
Luxembourg Slaps Record €746 Million Fine on Amazon

La Quadrature du Net press release 4th August 2021 :

Update of August 4, 2021: we have just received this letter from the CNIL giving us more details on the decision rendered in Luxembourg. In summary :

  • the Luxembourg authority did recognize, as we requested, that Amazon was targeting us for advertising purposes without a legal basis and therefore violated the GDPR (Amazon claimed, wrongly, that the contract we entered into with it to use its services could force us to accept this targeting);
  • Amazon has 6 months to modify the lawful legal basis (that is to say, to end advertising targeting or to obtain our free consent to do so);
  • beyond this period, Amazon will have to pay a penalty payment of € 746,000 per day of delay (this is exactly the measure we requested);
  • the data protection authorities of the other European states had given their agreement to the decision rendered by the Luxembourg authority (this further reinforces the pressure put on the Irish authority for our four other complaints).

The solid arguments developed by La Quadrature du Net and the legal requirements for lawful processing of customers' data and direct marketing can be found on these Slideshares.


On July 16, 2021, the Luxembourg personal data protection authority finally ruled on our collective complaint filed by 10,000 people against Amazon in May 2018. This decision comes after three years of silence that made us fear the worst (re-read our fears which, in the case of Amazon, are therefore now obsolete).

La Quadrature du Net press release “CNPD, the Luxembourg data protection authority slapped Amazon with the record fine in a July 16 decision that accused the online retailer of processing personal data in violation of the EU’s General Data Protection Regulation, or GDPR. Amazon disclosed the findings in a regulatory filing on Friday, saying the decision is “without merit.”

Bloomberg revealed the fine : Amazon Gets Record $888 Million EU Fine Over Data Violations

FastCompany : Targeted ads aren’t just annoying, they can be harmful. Here’s how to fight back

Politico : https://www.politico.eu/article/amazon-fine-luxembourg-europe-privacy-champion/ With Amazon fine, Luxembourg emerges as Europe’s unlikely privacy champion : ‘Amazon has already said it intends to defend itself against Luxembourg’s decision “vigorously,” and said Luxembourg’s fine was predicated on “subjective and untested interpretations of European privacy law,” that are “entirely out of proportion.”’

The laws of Luxembourg will protect the supervisory authority from any publication of the decision we might never see. Quite ironic for an authority in charge of transparency. I’ve had confirmation from La Quadrature du Net that they have not been officially informed by the CNPD.

Amazon reportedly said: “We believe the CNPD’s decision to be without merit and intend to defend ourselves vigorously in this matter.”

“There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed. We strongly disagree with the CNPD’s ruling, and we intend to appeal.” 

“The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation,” the company added. 

Forbes : Amazon Stock Loses $130 Billion In Market Value After $885 Million Fine And Disappointing Earnings Report

Interesting news on the Amazon fine, to be confirmed :

According to Lawint, the CNPD decision has not been published and will not be published!

An appeal to the administrative court is reportedly on its way.

Also, the EDPB reportedly asked the CNPD to multiply the fine by 10.

To be continued.

UPDATE 3 August 2021: Finally, some news from the CNIL: ‘Following a cooperation procedure with the CNIL, the Luxembourg National Commission for Data Protection imposed a fine of seven hundred and forty-six million euros on the company Amazon Europe Core.’ The CNIL confirms the ‘unprecedented high’ fine decision based on LQDN’s complaint. According to Luxembourg legislation, it will only be published once all appeals are exhausted.

We’ve been constantly repeating consent has to be freely given, informed, unambiguous and not detrimental to the access to the service.
“the main object of the contract with Amazon when using its website is the buying and selling of goods. This purpose can perfectly be pursued without establishing behavioural profiles and without targeted advertising on the basis of them.”
“The behavioural analysis and advertising targeting treatments implemented by Amazon on its services, as described above, cannot be based on the need to perform a contract with users.
They cannot be based on a legitimate interest either, because their purpose is to analyse the behaviour and to establish a profile of the users for purposes of advertising targeting which, no more than the targeting by means of “cookies”, cannot be authorised without the prior consent of the person concerned.
In the absence of a legal basis, this processing is therefore illegal, putting Amazon in violation of the GDPR, in particular its article 6.”

