Luxembourg's Administrative Court today annulled Amazon's €746 million GDPR fine over behavioral advertising, ordering the CNPD to redo its analysis under updated EU case law.
Luxembourg's Administrative Court today annulled a €746 million fine imposed on Amazon Europe Core S.à r.l. by the Grand Duchy's data protection regulator, ruling that the watchdog had failed to carry out two legally required analyses before issuing its penalty. The decision - published March 13, 2026 under case number 52757C of the roll - does not mean Amazon escapes scrutiny. The court confirmed that most of the underlying GDPR violations it examined were real. Rather, it found the National Data Protection Commission (CNPD) had skipped procedural steps that European Union case law now requires, and sent the matter back to the authority to start those analyses from scratch.
The ruling caps a legal dispute that has wound through Luxembourg's administrative court system for nearly five years, touching on one of the most consequential questions in digital marketing: whether a company can rely on its own commercial interests as the legal basis for processing users' personal data to serve them targeted advertising.
The CNPD issued its original decision on July 15, 2021, following an investigation conducted within the European cooperation and consistency mechanism provided for under Article 60 of the GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016. The regulation governs the protection of individuals with respect to personal data processing and the free movement of data across EU member states.
According to the CNPD's August 2021 public statement, Amazon itself disclosed the existence of the fine on July 29, 2021, when it published its quarterly financial results. The company confirmed that Luxembourg's regulator had issued a decision against Amazon Europe Core S.à r.l. The CNPD at the time was constrained by professional secrecy provisions under Article 42 of the national data protection law, preventing it from commenting further on the specifics of the case. Under Article 52 of the same law, full publication of its decisions is treated as a supplementary sanction and cannot occur before appeal deadlines expire.
The core dispute, according to the Luxembourg court, concerned the legal basis for processing personal data for behavioral advertising purposes - specifically, whether Amazon could invoke legitimate interests under GDPR Article 6 to justify how it handled user data to serve interest-based ads. The CNPD concluded it could not. On top of the €746 million fine, the regulator imposed coercive measures carrying a daily penalty of €746,000 for non-compliance.
Amazon launched its appeal against the CNPD's decision on October 29, 2021. A first hearing before the Luxembourg Administrative Tribunal took place on January 9, 2024. On March 18, 2025, the Administrative Tribunal rejected Amazon's appeal in its entirety and upheld the CNPD's original decision, meaning both the fine and the corrective measures remained in force - though the CNPD noted their effects stayed suspended during the further appeal period.
Amazon pressed on. At the hearing of pleadings before the Administrative Court on January 8, 2026, something significant happened: both parties' legal representatives confirmed unanimously to the Court that Amazon had, by that point, brought itself into compliance with the CNPD's requirements on the disputed points relating to personal data protection. The CNPD's own agent expressly confirmed this at the hearing, which led the court to conclude that the parts of the case relating to the coercive daily penalty measures had become irrelevant.
That confirmation matters for the marketing community. Amazon's behavioral advertising practices in Europe - the ones at the heart of this five-year case - have now been adjusted. According to the CNPD, its action "has led to Amazon's practices being brought into full compliance with the relevant provisions of the case regarding online behavioural advertising." Whether those changes are structural or cosmetic remains to be seen when the regulator carries out its new analysis.
The Administrative Court's judgment of March 12, 2026 ran through both procedural and substantive grounds. On procedure, the court largely dismissed Amazon's complaints, though it accepted one specific point: that Article 21 of the GDPR - dealing with the right to object to processing - fell outside the perimeter of the CNPD's investigation and could not give rise to a decision against Amazon on those grounds.
On the substance, the court generally aligned with the first-instance tribunal's findings. The violations the CNPD identified at the time of opening its investigation were confirmed as real by the appellate judges. However, the court then identified two distinct failures in how the CNPD conducted its analysis, either of which was enough to require annulling the contested decision.
