The Administrative Court has just handed down a long-awaited decision in one of Europe's most important data protection disputes. In a ruling delivered on Thursday 12 March, it annulled the decision adopted on 15 July 2021 by the restricted panel of the National Data Protection Commission (CNPD), which had imposed an administrative fine of €746m on Luxembourg-based Amazon Europe Core for breaches of the General Data Protection Regulation (GDPR).

This decision followed an investigation opened in 2019 by the Luxembourg authority under the European co-operation mechanism provided for by the GDPR, following a complaint lodged in France. The CNPD notably accused the company of processing personal data for interest-based advertising purposes on the legal basis of “legitimate interest”, without meeting the requirements of the European regulation.

On 18 March 2025, the administrative tribunal dismissed Amazon's appeal against this decision and upheld the CNPD's analysis. The company then appealed to the higher Administrative Court.

Two shortcomings in the CNPD’s decision

In its ruling of 12 March 2026, the Court first broadly upheld the analysis adopted by the lower court on the substance of the case. It held that, at the time the investigation was opened in 2019, the processing arrangements for personal data used for targeted advertising could not validly rely on legitimate interest within the meaning of Article 6 of the GDPR. The court also confirmed breaches of the obligations of transparency and of the rights of access, rectification and objection granted to data subjects.

However, the Court identifies two major shortcomings in the decision adopted by the CNPD. Firstly, it considers that the supervisory authority did not carry out the analysis required by the recent case law of the Court of Justice of the European Union regarding the existence of wrongful conduct on the part of the controller, i.e. verification of an intentional breach or negligence. Now, since the judgments handed down by the CJEU on 5 December 2023 in the "Deutsche Wohnen" and "Nacionalinis" cases, this analysis is a necessary prerequisite for the imposition of an administrative fine in relation to the GDPR.

The Court then criticised the methodology adopted by the CNPD in selecting the penalty. In its view, the Luxembourg authority took an approach that consisted in imposing a fine almost automatically after finding breaches of the regulation, without carrying out a full assessment of the various measures provided for under the GDPR in order to determine which would have been the most appropriate.

Amazon now compliant

In those circumstances, the court held that it could not itself rule definitively on the penalty. In order to safeguard the principle of an effective remedy, it therefore referred the case back to the CNPD so that it could, for the first time, carry out those assessments and, where appropriate, adopt a new decision. The Court therefore annulled the decision of 15 July 2021 in all its aspects, while upholding the substance of the GDPR breaches identified at the time.

The judgment also notes an important development in the group's practice. At the oral hearing on 8 January 2026, the parties confirmed that the disputed processing operations had since been modified and that the company no longer relied on legitimate interest, but on user consent as the legal basis for data processing. The CNPD has indicated that it considers these new arrangements to be compliant with the GDPR.

In these circumstances, the Court considers that the compliance injunctions issued in 2021, together with a daily penalty of €746,000, have become moot. The court also dismisses both parties' claims for procedural damages and apportions half the costs of the two proceedings.

The ruling does not therefore put a definitive end to this emblematic case. It confirms the breaches identified in the platform's past practices, but requires the CNPD to repeat its analysis before it can possibly issue a new penalty in one of Europe's biggest data protection disputes.

A spokesperson for Amazon told Paperjam: “We’re pleased the Luxembourg Court of Appeal has overturned the CNPD’s decision and recognised our position. At Amazon, we work hard to earn customer trust and customer privacy is a top priority. We’re proud to innovate and continually improve the services we offer customers. As we innovate, we work with regulators to ensure new services are fully understood and legally compliant.”

The spokesperson added: “In 2018, when an ambiguous new privacy law came into force in the EU with no clear guidance on what this meant for how we show customers relevant advertising, we worked in good faith to give customers control over whether they see personalised advertising based on their interests. We strongly disagreed with the initial ruling and disproportionate fine originally issued in this case, which is why we appealed.”

“The CNPD notes that the main regulatory action it had taken has borne fruit. Indeed, the Administrative Court has endorsed the CNPD’s approach almost in its entirety and, in particular, confirmed that Amazon’s reliance on legitimate interests as the legal basis for the processing operations in question was not justified. The Administrative Court also upheld the CNPD’s analysis that, at the time of its decision, the information procedures did not comply with the relevant provisions of the GDPR,” the regulator said in a statement.

“The CNPD notes that its action has led to Amazon’s practices being brought into full compliance with the relevant provisions of the case regarding online behavioural advertising. Building on this progress, it will continue to handle the case in a way to ensure the efficient application of the GDPR.”