Do you have an Amazon.com user account?
You'd be surprised. If you have a user account on one of the European Amazons, try logging into Amazon.com with the same credentials. You almost certainly do have a user account. That means, they almost certainly already have your data.
What personal data does Amazon.com collect?
No-one knows... My research whether Amazon.com has ever granted any GDPR data subject requests, and revealed which data they collect, has been inconslusive. So let's consider a simpler question: what personal data does Amazon.com have access to?
For once, it's obvious they know your shopping behaviour. As a EU citizen, you might not buy much stuff from Amazon.com in the US, so the shopping behaviour alone might not be so concerning. Unless they receive data from the European Amazon branches. Or from other shopping sites that belong to them, such as Audible, Yoyo, AbeBooks, ComiXology. Or from other services that belong to them such as IMDb, Goodreads, Twitch. These are just a few examples. There are dozens more. Do all these services share data with Amazon? No-one knows.
Do you have an Amazon Prime account? Then Amazon.com might know what you read, which music you listen to, which movies you watch. Maybe that's negligible compared to what's coming next.
Do you have an Alexa or Echo device? If so, do you know what has been recorded, where it is stored, and what is done with this data? No? Neither do I. For the record, Fire TV devices and Kindle Fire tablets with an up to date firmware have Alexa integrated as well. Do you know when they listen and what's done with the data? No? Nor do I. If you're under one of Amazon's European privacy policies, your data should be relatively safe. If your devices are connected to your Amazon.com account though, maybe not so much.
Now let's consider something less obvious, but even scarier. Amazon Web Services (AWS) holds about 33% of the global cloud infrastructure. That includes websites, web services, social media, basically for every single online/internet request that you make through any device, there's a chance of one third that it connects to a server that belongs to AWS. So ASW at least could have access to the information which sites and services you use, and even what you do on them. Do they collect this information? No-one knows... If so, do they share this data with Amazon? And if so, does Amazon use this data for profiling? Again, no-one knows... But we're entitled to know. That's why it's important to send more GDPR data subject requests to Amazon.com.
Severity of my own situation
Now consider that Amazon identified me as having committed "fraud" (entirely unwarrented, as we remember). Is it possible that this "fraud label" leaves quite a stain on my entire user account? At least possible, if not probable.
What would be the consequences of such a stain on my account (automated decision making in business processes for example)? Possibly quite awful.
Would it be possible that they share their opinion that I have committed fraud with third parties, either manually or by automated process? I would not be surprised.
Can anyone come into such situation? Unlikely, unless you're a seller, affiliate, author or other contactor. But impossible? No. After what I've been through, I'd say any ugly behavior from Amazon's side is possible, especially when remembering that Amazon.com already considers it a violation of their terms, for example, when you sell something that you've bought through their services.
How to write a GDPR data subject request?
Luckily this is not as hard as it sounds. With GDPR being implemented for many months already, others have come up with templates for us to use. The most comprehensive one is the "Nightmare Letter" by Constantine Karbaliotis. It contains so many requests, that it must be trimmed down to be useful as a data subject request to Amazon.com. Here's my own version of that letter:
I am writing to you in your capacity as data protection officer for Amazon.com, Inc. I am a customer of yours, and in light of recent events, I am making this request for access to personal data pursuant to Article 15 of the General Data Protection Regulation (GDPR). I am concerned that your company’s information practices may be putting my personal information at undue risk of exposure or has breached its obligation to safeguard my personal information in connection with the recent arbitration matter (AAA case number 011800003205). I want to know full information how my data has been processed in general as well as in this specific aforementioned case.
I am including a copy of documentation necessary to verify my identity. If you require further information, please contact me by email.
I would like you to be aware at the outset, that I anticipate reply to my request within one month as required under Article 12, failing which I will be forwarding my inquiry with a letter of complaint to the Dutch Autoriteit Persoonsgegevens and/or the German LDI NRW.
Please advise as to the following:
1. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.
c. Please provide me with a copy of, or access to, my personal data that you have or are processing.
2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.
3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.
a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.
b. Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.
4. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.
5. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.
6. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.
So all that remains to be done is replacing the name, your national agency for data protection, and the reason why you request your data (since I doubt that many of you have had a legal dispute with Amazon.com).
How to file a GDPR data subject request with Amazon.com
It took me four attempts to submit my request. There's no need for you to go through the same ping pong game and be redirected forth and back. The data subject request must be sent by email. Customer service at Amazon.com will tell you the email address if you keep nagging them. It would be prudent to go through the process of requesting the email address through the support chat, as that would be evidence of the fact in case Amazon.com doesn't honor your request, and you're going to complain with the authorities. It is important that you make it abundantly clear to the supporter that you want to send a data subject request to the American Amazon.com, and not to one of the European branches.
Should you still fail to obtain the email address from Amazon.com support, get in touch with me, and I'll let you know.
Once you have the email address, and send the letter to them, don't forget to attach a scan or photo of an ID document.
What if Amazon.com ignores the data subject request?
They have 30 days to comply with the request. After the time has passed, you can and should complain with your national agency for data protection. The EU has made it extremely easy for you to find the contact details of all the data protection authorities.
I personally handled the complaint through an attorney to make absolutely sure that I make no formal mistake in my communication, but a personally submitted complaint is just as valid and as important.
If you request your data from Amazon.com, it would be awesome if you let us know, the details of the process of getting your data, and whether you have to complain to the authorities. As a group we're stronger and more powerful than any of us individually, especially against a giant like Amazon.com.
In any case, when there's any news, I'll keep you updated here in the blog.
We don't have a comment section here in the blog, but you can leave comments and questions in our forum.
This blog post is part of a series on our legal dispute with Amazon.com. This is what's been released so far:
- The History of a Legal Dispute
- HeiDoc Smiles back at Amazon.com
- Closure of the Affiliate Accounts
- Playing the Waiting Game
- Conspiracy and Fraud
- More Allegations against us
- Breaking the Kindle Monopoly
- The Verdict
- How to sue Amazon.com
- Amazon's GDPR Fail