noyb, a European privacy enforcement non-profit organization which focuses on commercial privacy issues on a European level, has filed ten GDPR complaints with the Austrian Data Protection Authority, on behalf of ten users which it represents, against eight online streaming companies for violations of Article 15.
“As GDPR foresees € 20 million or 4% of the worldwide turnover as a penalty, the theoretical maximum penalty across the 10 complaints could be €18.8 billion,” says noyb.
According to Max Schrems, noyb’s Director, all those companies (i.e., Amazon, Apple, DAZN, Spotify, SoundCloud, YouTube, Flimmit, Netflix) have been tested to check their compliance of the General Data Protection Regulation (GDPR) “right to access” provision described in the EU regulation’s Article 15.
Complaints filed for “right to access” violations
The “right to access” grants all EU citizens the “right to get a copy of all raw data that a company holds about the user, as well as additional information about the sources and recipients of the data, the purpose for which the data is processed or information about the countries in which the data is stored and how long it is stored.”
After testing the eight companies “right to access” compliance, noyb found out that none of the eight streaming companies were fully compliant with Schrems going as far as to say that they were all engaging in “structural violation” of the EU data protection legislation.
According to noyb’s Director:
Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.
Out of all streaming services contacted during noyb’s test, DAZN and SoundCloud were the only ones which completely ignored the data requests.
The ones who did respond provided data which was either incomplete or incomprehensible, as was the case of the raw data and the user background information, or completely missing seeing that only Netflix and Flimmit were able to provide partial user background info in their replies.
Table of all complaints filed against the eight online streaming services
GDPR is a user and data privacy regulation that came into effect in the European Union on May 25, 2018, immediately used by noyb to file four complaints against Google, Instagram, WhatsApp, and Facebook on the day the new legislation was enacted over their use of “forced consent.”
As Schrems said in the complaints, the four firms were violating Article 7(4) by their failure to present users with individual data processing consent opt-ins.
Multiple other high profile companies targeted by GDPR complaints
During November 2018, Google was also targeted with GDPR complaints from multiple consumer groups according to The European Consumer Organisation for deceptive practices to track user location.
Also during November, Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax, and Experian were the subjects of a GDPR complaint filed by user rights group Privacy International for collecting the data of millions of their users and creating user profiles.
Twitter was also under investigation by the Irish Data Protection Commission (DPC) during October 2018 following a complaint filed by privacy researcher Michael Veale from the University College London in August because he was refused an answer to a request for link tracking information, as reported by Fortune.
[UPDATE] Today we filed a wave of complaints against 8 streaming services like @netflix, @Spotify, @daznglobal, @YouTube or @AppleMusic over structural violations of the #RightToAccess under #GDPR
⏩ Details: https://t.co/8u5E54qXvY
⏩ Press release: https://t.co/wlpfDJuOMJ pic.twitter.com/0EBqPgv4rw
— noyb (@NOYBeu) January 18, 2019