Here is a quick unofficial translation of the claim by the French NGO La Quadrature du Net that led to the CNPD Luxembourg’s decision against Amazon (not published yet). Still working on it but it gives you the essence. You can help me to reformulate some of the expressions that are not the usual English words.

Claim against Amazon Europe


Claim lodged By La Quadrature du Net, located at 60 rue des Orteaux, 75020 – Paris, France;
Against Amazon Europe Core SARL, Amazon EU SARL, Amazon Services Europe SARL and Amazon Media EU SARL, located at 5 rue Plaetis, L-2338 Luxembourg and Amazon Video Limited located at 1 Principal Place, Worship Street, London, EC2A 2FA, UK (hereinafter referred to as “Amazon”), as those responsible for processing personal data processed via the Amazon Services.
A copy of this complaint is available online :

1- Procedure

  1. Article 77, §1, of Regulation 2016/679 of the European Parliament and of the Council of the European Union, relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as “general data protection regulation” or “GDPR”, provides that “any data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State in which is his habitual residence, his place of work or the place where the violation would have been committed, if it considers that the processing of personal data concerning him constitutes a violation of this Regulation”.
  2. Article 80, §1 of the GDPR provides that “the data subject has the right to mandate a non-profit body, organisation or association, which has been validly constituted in accordance with the law of a Member State, whose statutory objectives are of public interest and is active in the field of the protection of the rights and freedoms of data subjects within the framework of the protection of personal data concerning them, so that he lodges a complaint on his behalf, exercises in its name the rights referred to in Articles 77, 78 and 79 and exercises on its behalf the right to obtain compensation referred to in Article 82 when the law of a Member State so provides”.
  3. La Quadrature du Net is a not-for-profit association under the 1901 law declared at the prefecture on February 5, 2013. It provides in its statutes that “the Association has as a disinterested and non-profit object”, in particular, “the encouragement of the autonomy of users and their takeover of data concerning them” as well as “ the defence of the social, cultural, innovation and human development interests of citizens ” (1)
  4. From April 16 to May 27, 2018, in application of article 80 of the GDPR, La Quadrature du Net invited any individual residing in France to mandate it via its site so that it exercises, on their behalf, the rights conferred on them by article 77 of the GDPR, in order to lodge this complaint with the CNIL.
  5. 10,065 people, claiming to use Amazon services, have mandated La Quadrature du Net to do so (the list of their names is attached in Appendix II).

2- COMPLAINTS

  • Amazon is criticised for claiming that it is carrying out processing of personal data concerning the persons in whose names this complaint is made (2.2) without, however, basing this processing on one of the legal bases required by law (2.1), rendering therefore these unlawful (2.3). 

2.1. Legal bases required by the GDPR.

  • Article 6, §1, of the GDPR lists the six grounds under which personal data can be lawfully processed. Three of these six cases are: the consent of the data subject (2.1.1), the performance of a contract with the data subject (2.1.2); the legitimate interest of the controller or a third party (2.1.3). 

2.1.1. Consent

  • Article 6, §1, a, of the GDPR provides that processing may be lawful if “the data subject has given consent to the processing of their personal data for one or more specific purposes”.
  • To be valid, this consent must be given in an explicit and free manner and requested in a fair manner.

2.1.1.1. Explicit consent

  1. Article 4, §11, of the GDPR requires that, in order to be valid, the consent must be an “unambiguous indication” expressed “by a statement or by a clear affirmative action”.
  2. Recital 32 of the GDPR specifies that, since consent is a “positive act”, “there can therefore be no consent in the event of silence, pre-ticked boxes or inactivity”.
  3. The “Article 29 Working Group” (G29) clarified the meaning of these provisions in their guidelines on the notion of consent in the GDPR, adopted on April 10, 2018 (guidelines WP259). (2)
  4. It indicates that “the GDPR does not authorise data controllers to provide for pre-ticked boxes or opt-out mechanisms which require the data subject to intervene to prevent the agreement”. (3)
  5. The G29 adds that “the simple fact of continuing the ordinary use of a website is not a behaviour from which one can deduce an expression of an agreement to the proposed processing”. (4)
  6. Article 4, §11, of the GDPR requires that, in order to be valid, the consent must be “freely given, specific, informed and unambiguous”.
  7. Article 7, §4 of the GDPR specifies that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.
  8. Recital 42 of the GDPR specifies that “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” 

