;
- b) the processing is necessary for the performance of a contract to which the data subject is a party or for the execution of pre-contractual measures taken at the request of the latter;
- c) the processing is necessary for compliance with a legal obligation to which the controller is subject;
- d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
- e) the processing is necessary for the performance of a task of public interest or falling within the exercise of official authority vested in the controller;
- f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject prevail which require protection of personal data, in particular when the data subject is a child.”