First, the court accepted Amazon's argument that the CNPD had never examined the criterion of fault. Under case law developed by the Court of Justice of the European Union (CJEU) - specifically two judgments dated December 5, 2023, in cases "DEUTSCHE WOHNEN" (C-807/21) and "NATIONALINIS" (C-683/21) - supervisory authorities are required to analyze whether a GDPR violation involved intentional conduct or at least verified negligence on the part of the data controller. The CNPD, according to its own admission before the court, did not carry out this analysis. Because CJEU judgments on points of EU law apply retroactively to the date the legislation entered into force, the CNPD was bound by this requirement even though it predated the December 2023 rulings.
Second, the court found the CNPD had not properly analyzed what kind of sanction was most appropriate given the full range of corrective options available under the GDPR. According to the judgment, the supervisory authority had taken an approach that amounted to near-automatic issuance of a fine once violations were identified, without weighing whether other measures from the regulation's wide menu of enforcement tools might be more suitable. Both of these analyses - the fault assessment and the sanction-selection process - will have to be conducted for the first time by the CNPD on referral.
The court therefore annulled the CNPD's decision of July 15, 2021, in all its aspects. It also rejected both parties' claims for procedural cost allowances and split the costs of both court instances equally between Amazon and the CNPD.
The scale of the original penalty made this one of the largest GDPR fines ever issued at the time of its imposition. GDPR enforcement data published by PPC Land shows Luxembourg averaging €124 million per year in fines across the GDPR enforcement period, a figure dominated by its role as lead supervisory authority for major technology companies established there under the regulation's one-stop-shop mechanism. Ireland, the other key hub for tech company European headquarters, averaged €475 million annually by the same measure - largely reflecting similarly large individual cases involving major platforms.
The Amazon case is not the only recent instance of European courts reducing or complicating major GDPR enforcement actions. France's highest administrative court cut Amazon France Logistique's €32 million fine to €15 million in a ruling issued December 23, 2025, finding that certain warehouse employee monitoring systems met legal requirements under EU data protection rules - though the court upheld violations related to excessive data retention, citing what it characterized as serious negligence. That separate French case concerned workplace monitoring rather than advertising, but both illustrate a pattern: courts are scrutinizing not just whether violations occurred, but whether the analytical framework applied by regulators was legally complete.
The legitimate interest question at the heart of the Luxembourg case has also shaped enforcement elsewhere. LinkedIn Ireland faced a €310 million fine from the Irish Data Protection Commission in October 2024 following a finding that the platform inappropriately relied on legitimate interests for processing first-party personal data for behavioral advertising - the same legal basis Amazon had used. Madrid's Commercial Court No. 15 ordered Meta to pay €479 million to Spanish publishers in November 2025 for competitive harm arising from its use of an improper legal basis for behavioral advertising between May 2018 and August 2023.
The pattern across these cases points to a consistent regulatory and judicial conclusion: legitimate interest is not an available legal basis for processing personal data for behavioral advertising at scale, at least not without carrying out a genuine balancing test that can withstand scrutiny.
The December 2023 CJEU rulings that featured so prominently in the Luxembourg court's reasoning introduced a requirement that most data protection practitioners did not anticipate would become a standard procedural step in GDPR enforcement. The two cases - Deutsche Wohnen and Nationalinis - established that supervisory authorities must affirmatively examine whether a data controller acted intentionally or with verified negligence before imposing a fine. The existence of a violation is not, on its own, sufficient to trigger an automatic financial penalty.
This is a materially different standard from how many national data protection authorities had previously operated. The CNPD's own concession before the Administrative Court - that it had not conducted this analysis - is a striking admission for a regulatory body that had spent nearly three years defending a record-setting enforcement action. The court noted that because EU case law applies retroactively to the date of the legislation's entry into force, the CNPD was bound by this requirement at the time it issued its original 2021 decision, even though the CJEU had not yet articulated it.
For advertisers and marketing technology companies operating across Europe, this creates an important implication. GDPR enforcement actions remain highly significant. But a company that can demonstrate it acted without intentional wrongdoing, and without clear negligence, now has a meaningful legal argument that an automatic fine was procedurally defective - even if the underlying violations are upheld.