2.1.1.2. Free consent

  1. In the same sense, recital 43 of the GDPR provides that “consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”.
  2. The G29 has clearly specified the meaning of these provisions in its guidelines (WP259, cited above), explaining that “the GDPR provides that if the data subject does not have a real choice, feels compelled to consent or will suffer negative consequences if it does not consent, so the consent is not valid”. (5)
  3. Among the negative consequences that the refusal to consent must not cause, the G29 targets the case where “the use of a service would be detrimental to the access of the service”. (6)
    It gives as a practical example a mobile application to which the user would refuse to give access to the accelerometer of the phone (for reasons of behavioural analysis) and which, for this reason, would only function in a limited way (see the example 8, given on p.11). For the G29, this would be a negative consequence incompatible with free consent.
  4. In general, the G29 sums up these requirements by explaining that “the GDPR guarantees that the processing of personal data for which consent is requested cannot become, directly or indirectly, the condition of a contract”.
  5. This interpretation is moreover in line with the desire that the European Parliament has clearly expressed recently, twice:

• “No user may be refused access to a service […] on the grounds that he has not consented […] to the processing of his personal data […] not necessary for the provision of the service.” (Article 8, §1 bis, of the version of the “ePrivacy” regulation adopted on 23 October 2017);

• European law must not “legitimise or encourage a practice of monetising personal data, which personal data cannot be compared to a price, and therefore cannot be considered as a commodity” (recital 13 of the version of the “Digital content” Directive adopted on November 21, 2017).

  1. Finally, it must be emphasised that these requirements already existed in the law prior to the GDPR, the latter having contented itself here with codifying them. For example, in France, on December 18, 2017, the CNIL announced that it was notifying an injunction to WhatsApp to stop sharing various data on its users with Facebook, on the grounds that this transmission was based on a non-free consent of users, because “the refusal of the data subject to give his consent to the transmission of his data will necessarily have significant negative consequences since he will be forced to delete his account and will not be able to use the WhatsApp application”. (8)

2.1.1.3. Fairness of the request for consent

24. Article 5, §1, a, of the GDPR provides that “personal data must be […] processed lawfully, fairly and in a transparent manner in relation to the data subject”;

  1. Recital 39 of the GDPR specifies that “The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used” and that “Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing”.
  2. Article 7, §3 of the GDPR provides that “the data subject has the right to withdraw his consent at any time” and, in application of the principle of lawfulness and transparency, that “the data subject is informed before giving his consent”.
  3. Therefore, processing would be neither fair nor transparent (nor therefore lawful) if it was based on the consent of the data subject while, at the same time, the controller would allow himself the opportunity to base the processing on another legal basis (for example, to anticipate the event that the data subject withdraws their consent). In fact, in such circumstances, the information given to the data subject as to the right he would have to withdraw his consent would be perfectly misleading: this “right” would not legally have any effect, the processing being able to be based on another legal basis. 
  4. Thus, the processing of personal data can never be lawful if it is based both on the consent of the data subject and on another legal basis, as this would systematically make the information that must be given to the person with regard to the right to withdraw consent misleading.
  5. This is the conclusion reached by the G29, explaining that, “if a data controller chooses to base part of its processing on consent, he must be ready to respect this choice and to end this part of the processing if an individual withdraws their consent. To give the impression that data will be processed on the basis of consent, when in fact it will be processed on another legal basis, would be fundamentally unfair to individuals. In other words, the data controller cannot exchange consent with other legal bases. For example, it is not allowed to retrospectively use the legitimate interest in order to justify processing when difficulties have arisen concerning the validity of the consent” (9) (p. 23 of the WP259 guidelines mentioned above).


