PPC Land reported the outcome last week: Luxembourg's Administrative Court annulled the €746 million fine imposed on Amazon by the National Commission for Data Protection (CNPD) in 2021, sending the case back to the regulator. What the news report could not fully explore was the precise legal architecture of that annulment - why, in a case where the court confirmed Amazon broke the law on multiple counts, the company still walks away without paying a single euro. That question deserves a closer look.
The ruling, case number 52757C, was issued on March 12, 2026, following a public hearing the same day. Three separate lines of argument produced the result. None of them denied the violations. Together, they dismantled the fine from below.
The GDPR violations the court actually confirmed
Before unpacking why the fine fell, it is worth being precise about what the court did not contest. According to the judgment, Amazon's processing of personal data for interest-based advertising (referred to throughout the decision as PBI - Publicité Basée sur les Intérêts) lacked a valid legal basis under Article 6(1)(f) of the GDPR. The three-part test for legitimate interest was not met. The company's privacy notices violated Articles 12 through 14 on transparency. The right of access under Article 15 was breached. The rights of rectification and erasure under Articles 16 and 17 were found to have been inadequately respected.
These findings survived five years of litigation and two levels of appeal. The court upheld them. Yet the fine is gone. Why?
Argument one: the fine rested on strict liability, which GDPR does not permit
The deepest argument - and the one the court identified as independently sufficient to annul the decision - concerns the legal standard the CNPD applied before concluding a fine was warranted.
Under Article 83(2)(b) of the GDPR, when a supervisory authority considers imposing a fine, it must take into account "whether the infringement was committed intentionally or negligently." The CNPD read this as one criterion among many when determining the amount of a fine it had already decided to impose. The Administrative Court, following two CJEU judgments issued on December 5, 2023 - the Deutsche Wohnen case (C-807/21) and the Nacionalinis case (C-683/21) - held that this reading is wrong.
The CJEU in those cases established that proof of fault is not merely a factor in calculating the fine. It is a threshold condition that must be satisfied before any fine can be imposed at all. According to the judgment, the EU legislature "did not deem it necessary, in order to ensure a high level of protection for individuals with regard to the processing of personal data, to provide for the imposition of administrative fines in the absence of fault." The court in Luxembourg quoted this passage directly and applied it.
Negligence, under the CJEU standard, is established "whenever the data controller could not have been unaware of the unlawful nature of their conduct, regardless of whether they were actually aware of the infringement." That is not an impossible bar to clear - but it must be cleared. The CNPD, according to its own concession at the January 8, 2026 hearing, never attempted to clear it. Its 2021 decision acknowledged that the violations were not intentional and that Amazon had conducted its accountability analysis in good faith. It then treated that as a mitigating factor in calibrating the fine amount, rather than as the starting point for a fault inquiry that might have supported or blocked the fine altogether.
What makes this argument particularly striking is its retroactive reach. The Deutsche Wohnen and Nacionalinis judgments were issued in December 2023 - more than two years after the CNPD's July 2021 decision. Yet the Administrative Court applied them anyway. According to settled CJEU doctrine, an interpretation of EU law by the Court of Justice clarifies the meaning of that law as it must and should have been understood since the moment it entered into force. This means the CNPD was bound by the fault requirement in 2021, even though the requirement had not yet been articulated. The regulator could not cure the defect by offering additional reasoning on appeal, because the omission was not a gap in its explanation - it was a gap in its actual analysis.
The court was equally clear that it could not itself conduct that fault analysis for the first time at appellate level. Doing so would have deprived Amazon of the right to have negligence assessed at first instance, which Article 78 of the GDPR protects as the right to an effective judicial remedy. This is a procedural protection that cuts in Amazon's favour, and it meant the case had to go back.
Argument two: the fine was automatic, not proportionate
The second argument that succeeded attacked the CNPD's decision-making process from a different direction. Even if fault had been properly established, the court found that the CNPD had never genuinely asked whether a fine was the right instrument.
Article 58(2) of the GDPR gives supervisory authorities a wide menu of corrective measures: warnings, reprimands, orders to comply, temporary or permanent restrictions on processing, and administrative fines. The provision says fines may be imposed "in addition to or in lieu of the measures referred to" in the article, "depending on the specific circumstances of each case." The CJEU, in its September 26, 2024 judgment in TR v. Land Hessen (C-768/21), held that this framework cannot be read as creating an obligation to fine automatically whenever a violation is found. The measure taken must be "appropriate, necessary, and proportionate to remedy the identified deficiency."
