A European Union regulator has proposed a fine of more than $425 million against Amazon.com Inc., part of a process that could yield the largest-yet penalty under the bloc’s privacy law.

Luxembourg’s data-protection commission, the CNPD, has circulated among the bloc’s 26 other national authorities a draft decision authorizing Amazon’s privacy practices and proposing the fine. The CNPD is Amazon’s lead privacy regulator in the EU because Amazon has its EU headquarters in the Grand Duchy.

The Luxembourg case relates to the alleged violation of Europe’s General Data Protection Regulation, or GDPR, linked to Amazon’s collection and use of personal data, and isn’t related to its cloud-computing business, Amazon Web Services, one of the people aware of the matter said. The person refused to elaborate on the particular allegations against Amazon.

An Amazon spokesperson refused to comment. The company had previously stated that the privacy of its customers is a priority and that it complies with the law in all countries where it operates. A spokesman for the CNPD stated that the regulator wasn’t allowed to comment on individual cases.