2.1.2. Contract

  1. Article 6, §1, b, of the GDPR provides that processing may be lawful if “necessary for the performance of a contract to which the data subject is party”.
  2. This provision is identical to that already provided for in Article 7, b, of Directive 95/46/EC, which the GDPR has replaced. It has thus already been detailed by the G29 in its opinion 06/2014, issued on November 25, 2014 (10), as “to be interpreted strictly and not to cover cases where the processing is not really necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller”. (11)
  3. The G29 added that “the fact that certain data processing operations are covered by a contract does not automatically mean that these processing operations are necessary for its execution. For example, article 7, b, is not a suitable legal basis for profiling the tastes and lifestyles of a user based on his browsing experience on a website and the products he has purchased. Indeed, the contract was not concluded to carry out a profile, but to provide certain goods or certain services, for example. Even if these processing operations were specifically mentioned in the details of the contract, this fact alone would not make them ‘necessary’ for the execution of the contract”. (12)
  4. These requirements perfectly reflect those imposed in terms of free consent, in order to achieve the same result: the purpose pursued by the data subject by entering into a relationship with the data controller must not lead to the authorisation of another, independent purpose that the data subject does not wish to pursue. Indeed, not to reflect these contract requirements would be tantamount to nullifying the conditions of validity of the consent (seen earlier), since they could be entirely circumvented based on this other legal basis (the contract).
  5. This reflection between “contract” and “consent” is found in the recent WP259 guidelines dedicated to consent (cited earlier), where the G29 integrates its 2014 position into the GDPR: “In accordance with G29 opinion 06/2014, the expression “necessary for the execution of a contract” must be interpreted strictly. The processing must be necessary to fulfil the contract individually with each of the data subjects […] There must be a direct and objective link between the processing of data and the purpose of the performance of the contract”. (13)
  6. In practice, these requirements have for example found application in the sanction issued, in France, by the CNIL against Facebook, on April 27. The CNIL then considers that “the main object of the service is the provision of a social network […], that the combination of user data for the purposes of advertising targeting does not correspond either to the main object of the contract nor to the reasonable expectations of users [and, thus,] that companies [cannot] rely on the necessity of performing a contract”.

2.1.3. Legitimate interest

  1. Article 6, §1, f of the GDPR provides that processing may be lawful if it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. 
  2. Recital 47 of the GDPR provides that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
  3. Without directly defining the criteria so that prospecting may or may not meet a legitimate interest, the GDPR here echoes the very specific framework that commercial prospecting has received in European law during the various technological developments. The G29, in its opinion 06/2014 dedicated to the notion of legitimate interest (15), takes precisely the evolution of this framework as an educational example illustrating the balance to be sought in order to base processing on this legal basis (p. 51 and following).
  4. In 1995, Directive 95/46/EC provided, via its article 14, b, that processing for prospecting purposes was lawful if the data subject was informed and could object to it. With regard to these two conditions alone, the G29 understands that the legal basis given to this processing was the legitimate interest (no prior consent being required).
  5. In 2002, the G29 explained that, “to take account of new technological advances, this provision was subsequently supplemented by specific provisions of the ‘privacy and electronic communications directive’”. Article 13, §1, of this directive (Directive 2002/58/EC) now provides that, in principle, the use of “electronic mail for direct marketing purposes can only be authorised if it targets subscribers who have given their prior consent”. The right to object is no longer sufficient: the legal basis for prospecting has shifted from legitimate interest to consent.
  6. It is only as an exception that Article 13, §2, of Directive 2002/58/EC still provides for a specific case where the legitimate interest remains valid (and where the simple right of opposition, without prior consent, suffices): in the case of “direct prospecting for similar products or services that it itself provides”.
  7. At the same time, this same directive first provided, in its article 5, §3, that the storage and access to information on the terminal of a user were authorised if the data subject was informed and could object. Once again, it is here the legitimate interest that was initially chosen as the legal basis.
  8. The G29 traces the evolution that followed: “Technologies have evolved, requiring similar, relatively simple solutions which follow a similar logic for new prospecting practices. First, the way prospecting material is disseminated has evolved: instead of just emails arriving in mailboxes, targeted behavioural ads now also appear on smartphone and computer screens. In the near future, advertising could be integrated into smart objects connected to the Internet of Things. Second, advertisements are becoming more and more specifically targeted: instead of relying on simple customer profiles, they draw on the tracking of consumer activity, which is increasingly kept online and offline and analysed using more sophisticated automated methods”.
  9. The G29 thus concludes that “this change in the dominant business model and the valuation of personal data as an asset for commercial companies explain the recent requirement for consent in this context”.
  10. In 2009, in fact, article 5, §3, of directive 2002/58/EC was amended by directive 2009/136/EC so that access and deposit of information on the terminal of the user can no longer rely on legitimate interest, but only on consent. Once again, to frame the evolution of commercial prospecting, the legal basis has shifted from legitimate interest to consent.
  11. In view of these developments, it appears obvious that no other form of behavioural analysis for advertising purposes can experience a fate different from that of “cookies”: to be lawful only with the prior consent of the persons concerned.
  12. This is the path taken by the G29 in appendix II of its opinion 03/2013 (16), on Big Data and Open Data: “free, specific, informed and unmistakable prior consent should almost always be required” whenever an “organisation specifically wishes to analyse or predict the personal preferences, behaviour and attitudes of individual customers, which will then serve to guide ‘actions or decisions’ taken with respect to those customers”. (17)
  13. The G29 specifies that these “‘measures or decisions’ do not cover only formal decisions and measures taken in a formal procedure. In other words: any relevant effect on particular individuals – whether positive or negative – should be avoided”. (18)
  14. He gives as an example of such “measures and decisions” the dissemination of “personalised discounts, special offers and targeted advertising based on the customer’s profile”. (19)
  15. The G29 clearly concludes that ‘consent should above all be required, for example, for tracking and profiling for the purposes of direct marketing, behavioural advertising, information brokerage, location-based advertising or tracking-based digital market research’ (20).