The Luxembourg fine was the largest single data protection penalty Amazon had faced, but it sits within a broader picture of regulatory pressure on the company across Europe. Germany's Bundeskartellamt banned Amazon from using algorithmic price control mechanisms on its marketplace in a February 5, 2026 enforcement order, ordering disgorgement of €58.8 million in economic benefits - the first application of provisions reformed under Germany's 11th amendment to the Competition Act. Separately, UK class action lawsuits against Amazon representing approximately 52 million consumers and more than 200,000 sellers were approved in July 2025, raising competition law claims about marketplace practices.
On the data side, the Irish Council for Civil Liberties wrote to European Commission officials in July 2025 demanding rapid enforcement action against Amazon's data consent practices, alleging the company's single "Accept" button for cross-service data sharing violated both the Digital Markets Act and GDPR. The Commission has designated Amazon as a gatekeeper under the DMA since September 2023.
Against this backdrop, the annulment of the €746 million Luxembourg fine does not represent a clean break from regulatory pressure. The CNPD must now redo its analysis, this time applying the CJEU's fault framework and conducting a proper sanction-selection process. A new decision - potentially carrying a different fine amount, possibly higher or lower depending on the authority's conclusions about negligence and proportionality - remains a live possibility.
The referral back to the CNPD opens a new administrative phase. The regulator must now determine, for the first time, whether Amazon's GDPR violations involved intentional conduct or at least a verifiable degree of negligence. It must also assess, from the full range of enforcement tools the regulation provides, which measure or combination of measures is most appropriate - a fine, a reprimand, a temporary or permanent ban on processing, or some other corrective measure.
The CNPD said it took note of the ruling. It reiterated that its enforcement action succeeded in bringing Amazon's behavioral advertising practices into compliance with GDPR requirements. The regulator indicated it will continue handling the case to ensure the efficient application of the regulation. Amazon, for its part, welcomed the court judgment. "We strongly disagreed with the initial ruling and disproportionate fine that had originally been issued in this case, which is why we appealed," a company spokesperson said, as reported by Reuters.
Given the compliance changes Amazon has already made - confirmed by both sides at the January 8, 2026 hearing - the practical question for the CNPD is primarily about the past: what penalty, if any, is proportionate for violations that have since been remedied, taking into account the fault analysis the CJEU now requires. The timeline for that new decision has not been announced.
Who: Amazon Europe Core S.à r.l., the Luxembourg-registered entity through which Amazon operates its European commerce business, was the appellant. The National Data Protection Commission (CNPD) of Luxembourg was the respondent authority. Luxembourg's Administrative Court issued the ruling. The Court of Justice of the European Union's prior case law - particularly the Deutsche Wohnen and Nationalinis judgments of December 5, 2023 - shaped the legal reasoning.
What: Luxembourg's Administrative Court annulled the CNPD's July 15, 2021 decision, which had imposed a €746 million fine (approximately $854 million at the time of the Reuters report) on Amazon for GDPR violations related to behavioral advertising. The court confirmed most violations were real but found the regulator had not analyzed fault as required by CJEU case law, and had not properly evaluated the full range of available sanctions before issuing its fine. The case has been referred back to the CNPD to conduct those analyses for the first time. Amazon has already brought its practices into compliance.
When: The original CNPD decision was issued on July 15, 2021. Amazon filed its appeal on October 29, 2021. The Administrative Tribunal upheld the fine on March 18, 2025. The Administrative Court issued its annulling judgment on March 12, 2026, published today, March 13, 2026.
Where: The proceedings took place in the Grand Duchy of Luxembourg, where Amazon Europe Core S.à r.l. is established and where the CNPD functions as the lead supervisory authority under the GDPR's one-stop-shop mechanism. The CJEU, seated in Luxembourg City, provided the legal framework through its December 2023 rulings.
Why: The CNPD originally acted because Amazon's processing of personal data for interest-based advertising was found to lack a valid legal basis under GDPR. The court annulled the decision not because the violations were wrong, but because the CNPD failed to assess fault - a step mandated by CJEU case law - and failed to properly justify why a fine rather than other corrective measures was the most appropriate response. Those procedural failures meant the court could not itself rule on the appropriate sanction and was required to refer the matter back.