TL;DR: On March 12, 2026, Luxembourg's Administrative Court threw out the €746 million fine against Amazon, the largest GDPR penalty ever issued. The court confirmed Amazon actually violated GDPR with its behavioral advertising practices. But regulators didn't properly analyze whether Amazon acted "intentionally or negligently" before issuing the fine, so the whole thing gets a do-over. Amazon already changed its practices to comply. The fine is dead. The message is clear: if you're big enough to afford good lawyers, GDPR fines are negotiable.
The Biggest Privacy Fine Ever Just Disappeared
Back in July 2021, Luxembourg's National Data Protection Commission (CNPD) slapped Amazon with a €746 million fine, the largest GDPR penalty in history.[1] The regulator also threatened daily penalties of €746,000 if Amazon didn't comply.
The violation? Amazon was processing personal data for targeted advertising without a valid legal basis under GDPR. The company claimed "legitimate interests" justified tracking users across its platform to serve personalized ads. The CNPD said no. That's not how consent works.
Amazon appealed. And on March 12, 2026, they won.
Sort of.
The Court Said Amazon Violated GDPR. Then Threw Out the Fine Anyway.
Here's the frustrating part: the Luxembourg court agreed with nearly everything the regulators found.[2]
The court confirmed that:
- Amazon's reliance on "legitimate interests" as a legal basis for behavioral advertising was not justified
- Amazon's information disclosure procedures violated GDPR requirements
- The underlying violations were real
So why did the fine disappear?
Two procedural failures by the regulators:
- Missing fault analysis: The CNPD never examined whether Amazon acted intentionally or negligently. A December 2023 European Court of Justice ruling (the Deutsche Wohnen case) established this as a requirement for GDPR fines. The court applied this standard retroactively.
- Automatic fine selection: The regulator jumped straight to a massive fine without properly evaluating alternative enforcement tools available under GDPR, things like warnings, reprimands, or compliance orders.
The violations were real. The process was flawed. The fine is gone.
Amazon's Statement: "We Strongly Disagreed"
Amazon released a statement expressing satisfaction with the ruling:[3]
"We're pleased the Luxembourg Court of Appeal has overturned the CNPD's decision and recognized our position. We strongly disagreed with the initial ruling and disproportionate fine that had originally been issued in this case, which is why we appealed."
The company emphasized it "worked in good faith" when the GDPR took effect in 2018, a time it described as lacking "clear implementation guidance."
Translation: We didn't know we were doing anything wrong. (The regulator disagreed. The court confirmed Amazon was doing something wrong. But here we are.)
The Regulator's Spin: "We Already Won"
The CNPD put a brave face on the loss. In their official response, they emphasized that Amazon had already complied with their 2021 order to change its advertising practices:[4]
"Prior to the date of the hearing in this case, Amazon had complied with the compliance order."
The regulator claimed victory on the substance: Amazon changed its behavior. The court upheld their findings on the legal violations. Mission accomplished, right?
Well, except for the €746 million that Amazon gets to keep.
What Happens Now
The case goes back to the CNPD for a "fresh review."[5] The regulator must:
- Analyze Amazon's degree of fault (intentional vs. negligent)
- Consider the full range of GDPR enforcement tools before selecting a sanction
- Issue a new decision following the proper process
Here's the catch: Amazon already fixed its advertising practices years ago. At a January 2026 hearing, both parties confirmed Amazon now complies with GDPR requirements for behavioral advertising.
So what happens when the regulator goes through the proper process for violations that no longer exist?
Probably a much smaller fine. Maybe no fine at all. The CNPD will have a hard time arguing Amazon acted with malicious intent when the company has been in compliance for years.
The Problem With GDPR Enforcement
This case exposes a fundamental weakness in how Europe enforces privacy law.
The GDPR gives regulators the power to issue massive fines, up to 4% of global revenue. For Amazon, that could theoretically mean billions. But actually collecting those fines? That's another story.
Consider the timeline:
| Date | Event |
|---|---|
| May 2018 | GDPR takes effect |
| July 2021 | CNPD issues €746M fine |
| 2021-2025 | Amazon appeals (4+ years of litigation) |
| January 2026 | Court hearing; Amazon confirms compliance |
| March 2026 | Fine overturned |
That's nearly five years from fine to dismissal. Amazon had the resources to fight. Most people don't.
The GDPR was supposed to change how Big Tech handles personal data. And to some extent, it has. Amazon did change its practices. But the deterrent effect of massive fines only works if companies believe they'll actually have to pay them.
When a trillion-dollar company can tie up the largest privacy fine in history for five years and then get it thrown out on procedural grounds, what message does that send?
A Pattern of Escape
Amazon isn't alone in successfully fighting GDPR fines:
- Meta (Facebook): Multiple Irish Data Protection Commission fines challenged and delayed through appeals
- Google: French CNIL fines reduced on appeal; continuing to litigate others
- Microsoft: Successfully challenged aspects of enforcement decisions
The companies with the most to lose from GDPR also have the most resources to fight enforcement. The result is a system where the headline-grabbing fines rarely match the final amounts actually collected.
What This Means for Your Privacy
The good news: Amazon actually changed its behavioral advertising practices. Whether motivated by the fine, the compliance order, or just wanting to avoid more regulatory scrutiny, the company now operates differently.
The bad news: The regulatory system that was supposed to make this happen is showing cracks. If the biggest fine ever can be thrown out because a regulator didn't check a box, what happens to smaller cases with fewer resources?
The GDPR remains the strongest privacy law in the world. But enforcement is only as good as the resources and procedures behind it. And right now, Big Tech's legal teams are winning.
References
- PPC Land: Luxembourg Court Annuls Amazon's €746M GDPR Fine (March 2026)
- CNPD: Official Statement on Amazon Administrative Court Ruling (March 2026)
- About Amazon: Amazon's Statement on Luxembourg Court of Appeals Verdict (March 2026)
- MLex: Amazon's €746M GDPR Fine Scrapped (March 2026)
- Law360: Amazon Wins Bid To Void €746M Luxembourg Privacy Fine (March 2026)
Published: March 17, 2026