Noyb files another complaint against Amazon Europe – black box algorithm discriminates against customers
The e-commerce giant offers customers the possibility to pay for products later via "Monthly Invoicing". A customer was automatically rejected from using this payment method without Amazon giving any reasons why. When Amazon’s customer service could not provide any further information, the customer submitted an access request under Article 15 GDPR in order to find out why he was rejected – but the company still refused to provide any information.
An Amazon customer wanted to pay for his order via “Monthly Invoicing”. Just seconds after his order was confirmed, he received an automatic e-mail rejecting payment via “Monthly Invoicing”. Amazon urged him to make a credit card payment instead, as the order would otherwise be cancelled within 5 days. Amazon did not give any reason for the rejection and its customer service could not answer any questions about it – they merely referred to “the system’s decision”.
Furthermore, under the GDPR any automatically taken decision must be verifiable by humans – who must have the capacity to override the machine’s decision. This is obviously not possible at Amazon, as their billing department clarifies: “This automated decision can have various causes and cannot be adapted manually.” Ironically, Amazon justifies this by saying that customer service cannot see the exact reason for the rejection “for data protection reasons”. Amazon also refused to clarify whether internal information or a negative credit score were used as part of the decision-making process.
The customer consequently filed an access request under Article 15 GDPR, hoping to shed some light on the issue. Despite the clear legal obligation in Article 15(1)(h) GDPR, Amazon’s reply to the access request also did not provide any information on why the payment via “Monthly Invoicing” was rejected. It just revealed a multitude of further GDPR violations: Instead of being provided with a copy of the data, as required by Article 15(3) of the GDPR, the customer was supposed to manually download 54 folders containing mostly incomprehensible tables. Amazon also provided no information on the purposes or legal basis of the data processing, and refused to provide any information on data sources or recipients – although the GDPR requires controllers to provide such information. Enquiries from the customer were dismissed with text blocks that did not clarify anything.
EDRi member Noyb’s complaint on behalf of the customer will now be handled by the Supervisory Authority of Luxembourg (Commission nationale pour la protection des données – CNPD), as Amazon Europe is seated in Luxembourg.
The article was first published here.
(Contribution by: EDRi member, NOYB)