Apple, Amazon, Netflix, Spotify and Youtube are among eight tech firms named in a complaint filed in Austria by non-profit organization noyb, which cited their failure to comply with the European Union’s General Data Protection Regulation (GDPR).
The action by noyb, a European non-profit organization for privacy enforcement, follows tests that showed structural violations of most streaming services.
In more than 10 test cases noyb was able to identify violations of Article 15 GDPR in many shapes and forms by companies like Amazon, Apple, DAZN, Spotify or Netflix. noyb says it has filed a wave of 10 strategic complaints against 8 companies.
Under the new General Data Protection Regulation (GDPR), users enjoy a “right to access”. Users are granted a right to get a copy of all raw data that a company holds about the user, as well as additional information about the sources and recipients of the data, the purpose for which the data is processed or information about the countries in which the data is stored and how long it is stored. This “right to access” is enshrined in Article 15 GDPR and Article 8(2) of the Chart of Fundamental Rights.
While many smaller companies manually respond to GDPR requests, larger services like YouTube, Apple, Spotify or Amazon built automated systems that claim to provide the relevant information. According to noyb, none of these systems provided the user with all relevant data.
Max Schrems, director of noyb: “Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
According to noyb's tests, DAZN and SoundCloud simply ignored the request. While all other streaming services have provided some response to the request of users to access their data at least, the UK sports streaming service “DAZN” and the German music streaming service SoundCloud have not even responded.
The rest of the streaming services provided at least some raw data in response to the access requests. However, noyb sais that those responses were lacking background information, such as the sources and recipients of data or on how long data is actually stored (“retention period”). In many cases, the raw data was provided in cryptic formats that made it extremely hard or even impossible for an average user to understand the information. In many cases certain types of raw data were also missing.
The GDPR foresees fines of up to 4 percent of global revenues for companies that break the rules.