For nearly five years, the €746 million penalty levied against Amazon Europe Core S.à r.l. stood as the single largest fine ever issued under the General Data Protection Regulation. It was a landmark number, the kind of figure regulators point to when they want to convince a boardroom that data protection law has teeth. On 12 March 2026, the Luxembourg Administrative Court (the Cour administrative) erased it — annulling the decision in its entirety.

But anyone reading the headline as a vindication of Amazon’s data practices misread the judgment badly. The court did not find that Amazon complied with the GDPR. On the contrary, it confirmed the core of the regulator’s substantive case: that Amazon had no lawful basis for the behavioural advertising at the heart of the dispute. What the court found was that the Commission Nationale pour la Protection des Données (CNPD) — Luxembourg’s data protection authority — had not done the procedural homework that European Union case law now requires before it can impose a fine. The violations survived. The penalty did not. And the matter was sent back to the CNPD to redo the part it got wrong.

This is one of the clearest illustrations to date of a principle that compliance teams, regulators, and counsel should internalise: in mega-fine enforcement, process can kill the penalty even when the substance is sound. Getting the law right is necessary but not sufficient. The regulator must also build the file correctly — and if it skips a legally mandated step, the entire fine can collapse on appeal regardless of how serious the underlying conduct was.

The fine that set the record

The CNPD issued its decision on 15 July 2021, imposing an administrative fine of €746 million on Amazon Europe Core, alongside corrective measures requiring changes to Amazon’s practices. The amount dwarfed every prior GDPR penalty and instantly became the benchmark for “what a maximum-scale enforcement action looks like.” Under Article 83 of the GDPR, fines for the most serious categories of infringement can reach up to 4 percent of an undertaking’s total worldwide annual turnover, and the €746 million figure reflected the application of that turnover-based ceiling to a company of Amazon’s scale.

The substance of the case concerned how Amazon processed personal data for targeted, behaviour-based advertising. In broad strokes, the CNPD’s position was that Amazon built advertising and profiling on a foundation it was not entitled to use. Amazon relied on “legitimate interest” under Article 6(1)(f) of the GDPR as the legal basis for processing personal data to serve behavioural advertising, and it treated acceptance of its terms as sufficient cover for that processing. The regulator concluded that this was unlawful: behavioural advertising of this intrusive, cross-service character could not be justified by legitimate interest and instead required the data subject’s freely given, specific, informed consent. The CNPD also found shortcomings in the transparency and information Amazon provided to users about how their data was used.

Amazon disputed the decision vigorously and appealed, maintaining that its practices complied with the law and that the fine had no merit. The litigation worked its way through the Luxembourg administrative courts over the following years, culminating in the March 2026 ruling of the Cour administrative — the country’s highest administrative jurisdiction — in case reference 52757C.

The March 2026 annulment: what the court actually decided

The court’s judgment splits cleanly into two halves, and the distinction between them is the entire story.

On the substance, Amazon largely lost. The court confirmed that Amazon’s reliance on legitimate interest as the legal basis for the contested processing was not justified — in other words, the company could not lawfully ground behavioural advertising on Article 6(1)(f). The judgment endorsed the view that this kind of cross-service profiling and tracking is too intrusive to be carried on legitimate interest, and that it required consent. The court also upheld the CNPD’s findings on transparency and information obligations under Articles 12 and 13, agreeing that Amazon’s disclosures fell short at the time of the decision. The regulator’s central legal theory, in short, was vindicated.

On the penalty, the CNPD lost — and lost completely. The court annulled the fine because the regulator had not carried out two analyses that EU law treats as preconditions to a valid penalty.

First, and most decisively, the CNPD had not established Amazon’s degree of fault. In two judgments handed down on 5 December 2023 — Deutsche Wohnen (C-807/21) and the Nacionalinis case (C-683/21) — the Court of Justice of the European Union held that a data protection authority may impose an administrative fine only for an infringement committed intentionally or negligently. The GDPR does not permit “strict” or objective liability where a fine is concerned; the regulator must affirmatively characterise the conduct as intentional or negligent and reflect that in its reasoning. The CNPD’s 2021 decision pre-dated that case law and did not contain the required fault analysis. By the time the appeal was decided, the standard had crystallised, and the absence of a fault assessment was fatal to the penalty.

Second, the court found the CNPD had not sufficiently weighed whether a less severe measure would have been more appropriate than a fine of this magnitude — part of the broader Article 83 obligation to ensure that any penalty is effective, proportionate, and dissuasive in the specific circumstances. The regulator had not adequately substantiated essential elements such as the nature and gravity of the infringement and the degree of culpability before arriving at the number.

There was also a practical wrinkle that drained much of the urgency from the corrective side of the case: Amazon had, in the meantime, brought its practices into compliance with the order. At a hearing in January 2026, a CNPD representative confirmed that the aspects of the case relating to coercive measures had become moot because Amazon had already complied. So the part of the original decision designed to change Amazon’s behaviour had effectively done its job before the appeal concluded.

What “remand” means here

Annulment is not the end of the road. The court did not simply throw the case out and forbid any further action; it referred the matter back to the CNPD — a remand. In practical terms, that means the regulator is now tasked with carrying out, for the first time, the analyses the court said were missing, and then deciding afresh whether and how to penalise.