2.2. Processing carried out

2.2.1. Data processed

  1. Amazon describes in its Notice “Protection of your personal information” (21) the data that it processes when providing its services.
  2. Without being exhaustive as to the data processed, which are all relevant to establish the complaints invoked, it is useful to point out that Amazon declares that it processes, with regard to its users:
    • the products, content or services sought or consulted;
    • orders placed;
    • information and documents relating to identity and status;
    • images, videos or any other file uploaded to an Amazon service;
    • Playlists, favourites lists, wish lists, gift lists;
    • the IP (Internet Protocol) address of the device;
    • connection data, e-mail addresses and passwords;
    • information about the computer, the device and the Internet connection such as, for example, the applications of the device, the type and version of the browser, the categories and versions of browser plug-ins, the operating system or time zone setting;
    • the location of the device or computer;
    • information on interactions with content, such as downloads of content, streaming content and viewing details, including the duration and number of simultaneous streams and downloads, the details of the system for streaming, and the quality of the download, including information relating to the internet service provider;
    • information concerning interactions on a page (“scrolling”, clicks, mouse movements);
    • information on interactions with third party companies to which Amazon provides technical, logistical, payment, advertising or other services.


2.2.2. Processing performed

  1. In that same notice, Amazon states: “We use your personal information to serve you interest-based advertisements for features, products and services that may be of interest to you.” It then refers to its Notice “Advertisements based on your interests”. (22)
  2. This notice states: “In order to show you ads based on your interests, we use information such as that relating to your use of Amazon sites, content or services.” In addition, on the page https://www.amazon.fr/adprefs, Amazon allows its users to select “Do not display advertisements from Amazon based on my interests”, this option being unchecked by default.
  3. From this different information, it appears that Amazon processes personal data in order to carry out behavioural analyses and targeted advertising. Amazon is the data controller of these operations, the purpose of which is to allow the advertisements disseminated by Amazon to be displayed to the users most likely to be receptive to them.

2.2.3. Legal basis

2.2.3.1 Consent

  4. No document published by Amazon suggests that it intends to base its behavioural analysis and advertising targeting treatments on the consent of its users.


2.2.3.2 Contract

  1. Amazon’s “Terms of Service” (23) provide: “As part of the Amazon Services, we will recommend features, products and services, including third-party advertising, that may be of interest to you, we will identify your preferences and we will personalise your experience ”.
  2. By this, Amazon could indicate that its behavioural analysis and advertising targeting processing would be provided for in the contract it enters into with its users, the execution of which would make them necessary.
  3. However, submitting to this behavioural analysis and advertising targeting is not the goal that Amazon users pursue when using its services. To quote the CNIL, “the combination of user data for targeted advertising purposes corresponds neither to the main object of the contract nor to the reasonable expectations of users” (decision SAN-2017-006 mentioned above).
  4. Typically, the main object of the contract with Amazon when using its website is the buying and selling of goods. This purpose can perfectly be pursued without establishing behavioural profiles and without targeted advertising on the basis of them.

2.2.3.3. Legitimate interest

  1. Amazon does not explicitly invoke its legitimate interest as the basis for its behavioural analysis and advertising targeting processing. As explained above in section 2.1.3, it would be impossible to do so in accordance with the GDPR.

