Noyb files another complaint against Amazon Europe – black box algorithm discriminates against customers

The e-commerce giant offers customers the possibility to pay for products later via "Monthly Invoicing". A customer was automatically rejected from using this payment method without Amazon giving any reasons why. When Amazon’s customer service could not provide any further information, the customer submitted an access request under Article 15 GDPR in order to find out why he was rejected – but the company still refused to provide any information.

By NOYB (guest author) · November 17, 2021

An Amazon customer wanted to make use of the possibility to pay for his order via “Monthly Invoicing”. Just seconds after his order was confirmed, he received an automatic e-mail in which the payment using “Monthly Invoicing” was rejected. Amazon urged him to make a credit card payment instead, as the order would otherwise be cancelled within 5 days. Amazon did not give any reason for the rejection and its customer service could not answer any questions about it – they merely referred to “the system’s decision”.

The GDPR requires transparency regarding solely automated individual decisions based on personal data, such as whether or not to allow payment on account. A company using automated decision making must provide the data subject with meaningful information about the logic involved and the scope of the underlying data processing at the time the data is collected (Article 13(2)(f) or Article 14(2)(g) GDPR). Amazon manifestly violates these provisions. Its privacy policy only contains vague information about some credit checking mechanisms but no explanation whatsoever of how the decision on allowing or rejecting payment via “Monthly Invoicing” is made.

Furthermore, under the GDPR any automatically taken decision must be verifiable by humans – who must have the capacity to override the machine’s decision. This is obviously not possible at Amazon, as their billing department clarifies: “This automated decision can have various causes and cannot be adapted manually.” Ironically, Amazon justifies this by saying that customer service cannot see the exact reason for the rejection “for data protection reasons”. Amazon also refused to clarify whether internal information or a negative credit score were used as part of the decision-making process.

The customer consequently filed an access request under Article 15 GDPR, hoping to shed some light on the issue. Despite the clear legal obligation in Article 15(1)(h) GDPR, Amazon’s reply to the access request also did not provide any information on why the payment via “Monthly Invoicing” was rejected. It just revealed a multitude of further GDPR violations: Instead of being provided with a copy of the data, as required by Article 15(3) of the GDPR, the customer was supposed to manually download 54 folders containing mostly incomprehensible tables. Amazon also provided no information on the purposes or legal basis of the data processing, and refused to provide any information on data sources or recipients – although the GDPR requires controllers to provide such information. Enquiries from the customer were dismissed with text blocks that did not clarify anything.

EDRi member Noyb’s complaint on behalf of the customer will now be handled by the Supervisory Authority of Luxembourg (Commission nationale pour la protection des données – CNPD), as Amazon Europe is seated in Luxembourg.

The article was first published here.

(Contribution by: EDRi member, NOYB)