If the CNPD chooses to proceed, it will have to characterise Amazon’s conduct as intentional or negligent, with reasoning that satisfies the Deutsche Wohnen standard. It will have to run the penalty-setting exercise properly — the kind of structured, methodical calculation the European Data Protection Board has set out in its guidelines on the calculation of administrative fines, which walk an authority through identifying the processing operations, assessing seriousness, factoring in turnover, and applying aggravating and mitigating circumstances in a transparent, reproducible way. It will have to genuinely consider whether a lesser measure suffices. Only then can it land on a number — and that number could be the same €746 million, something lower, or, in principle, the result of a decision not to re-impose a monetary fine at all.

Critically, the substantive findings are not back on the table. The remand is about the penalty, not about re-litigating whether Amazon violated the GDPR. The unlawfulness of relying on legitimate interest for behavioural advertising, and the transparency failings, stand as confirmed. The CNPD characterised the outcome as a confirmation of its key findings and pointed out that its action had succeeded in bringing Amazon’s behavioural-advertising practices into full compliance — framing the loss of the fine as a procedural setback rather than a substantive defeat.

Process kills the penalty

The Amazon case is the most expensive single demonstration of a pattern that now defines GDPR enforcement at the high end: the bigger the fine, the more aggressively it will be litigated, and the more likely it is to fail on a procedural or methodological point rather than on the merits of the alleged violation.

That pattern is not unique to Luxembourg. Across the EU’s first eight years of GDPR enforcement, a striking share of the roughly €7 billion in headline fines has been annulled, reduced, or remains under challenge — analysts have put the figure at around 40 percent of the total value. Regulators have repeatedly won the argument that a company broke the law, only to see the penalty trimmed or vacated because the calculation was opaque, the rights of defence were not fully honoured, or a legal precondition for the fine was not properly established. The Deutsche Wohnen ruling itself reshaped the landscape by insisting on a fault requirement that several earlier enforcement decisions, issued in good faith under the prior understanding of the law, simply did not contain.

The dynamic is visible in other ongoing high-value disputes. TikTok’s €530 million penalty from the Irish Data Protection Commission — concerning transfers of European user data and transparency — is itself being fought through the courts, with the company pursuing appeals all the way up the Irish judicial system. The common thread is that mega-fines are not self-executing. They are the opening position in years of litigation, and they hold up only if the enforcement file is built to withstand that scrutiny on every procedural axis, not just the substantive one.

There is an important fairness point embedded in this, and it cuts in the regulated party’s favour. The rights of defence, the requirement to prove fault, and the obligation to explain how a number was reached are not technicalities to be resented. They are what separate a penalty grounded in law from a penalty grounded in the regulator’s say-so. A fine of three-quarters of a billion euros is a serious deprivation, and demanding that the authority show its work before imposing it is exactly what due process is for. The court did not let Amazon off the hook for its conduct; it held the regulator to the standard that any state actor wielding that kind of power should be held to.

What this means for companies — and for DPAs

For companies, the single most dangerous misreading of this judgment would be to treat the annulment as exoneration. It is not. The behaviour Amazon was sanctioned for — building behavioural advertising on legitimate interest and on acceptance of terms, rather than on valid consent — was confirmed to be unlawful. Any organisation running similar advertising or profiling models should read the substance of the ruling, not the headline about the fine, and should assume that the lawful-basis and transparency findings reflect where EU law now sits. The fine is gone for now, but the legal conclusion that produced it is intact, and it can be re-imposed. An annulled penalty that is remanded is not a closed matter; it is a paused one.

There is also a strategic lesson in Amazon’s coming-into-compliance. By the time the appeal was heard, Amazon had implemented the required changes, which neutralised the corrective-measures part of the case. Demonstrable remediation does not erase a past violation, but it changes the texture of the dispute, removes the regulator’s leverage on the forward-looking measures, and can become a mitigating factor when the penalty is recalculated. Fixing the problem early is rarely the wrong move.

For data protection authorities, the message is sharper. Winning on the substance is no longer enough at the top of the fining scale. The enforcement file has to be procedurally complete and methodologically transparent from the outset: a documented assessment of intent or negligence consistent with Deutsche Wohnen; a structured, reproducible penalty calculation aligned with the EDPB’s methodology; a genuine and recorded consideration of whether a lesser measure would suffice; and a clear evidentiary basis for the gravity and culpability findings that drive the number. A fine that cannot survive that level of scrutiny is not a deterrent — it is a multi-year liability that ends in annulment and a remand, sending the authority back to the drawing board with its credibility dented and the clock reset.

The economics of enforcement reinforce the point. A record fine that is annulled five years later, then has to be rebuilt and re-issued, delivers a fraction of the deterrent value the regulator hoped for, while consuming enormous institutional resources. The authorities that will make GDPR fines stick are the ones that treat the procedural architecture of a decision — fault, methodology, proportionality, rights of defence — as load-bearing rather than as boilerplate.

Conclusion

The annulment of Amazon’s €746 million fine is not the story of a tech giant defeating a regulator on the merits. It is the story of a regulator that was right about the law and wrong about the procedure — and that, in the high-stakes world of GDPR mega-fines, is enough to vacate even the largest penalty ever issued. The violations stand. The case goes back to the CNPD. And the number, if it returns, will have to be rebuilt on a foundation that can survive appeal.

The durable lesson belongs to everyone in the enforcement chain. Substance gets you to the violation; process gets you to a penalty that holds. A finding without a defensible procedure behind it is a press release, not an enforceable fine. As the value of GDPR penalties climbs and the litigation around them intensifies, the authorities that prevail will be the ones that build files capable of withstanding scrutiny on every axis — and the companies that prosper will be the ones that read these judgments for what the law now requires of them, rather than for the false comfort of a vacated fine.

This article is provided for informational purposes only and does not constitute legal advice.