The Administrative Court reviewed the CNPD's decision and found no evidence that the authority had actually weighed alternatives. Paragraph 295 of the CNPD's July 2021 decision listed the Article 83(2) criteria and concluded that a fine was justified - but that analysis was framed entirely in terms of whether and how much to fine, not whether fining rather than some other measure was the right response. The CNPD's litigation position reinforced this reading: in its submissions, the authority repeatedly characterised fines as "the rule" in GDPR violation cases.
The court was careful not to say that a fine was necessarily wrong here. It acknowledged that supervisory authorities retain wide discretion in choosing corrective measures. But the exercise of discretion requires that it actually be exercised. A regulator that treats a fine as the automatic output of a violation finding, without asking whether something else might better serve the GDPR's objectives given the circumstances of the case, has not exercised discretion - it has bypassed it. Those circumstances included Amazon's offer to cooperate during the proceedings, the steps it had already taken to adjust some practices before the decision was issued, and - at the time of the hearing - the confirmed fact that it was now fully compliant.
This argument and the fault argument compound each other. The court put it precisely: the CNPD had failed to verify two important steps in the decision-making process leading to a fine. The fault analysis is a necessary condition. The proportionality analysis is also necessary. The absence of either independently invalidates the fine. The absence of both means the decision is "so fundamentally flawed that its annulment is required in its entirety."
Argument three: Article 21 was outside the investigation's scope
The third argument operated at a narrower level but succeeded partially and may affect the scale of any future fine. Amazon argued that the CNPD's finding of an independent violation of Article 21 of the GDPR - governing the right to object to processing - went beyond the stated scope of the investigation.
The investigation had been opened on April 5, 2019 with a stated purpose: to verify compliance with GDPR obligations regarding processing activities for behavioral advertising purposes, specifically the legal basis for that processing and the use of cookies. The CNPD ultimately found violations not just of Article 6 and cookie-related provisions, but of Articles 12 through 17 and 21. For most of those provisions, the court upheld the expansion as legitimate - the analysis of transparency and access rights was traceable to the balancing-of-interests test under Article 6(1)(f), and Amazon had participated in that part of the investigation without formally objecting.
Article 21 was different. According to the court, the statement of objections had addressed the opt-out mechanism only in the context of the legitimate interest balancing test - as a factor that might tip the scales one way or another - and the lead investigator had drawn no independent conclusions about a stand-alone Article 21 violation. Amazon had not been put on notice that it faced a separate charge under that provision. The CNPD raised it as an independent violation for the first time in its final decision of July 15, 2021.
That procedural history matters. The court held that because Amazon was confronted with a new independent charge at decision stage without having had the opportunity to respond during the investigation, its rights of defence were compromised. The court excluded Article 21 from the scope of the analysis entirely. This does not prevent the CNPD from reopening the Article 21 question when it reanalyses the case - but it cannot be used to support the fine that was annulled, and any future examination on that point would need to follow proper procedural steps.
Why the compliance shift destroyed the necessity argument
There is a fourth thread in the judgment that, while not independently sufficient to annul the fine, has lasting implications for how legitimate interest works as a legal basis in behavioral advertising.
By the time of the January 8, 2026 hearing, Amazon had shifted from relying on Article 6(1)(f) to processing data for interest-based advertising on the basis of user consent under Article 6(1)(a). The CNPD confirmed at that hearing that this new approach was currently deemed compliant. The court treated this fact as a direct answer to the necessity condition Amazon had been unable to satisfy.
Under the three-part test for legitimate interest, processing must be strictly necessary to achieve the legitimate interest pursued - meaning the interest cannot be achieved just as effectively by other means that are less intrusive to the data subject's fundamental rights. Amazon had argued throughout the litigation that consent-based processing was technically possible but not a genuinely equivalent alternative, because it would limit the data available for targeting to users who affirmatively consented. The court rejected that framing. The shift to consent had already happened, and Amazon had not argued it was less effective at pursuing its commercial interests. The question answered itself.
This is significant beyond the Amazon case. The legitimate interest question has shaped enforcement across multiple platforms. The court's reasoning suggests that where a platform has since migrated to consent-based processing for behavioral advertising and not claimed a loss of effectiveness, that migration can be cited retroactively as evidence that the necessity condition was never met under legitimate interest. The implication is circular but legally coherent: if you can do it with consent, you could always have done it with consent, so legitimate interest was never strictly necessary.
For any platform still operating behavioral advertising on a legitimate interest basis across Europe, the question is not theoretical. Meta's reliance on legitimate interest for AI training data has already drawn a survey finding that only 7% of German users want their data used for that purpose, complicating the company's legal foundation under Article 6(1)(f). The Spanish courts ordered Meta to pay €479 million to publishers in November 2025 on related grounds. The Luxembourg court's reasoning adds another layer to that accumulating case law.
