Amazon vs CNPD: record fine annulled and how GDPR fines must be calculated
On 12 March 2026, Luxembourg’s Administrative Court annulled the CNPD’s €746m fine against Amazon for lack of fault analysis. Going forward, GDPR fine calculation must justify intent or negligence.
Summary — On 12 March 2026, Luxembourg’s Administrative Court annulled the CNPD’s €746m fine against Amazon for lack of a sufficient analysis of “fault” as required by the CJEU. Key takeaway: assessments under GDPR Article 83 must expressly consider intent or negligence.
The case
On 12 March 2026, the Administrative Court of Luxembourg (judgment No. 52757C) annulled the CNPD’s decision imposing a €746 million administrative fine on Amazon Europe Core S.à r.l. (original decision July 2021). The Court remitted the case for re‑assessment, finding that the level of “fault” (intentional or negligent) had not been properly evaluated in setting the fine. Official source: Ministry of Justice/La Justice Luxembourg press release “Arrêt de la Cour administrative… 12 mars 2026 (n° 52757C)” (justice.public.lu).
The next day, the CNPD acknowledged the ruling, recalling that its key findings regarding behavioural advertising violations were upheld and that it would continue its work — but the fine is annulled and must be recalculated. Official source: “The CNPD has secured effective data-processing compliance by Amazon… (12/03/2026)” (cnpd.public.lu).
- Amount: €746m (fine annulled, case remitted for re‑assessment). (justice.public.lu)
- Legal basis: GDPR infringements linked to behavioural advertising; investigation and sanction by the CNPD (Articles 58 and 83 GDPR). Reference text: GDPR Article 83 (EUR‑Lex).
Legal reasoning
The decisive issue is not whether infringements occurred (largely upheld) but the fining methodology: the Administrative Court requires the CNPD to substantiate the element of “fault” (intent or negligence) in line with the CJEU’s 5 December 2023 case law.
- C‑807/21, Deutsche Wohnen: a GDPR fine requires that the infringement be intentional or negligent; the substantive conditions for fines are fully governed by EU law (Art. 83(1)-(6)). (curia.europa.eu)
- C‑683/21, Nacionalinis: the Court confirms the fault requirement (intent/negligence) and clarifies the authority’s role when imposing fines. (eur-lex.europa.eu)
Direct consequence: authorities cannot apply “strict liability” to set a fine; they must show, in light of the circumstances (Art. 83(2) GDPR), that the controller “could not have been unaware” of the unlawful nature of the conduct or failed in a duty of care. (curia.europa.eu)
This requirement aligns with EDPB Guidelines 04/2022 (final, 24 May 2023), which set a five‑step method for calculating fines (processing qualification, starting point by gravity and turnover, aggravating/mitigating factors, legal caps under Art. 83(4)-(6), and the final effectiveness/proportionality/dissuasiveness check). The EDPB stresses that fine calculation is not a “pure math exercise”: case circumstances — including intent/negligence — are decisive. Official source: EDPB, Guidelines 04/2022. (edpb.europa.eu)
What changes in practice
For executives, DPOs and CISOs in Luxembourg (and cross‑border):
- Fine decisions must articulate intent or negligence. Practically, “fine files” must include evidence showing the organisation knew (or could not have been unaware of) the unlawfulness of its practices, or failed to act with reasonable care (e.g., ignored internal alerts, audits without follow‑up, lack of controls despite known risks). This analysis must be traceable. (curia.europa.eu)
- The Article 83(2) GDPR factors — nature/severity/duration, intentional or negligent character, mitigation, past infringements, degree of cooperation, data categories, etc. — return to the forefront: each factor must be assessed “case by case” and balanced in the decision. Official text: EUR‑Lex, Art. 83. For local practice, see our overview on GDPR compliance in Luxembourg.
- EDPB Guidelines 04/2022 become the operational roadmap: build an internal “fine file” aligned with the 5 steps (starting point by gravity/turnover, adjustments via mitigating/aggravating factors, legal cap check, final effectiveness/proportionality/dissuasiveness test), with a dedicated chapter on intent/negligence. A DPO mandate can help structure this approach.
Practical examples
- Targeted ads and cookies: if internal/CNIL‑EDPB audits warned about insufficient consent and nothing was fixed, negligence may be established and increase the amount; conversely, a swift, documented remediation plan weighs as a mitigating factor (Art. 83(2)(c)). (eur-lex.europa.eu)
- Security (Art. 32): a breach does not automatically trigger a high fine; the authority must assess whether appropriate measures were in place, whether known gaps were left unaddressed (negligence), and how the organisation responded (mitigation). A documented security audit can be decisive. (eur-lex.europa.eu)
- Privacy governance: traceability of decisions (committees, risk acceptance, documented trade‑offs) can distinguish a clearly established fault from a good‑faith error that was promptly corrected. This traceability informs the EDPB’s proportionality test. (edpb.europa.eu)
Common pitfalls
- Confusing “late compliance” with absence of fault. Fixing issues after an investigation is not enough; you must evidence prior diligence (monitoring, audits, decisions, trade‑offs). Without such proof, negligence may be found. Reference: CJEU fault requirement (05/12/2023). (curia.europa.eu)
- Failing to document Article 83(2) factors. Many internal files overlook severity/duration/harm matrices or the level of cooperation. Skipping this balancing exercise leaves the methodology exposed on appeal. Official text: GDPR Art. 83.
- Reducing the calculation to a revenue percentage. The EDPB confirms the method is not a simple proportion (“rule of three”): you need a starting point (gravity/turnover), reasoned adjustments and a final test of effectiveness, proportionality and dissuasiveness. (edpb.europa.eu)
- Overlooking “intent/negligence” in defence. In litigation, lack of a fault analysis is a ground for annulment (as in Amazon). Dated controls, alerts, decisions and action plans are key to rebut negligence. Sources: Administrative Court 12/03/2026; CJEU 05/12/2023. (justice.public.lu)
- Underestimating the regulator’s stance. The CNPD indicates it will continue its work after the annulment: the merits may be upheld, but the fine recalculated with a strengthened methodology — potentially high if fault is established. (cnpd.public.lu)
In short, the 12 March 2026 ruling imposes stricter discipline on fining methodology: evidence fault, rigorously balance Article 83(2) factors and apply the EDPB method. For organisations, this calls for “defence by evidence”: governance, audits and traceable decisions — before, during and after supervision. For a Luxembourg‑focused view, see our page on GDPR in Luxembourg.
Luxgap regulatory expertise article.