
Luxembourg Court Annuls €746M Amazon Fine, Exposing Cracks in EU’s GDPR Enforcement Model

Administrative Court ruling forces data regulator to reassess record penalty under post-2023 case law requiring fault analysis—a procedural victory that may constrain future mega-fines across the bloc.

Luxembourg’s Administrative Court on 12 March 2026 overturned a €746 million GDPR fine against Amazon, ruling that the country’s data protection authority failed to assess whether violations were intentional or negligent before imposing what was Europe’s second-largest privacy penalty.

The decision, published 13 March, does not exonerate Amazon of wrongdoing. The court confirmed most of the underlying GDPR violations but found the National Data Protection Commission (CNPD) had skipped procedural steps that European Union case law now requires, and sent the matter back to the authority to start those analyses from scratch, according to PPC Land. The regulator must now redo its analysis under updated legal standards before reissuing any sanction.

Amazon Fine Timeline
Original Fine (2021): €746M
Daily Penalty: €746,000
Case Duration: 4.7 years

The case originated from a July 2021 enforcement action over Amazon’s behavioural advertising practices. The CNPD penalised Amazon over its online behavioural advertising practices, saying its processing of users’ personal data breached EU privacy rules known as the General Data Protection Regulation, per The Star. The authority argued Amazon lacked a valid legal basis for processing personal data to serve interest-based advertisements—a core revenue driver for the platform.

The Deutsche Wohnen Effect

Amazon’s victory hinges on a December 2023 ruling by the Court of Justice of the European Union that reshaped GDPR fine calculations. A company that is a controller under the GDPR can only be fined under Art. 83 GDPR if it is proven that the company committed the infringement intentionally or negligently. This is what the ECJ decided in the current judgment (C-807/21, judgment of 5 December 2023), notes Heuking. The Deutsche Wohnen precedent established that regulators must analyse fault—intent or negligence—before imposing administrative fines, rejecting strict liability interpretations.

The Luxembourg regulator issued its Amazon decision in mid-2021, eighteen months before the Deutsche Wohnen judgment clarified these requirements. Judges accepted the U.S. tech giant’s argument that the watchdog had failed to analyse whether the company had intentionally violated the GDPR or was merely negligent, according to Reuters. The court also found the CNPD failed to properly justify why a fine rather than alternative corrective measures was most appropriate.

15 Jul 2021: CNPD Issues Fine. €746M penalty plus €746,000 daily coercive measures
18 Mar 2025: Lower Court Upholds. Administrative Tribunal rejects Amazon appeal
5 Dec 2023: CJEU Deutsche Wohnen Ruling. Establishes fault analysis requirement for fines
12 Mar 2026: Appeals Court Annulment. Fine voided, case remanded to CNPD

Ripple Effects Across Enforcement Landscape

The reversal arrives amid broader judicial pushback on aggressive penalty escalation. France’s Council of State in December 2025 reduced a separate Amazon warehouse monitoring fine from €32 million to €15 million. Spain’s courts in November 2025 ordered Meta to pay €479 million to publishers for unfair competition linked to GDPR violations—a judgment that combines privacy enforcement with competition law in novel ways, per PPC Land.

The Luxembourg decision does not prevent future fines against Amazon. Whilst upholding the core work of the CNPD, the judgment nevertheless establishes that the CNPD must analyse the imposition of a financial penalty in the light of this case law, particularly with regard to the question of whether Amazon demonstrated a certain degree of negligence in its practices, the CNPD stated in a 13 March release. The regulator noted Amazon has already brought its advertising practices into compliance with GDPR requirements.

Legal Context

Article 83 of the GDPR allows fines up to €20 million or 4% of global annual turnover, whichever is higher, for serious violations. The European Data Protection Board’s 2022 guidelines establish a five-step methodology for calculating fines, but Deutsche Wohnen and related case law now require regulators to demonstrate fault—a threshold lower than criminal intent but higher than automatic liability for violations.

Implications for Pending Enforcement Actions

The ruling’s methodology matters more than its headline figure. Companies facing large GDPR penalties can now challenge whether regulators conducted the two-part analysis the Luxembourg court found lacking: whether violations were intentional or negligent, and whether less punitive corrective measures would suffice. This procedural requirement applies retrospectively to decisions issued before Deutsche Wohnen clarified the standard.

Ireland’s Data Protection Commission, which serves as lead regulator for many US tech firms under GDPR’s one-stop-shop mechanism, has issued multiple nine-figure fines against Meta properties. This year alone the Irish Data Protection Commission issued fines of EUR310 million (USD326 million/GBP257 million) against LinkedIn and EUR251 million (USD264 million/GBP208 million) against Meta, according to DLA Piper’s January 2025 enforcement survey. Similar appeals invoking fault-analysis requirements are pending across multiple jurisdictions.

Largest GDPR Fines (as of March 2026)
Company | Fine | Regulator | Status
Meta (data transfers) | €1.2B | Ireland DPC | Under appeal
Amazon (advertising) | €746M | Luxembourg CNPD | Annulled
TikTok (data transfers) | €530M | Ireland DPC | Active
Meta (Instagram) | €405M | Ireland DPC | Active

The Amazon decision also highlights divergent approaches among national regulators. While Luxembourg imposed the bloc’s second-largest fine, the court found the authority’s legal reasoning insufficient under current standards. The European Data Protection Board coordinates cross-border enforcement, but national courts retain final say over whether regulators followed proper procedure when calculating penalties.

What to Watch

The CNPD must now restart its fault analysis while Amazon’s compliance changes remain in effect. Whether the regulator imposes a new fine—and at what level—will test how Deutsche Wohnen constrains penalty calculations when violations are confirmed but procedural gaps exist. French courts are reviewing similar cases involving Meta advertising practices, offering parallel test cases for the fault-analysis requirement.

Broader enforcement trends show no slowdown despite high-profile reversals. GDPR fines pushed past the £1 billion (€1.2 billion) mark in 2025 as Europe’s regulators were deluged with more than 400 data breach notifications a day, according to a new survey. The figures come from the latest GDPR Fines and Data Breach Survey published by DLA Piper, per The Register. The challenge for tech platforms is no longer whether enforcement will intensify, but whether penalties will survive appellate review under evolving case law that demands more rigorous legal justification before imposing nine-figure sanctions.