What the CNPD must now do differently
The referral back to the CNPD is not a clean slate. Several things have already been definitively decided. The violations of Articles 6 and 12 through 17 are confirmed. The finding on Article 21 is excluded from the renewed analysis pending proper procedure. The compliance order is moot because Amazon is compliant. The only live question is the fine - and even there, the court has set out a precise sequence the regulator must follow.
First, the CNPD must determine whether Amazon acted with at least negligence regarding each confirmed violation, assessed against the state of the law and practice at the time of the investigation, beginning April 5, 2019. This requires a genuine inquiry, not an automatic inference from the finding of a violation. The CNPD acknowledged it did not apply the negligence standard in 2021, partly because the CJEU had not yet articulated it. The court was clear this does not matter: the obligation existed from the GDPR's entry into force.
Second, if negligence is established, the CNPD must conduct a genuine proportionality analysis across the full range of measures available under Article 58(2). Given that Amazon is now fully compliant - confirmed by both parties at the hearing - the practical question for the regulator is what measure or combination of measures is appropriate purely in relation to past conduct. Germany's unified fine procedures adopted in June 2025 represent one European approach to standardising this kind of analysis; Luxembourg must do it on its own terms but within the same CJEU framework.
No timeline has been announced. The practical effect, for now, is that one of the largest fines in GDPR history has been set aside, the violations it was based on have been confirmed, and the regulator must begin the penalty analysis from a standing start.
Timeline
- May 28, 2018 - La Quadrature du Net files complaint with France's CNIL regarding Amazon group companies' behavioral advertising practices
- April 5, 2019 - CNPD opens investigation targeting legal basis for interest-based advertising and cookie practices
- June 25, 2020 - CNPD lead investigator serves statement of objections on Amazon
- July 15, 2021 - CNPD issues €746,000,000 fine with €746,000 daily penalty for GDPR violations; Luxembourg's total fine history at the time dominated by this single case
- October 15, 2021 - Amazon files appeal with Administrative Tribunal
- December 17, 2021 - President of Administrative Court suspends enforcement of corrective measures
- December 5, 2023 - CJEU issues Deutsche Wohnen (C-807/21) and Nacionalinis (C-683/21) judgments establishing fault as prerequisite for GDPR fines
- March 18, 2025 - Administrative Tribunal dismisses Amazon's appeal and upholds the full CNPD decision
- April 25, 2025 - Amazon files further appeal with Administrative Court (Case No. 52757C)
- December 23, 2025 - France's Council of State reduces Amazon France Logistique's separate €32 million GDPR fine to €15 million after applying necessity and negligence analysis
- January 8, 2026 - Public hearing; both parties confirm Amazon now fully compliant; CNPD acknowledges it never conducted the fault analysis the CJEU requires
- March 12, 2026 - Administrative Court issues judgment annulling the CNPD decision of July 15, 2021 in its entirety and remanding to the CNPD
- March 13, 2026 - Judgment published; PPC Land reports the outcome
Summary
Who: Amazon Europe Core S.à r.l., represented by Allen Overy Shearman Sterling SCS, successfully appealed before Luxembourg's Administrative Court against the CNPD's decision. The CNPD was represented by NautaDutilh Avocats Luxembourg.
What: Three legal arguments produced the annulment of Amazon's €746 million GDPR fine: the CNPD applied a form of strict liability by never assessing negligence as a threshold condition for the fine; it never genuinely evaluated whether a fine was the proportionate measure given the circumstances; and it found an independent violation of Article 21 without giving Amazon the opportunity to respond during the investigation. The violations of Articles 6, 12, 13, 14, 15, 16, and 17 of the GDPR were confirmed and remain intact. The case has been referred back to the CNPD to conduct fault and proportionality analyses.
When: The CNPD's original decision was issued July 15, 2021. The Administrative Court's annulling judgment was issued March 12, 2026 and published March 13, 2026.
Where: Luxembourg. The CNPD is Amazon Europe Core's lead supervisory authority under the GDPR's one-stop-shop mechanism. The CJEU case law that shaped the outcome originates from Luxembourg City.
Why: Amazon no longer has to pay the fine because the CNPD failed to follow two mandatory analytical steps - the fault assessment and the proportionality analysis - before issuing it. These steps were not optional formalities. Under the CJEU's interpretation of the GDPR, they are conditions of legality. Without them, the fine could not stand, regardless of whether the underlying violations were real.