Amazon’s integrity is under scrutiny as employees have allegedly been leaking consumer and company data for bribes, according to a report by the Wall Street Journal.

Amazon employees, particularly in China, are alleged to have been selling user information and other confidential material to independent sellers on the platform. Employees are also said to have been offering to delete negative reviews and restore banned accounts in exchange for a bribe.

Amazon’s reputation is built on consumer communication and transparency – it is a marketplace built on customer reviews, which earned it its immense brand power and enables thousands of small sellers to operate on the platform.

If the allegations are confirmed the retail giant might also be facing a multi-billion dollar fine under the General Data Protection Regulation (GDPR).

Could Amazon face a GDPR fine?

Oz Alashe, CEO of intelligent cybersecurity awareness platform, CybSafe, told Verdict:

“Given the type of content leaked – which at this stage, appears to be email addresses – Amazon may find itself in breach of GDPR.

“Even as a US company, EU regulators can levy fines of up to 4% of a company’s global turnover, which for a company like Amazon, would equate to a maximum penalty of roughly €7bn. However, in this instance, a maximum fine is unlikely as the leak appears to be mostly localised to China.

“Nonetheless, the extent of the data leak and bribes isn’t clear, and the number of customers affected also hasn’t been established. More transparency will be needed before we can determine more accurate financial consequences for all involved.

“Reputationally, however, this news will have already caused significant damage. Amazon is already in hot water over misuse of information, with allegations of ‘fake reviews’ hosted on its site. This latest news confirms that its data woes are growing,” he added.

Will Amazon’s reputation be affected?

Matt West, chief revenue officer at review platform Feefo, told Verdict:

“Deleting negative reviews is counter-intuitive. Not only does it falsely distort the image of the product or services a company like Amazon is selling, but it also causes doubt in the consumer’s mind that the reviews are even real in the first place, a wholly positive picture is too good to be true.

“It’s rare to buy something online without seeing some negative sentiment, and in most cases it’s not even about the product but poor delivery, for example. Businesses need to realise that consumers value trust and transparency above all else, our research indicates that 89% of UK consumers agree with this.

3 Things That Will Change the World Today

“This demonstrates the need for retailers to become more transparent. Retailers must ensure their customers are basing decisions from real opinions of other customers rather than cherry-picked, positive reviews that suit the retailer, in order for customers to trust them. A direct result will be customers sticking with that brand for the long-term.”

Amazon data leaks mostly in China

Wall Street Journal reports that the data leaks and malpractice is particularly problematic in China. Amazon employees are said have worked through brokers in Shenzhen, using messaging service WeChat, offering data and Amazon internal information for sums of $80 to $2,000.

It is a human corruption problem rather than a technology breach, and there is a question over how Amazon will deal with the problem.

Co-founder of The Privacy Compliance Hub Nigel Jones told Verdict:

“If customer data is being sold by Amazon employees, then either Amazon, its employees, or both could be subject to enforcement action.  Reports are suggesting that the sale of the customer data may be occurring in China and the USA.  However, if the customer data itself is that of EU citizens then, in theory, the GDPR applies to those selling it, wherever they are.

“In practice, the regulator will target Amazon itself. Amazon may seek to argue that it has taken all reasonable steps to protect such customer data, and that it should not be vicariously liable for the acts of rogue employees.  This was a defence unsuccessfully run by Morrisons in the UK for a breach of the old Data Protection Act.

“Following so soon on the heels of the recent British Airways data breach, it seems that such breaches are going to be made public more often, perhaps because of the stricter notification requirements under the GDPR.

“Companies should make sure that they have compliance programmes in place and know exactly what they are going to do if they have a similar data breach,” Jones said.

Transparency, a mutual value of GDPR and Amazon

Managing director of the Direct Marketing Association, which worked with the Information Commissioner’s Office in the lead up to GDPR, Rachel Aldighieri said:

“Accountability and transparency are two of the core principles of GDPR. Although the practice of Amazon employees selling customer data appear to have predominantly been in China, if it includes any citizen or resident of the EU then the GDPR will apply.

“Beyond monetary penalties the impact on customers trust in the business could have much longer-term repercussions.

“People’s data privacy must be front of mind for all businesses and its important companies provide consumers with the transparency they want – DMA research earlier this year found that 88% of people in the UK want more transparency around how their data is used.”