VIENNA (Reuters) - Non-profit group noyb, led by privacy activist Max Schrems, said it had filed a complaint against Amazon to the German data protection authority over a lack of data security in a case it said could lead to fines of more than $4 billion.
Amazon's email servers, used for direct communication between customers and third-party sellers on the platform, do not allow baseline industry encryption in some cases, breaking security rules under the European Union's General Data Protection Regulation (GDPR), noyb said on Wednesday.
"Noyb submitted a complaint to the supervisory authority of the state of Hessia in Germany on behalf of an Amazon seller," the group said in a statement.
The complaint was submitted to the Hessia data protection authority (DPA) because the seller was located in the German state, Schrems said. It was likely that the Luxembourg watchdog would have to investigate the matter too as Amazon has its European headquarters there.
Amazon did not immediately provide a comment.
European regulators have taken a tough line on U.S. tech giants. In the present case GDPR foresees fines of up to 2% of global revenue for companies that break the rules, according to noyb. Amazon reported 2019 sales of $280 billion.
Schrems is a veteran privacy campaigner who took his first legal action against Facebook as a student in 2011. His case ultimately resulted in what lawyers called a "bombshell" ruling in 2015, knocking down the Safe Harbour data transfer framework between the European Union and the United States.
Now a lawyer, Schrems has filed complaints against Facebook, Amazon, Google, Instagram and WhatsApp in recent years.
($1 = 0.9268 euros) (Reporting by Kirsti Knolle; editing by David Evans)