CNPD – Court Ruling (Luxembourg, 2026)

In 2018, the French non-profit organisation La Quadrature du Net filed a complaint against Amazon (the controller). The organisation claimed that Amazon could not rely on the legal basis of legitimate interest for processing personal data for targeted advertising. It also claimed that Amazon failed to respect several rights of the data subjects. On 15 April 2019, the Luxembourg Data Protection Authority (CNPD) opened an investigation as the lead DPA under the cooperation mechanism. The CNPD examined whether Amazon had a valid legal basis under Article 6 GDPR and whether it complied with transparency obligations and data subject rights under Articles 12 to 17 GDPR and Article 21 GDPR. On 15 July 2021, the CNPD adopted a decision finding multiple infringements of the GDPR. It held that Amazon did not have a valid legal basis for behavioural advertising under Article 6(1) GDPR at the time of the investigation. The CNPD also found breaches of transparency obligations and failures to respect the rights of data subjects, including the right of access, the right to erasure, and the right to object. The CNPD imposed an administrative fine of €746,000,000. It also ordered Amazon to bring its processing operations into compliance within six months and imposed a periodic penalty payment in case of non-compliance. Amazon challenged the decision before the Administrative Court (Luxembourg), arguing that the CNPD violated procedural rules, including the right to a fair procedure, the right of defence, and the principle of impartiality. Amazon also argued that the CNPD exceeded the scope of its investigation and denied access to parts of the file. On the merits, Amazon claimed that it could rely on Article 6(1)(f) GDPR (legitimate interests) and that it had complied with transparency and data subject rights obligations. The Administrative Court rejected Amazon’s action and upheld the CNPD’s decision. Amazon appealed to the higher Administrative Court. In its judgment of 12 March