2.3. Unlawful processing

  1. The behavioural analysis and advertising targeting treatments implemented by Amazon on its services, as described above, cannot be based on the need to perform a contract with users.
  2. They cannot be based on a legitimate interest either, because their purpose is to analyse the behaviour and to establish a profile of the users for purposes of advertising targeting which, no more than the targeting by means of “cookies”, cannot be authorised without the prior consent of the person concerned.
  3. In the absence of a legal basis, this processing is therefore illegal, putting Amazon in violation of the GDPR, in particular its article 6.

3- Requests

66. La Quadrature du Net, on behalf of the people it represents, calls for the following measures to be pronounced against Amazon:
• the prohibition of the behavioural analysis and advertising targeting treatments described above, in application of article 58, §2, f, of the GDPR;
• an administrative fine which, due to the massive, lasting and obviously deliberate nature of the violation found, be as high as possible, in application of article 83, §§2 and 5, of the GDPR.

NOTES :

  1. The statutes of La Quadrature du Net are attached in Appendix I and are also available at https://www.laquadrature.net/files/nouveauxstatuts-vf-pourAG03042017.pdf
  2. G29 guidelines WP259 are available at: http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51030
  3. p. 16, free translation of “the GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement”.
  4. p. 17, free translation of “merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation”
  5. p. 5, free translation of “the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid”.
  6. p. 11, free translation of “the performance of the service being downgraded to the detriment of the user” 
  7. p. 8, free translation of “the GDPR ensures that the processing of personal data for which consent is sought cannot become directly or indirectly the counter-performance of a contract”. 
  8. Decision n° MED-2017-075 of 27 November 2017 giving notice to the company WHATSAPP.
  9. Free translation of “if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent. Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals. In other words, the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent”.
  10. G29 opinion 06/2014 is available at: http://ec.europa.eu/justice/article29/documentation/opinion-recommendation/files/2014/wp224_en.pdf
  11.  p. 16, free translation of “the provision must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller”
  12. p. 17, free translation of “also the fact that some data processing is covered by a contract does not automatically mean that the processing is necessary for its performance. For example, Article 7(b) is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on his click-stream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to deliver particular goods and services, for example. Even if these processing activities are specifically mentioned in the small print of the contract, this fact alone does not make them ‘necessary’ for the performance of the contract”.
  13. p. 8, free translation of “According to Opinion 06/2014 of WP29, the term ‘necessary for the performance of a contract’ needs to be interpreted strictly. The processing must be necessary to fulfil the contract with each individual data subject. (…) There needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract”.
  14. Deliberation of the restricted formation SAN-2017-006 of April 27, 2017 pronouncing a financial penalty against the companies FACEBOOK INC. and FACEBOOK IRELAND
  15. Opinion 06/2014 of the G29 is accessible here
  16. G29 opinion 03/2013 is accessible here
  17. p. 46, translation given in G29 opinion 06/2014, p. 52
  18.  p. 28, free translation of “‘measures or decisions’ do not only cover formal decisions and measures in a formal procedure. In other words: any relevant impact on particular individuals – either negative or positive – should be avoided”.
  19.  p. 45, free translation of “personalised discounts, special offers and targeted advertisements based on the customer’s profile” 
  20.  p. 46, translation given in G29 opinion 06/2014, p. 52
  21.  The notice “Protecting your personal information” from Amazon is published here, as well as attached in Appendix III to this complaint, where it is described as of May 28, 2018
  22.  The Amazon “Ads based on your interests” Notice is published here, as well as attached in Appendix IV of this complaint, where it is described as of May 28, 2018
  23.  The Amazon Terms of Service are published here, described as of May 28, 2018.

Annexes 

Appendix I: Statutes of La Quadrature du Net 

Annex II: List of persons who mandated La Quadrature du Net to bring this claim against Amazon 

Appendix III: The Notice “Protecting Your Personal Information” from Amazon published on https://www.amazon.fr/gp/help/customer/display.html/ref=footer_privacy?ie=UTF8&nodeId=201909010, copy as of May 28, 2018 

Appendix IV: Notice “Interest-Based Ads” amazon published on https://www.amazon.fr/gp/help/customer/display.html?ie=UTF8&%2AVersion%2A=1&%2Aentries%2A=0&nodeId=201149360 , copy dated May 28, 201