Amazon vs CNPD (12 March 2026): Legitimate interest is not enough

Luxembourg’s Administrative Court annulled the €746M fine but confirmed that behavioral advertising cannot rely on legitimate interest. 2026 takeaways for legal bases and the requirement to prove fault.

On 12 March 2026, Luxembourg’s Administrative Court annulled Amazon’s record €746M fine while confirming that behavioral advertising could not rely on legitimate interest. Key takeaways: intrusive marketing requires consent, and GDPR fines now require proof of fault.

The case

  • Parties and authority: Amazon Europe Core S.à r.l. and the CNPD.
  • Challenged decision: the €746M fine and corrective measures imposed in summer 2021 for behavioral advertising–related processing.
  • Judgment: Administrative Court of Luxembourg, 12 March 2026 (No. 52757C). The Court upheld the CNPD’s analysis rejecting legitimate interest and noting information shortcomings, observed that corrective measures had been implemented before the hearing, but annulled the fine alone in light of post‑2021 CJEU case law requiring fault (intent or negligence) for GDPR fines. See the official press release of the Luxembourg Ministry of Justice and the CNPD notice of 13 March 2026. justice.public.lu · cnpd.public.lu
  • Ground for annulling the fine: the requirement to assess fault (negligence/intent) stemming from the CJEU’s 5 December 2023 rulings (C‑807/21 Deutsche Wohnen; C‑683/21 Nacionalinis), which must be integrated under Article 83 GDPR. curia.europa.eu · ipcuria.eu

Legal reasoning

1) Legal basis (Article 6 GDPR)

The Court confirmed that behavioral advertising—on the facts challenged in 2021—could not rely on Article 6(1)(f) legitimate interest. Given the intrusive nature of profiling and cross‑service tracking, consent was required. The Court aligned with the CNPD’s view and also noted information deficiencies. References: CNPD position, Article 6 GDPR. This fits broader EU work: in 2024, the EDPB’s draft Guidelines 1/2024 on Article 6(1)(f) tightened necessity and balancing tests. edpb.europa.eu

2) Fines (Article 83 GDPR) and the fault requirement

The fine was annulled in light of post‑2021 CJEU case law. The 5 December 2023 judgments require that GDPR fines be based on intentional or negligent infringement, excluding strict liability; they also reaffirm the “undertaking” concept for turnover‑based caps. CJEU press release No. 184/23 · Case C‑807/21. Calculation method: the EDPB (24 May 2023) sets a five‑step process to be combined with the fault requirement. EDPB Guidelines 04/2022

3) Luxembourg focus

The judgment remits the case to the CNPD: substantive duties (lawfulness, transparency) stand, and legitimate interest is rejected for behavioral targeting; only the fine must be reassessed in light of fault. Ministry of Justice release

What changes in practice

  1. Marketing and behavioral ads: by default, rely on consent—not legitimate interest—especially with cross‑service or third‑party data. Consent flows must be granular, specific, freely given and documented; provide clear information at collection. CNPD
  2. Fine governance: the authority must prove fault (intent/negligence) before imposing monetary sanctions. Organizations should evidence absence of negligence: decision logs, necessity and balancing tests, DPIAs, privacy‑by‑default proofs. See the CJEU and the EDPB five‑step framework. To operationalize this, a structured DPO mandate helps secure analysis and documentation.
  3. Litigation and remediation: prompt execution of corrective measures can render parts of a dispute moot even if the merits (lawfulness) are upheld.

Examples in Luxembourg:

  • E‑commerce platform: cross‑device retargeting and deep personalization using other group services → consent.
  • Online media: strictly necessary audience measurement (cookie‑exempt or server‑side without retargeting) → legitimate interest may be viable with a rigorous test; any marketing expansion requires consent.
  • Bank/insurance: fraud prevention and network security (Recital 49) → legitimate interest is possible, documented, with minimization and preserved rights. See GDPR Articles 6 and 83.

Common pitfalls

  1. Labeling “legitimate interest” to move faster: for intrusive profiling, both the CNPD and the Court reject it absent strict necessity and a robust balancing test.
  2. Confusing “consent” with “accepting T&Cs”: Article 6(1)(b) does not cover non‑essential marketing/tracking.
  3. Ignoring the fault element in fine risk: document good‑faith decisions, DPO advice, internal controls, fixes, and training.
  4. Poor or misleading information: clear notices (Arts. 12–13 GDPR) underpin a valid legal basis and weigh in the EDPB 04/2022 gravity assessment.
  5. Underestimating swift corrective measures: delays worsen exposure and remove a key argument during enforcement.

Official sources

Summary and next steps

The 12 March 2026 judgment draws a clear line: intrusive marketing requires consent, and any fine requires proof of fault. Strengthen necessity, balancing and DPIA work, and formalize decisions. For Luxembourg operations, refer to the GDPR legal bases and fines, consider our DPO Luxembourg resources, and reach out via contact if you need support.

Luxgap regulatory expertise article.
