GDPR gets real: Eight strategic complaints filed on “Right to Access”

noyb (a European non-profit organisation for privacy enforcement) has put the GDPR law and eight online streaming services from eight countries to the test – but no service fully complied.

In eight out of eight cases, noyb has filed formal complaints with the relevant data protection authorities. All major providers engaged in “structural violation” of the GDPR law, says Max Schrems, Director of noyb. 

A test by noyb shows structural violations of most streaming services. In more than 10 test cases noyb was able to identify violations of Article 15 GDPR in many shapes and forms by companies like Amazon, Apple, DAZN, Spotify or Netflix. noyb has filed a wave of 10 strategic complaints against 8 companies today.

Right to Access. Under the new General Data Protection Regulation (“GDPR”), users enjoy a “right to access”. Users are granted a right to get a copy of all raw data that a company holds about the user, as well as additional information about the sources and recipients of the data, the purpose for which the data is processed or information about the countries in which the data is stored and how long it is stored. This “right to access” is enshrined in Article 15 GDPR and Article 8(2) of the Chart of Fundamental Rights.

Structural Violations

While many smaller companies manually respond to GDPR requests, larger services like YouTube, Apple, Spotify or Amazon built automated systems that claim to provide the relevant information. When tested, none of these systems provided the user with all relevant data.

“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” says Max Schrems, director of noyb.

“In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”

DAZN and SoundCloud simply ignored the request

While all other streaming services have provided some response to the request of users to access their data at least, the UK sports streaming service “DAZN” and the German music streaming service SoundCloud have not even responded.

Missing Information & Incomprehensible Raw Data

The rest of the streaming services provided at least some raw data in response to the access requests. However, these responses were lacking background information, such as the sources and recipients of data or on how long data is actually stored (“retention period”).

In many cases, the raw data was provided in cryptic formats that made it extremely hard or even impossible for an average user to understand the information. In many cases certain types of raw data were also missing.

10 Complaints filed 

noyb has filed complaints with the Austrian Data Protection Authority (dsb.gv.at) against 8 companies, on behalf of 10 users today. The Austrian authority will have to cooperate with the relevant authorities at the main establishment of each streaming service. As GDPR foresees €20 million or 4% of the worldwide turnover as a penalty, the theoretical maximum penalty across the 10 complaints could be  € 18.8 billion.

Transparency is a Corner Stone

The right of access is a cornerstone of the data protection framework. Only when users can get an idea of how and why their data is stored or shared they can realistically uncover violations of GDPR and consequently take action.

Everyone can make a request

Every user has the right to get a copy of his or her data and to receive additional information. Usually users can fill out a form or send an email to most services. noyb has collected the links and forms for major streaming services on its webpage for everyone to use.

Table of all complaints

	Response	Raw Data	Data was Intelligible	Background Information1	Delay of Response	Company Location	Maximum Penalty³	Complaint
Amazon Prime					Download²	Luxembourg	€ 6.31 Billion	Link (PDF)
Apple Music					Download²	Ireland	€ 8.02 Billion	Link (PDF)
DAZN					Never	United Kingdom	€ 20 Million	Link (PDF)
Flimmit					30 days	Austria	Not requested	Link (PDF)
Netflix					27-30 days	The Netherlands	€ 415 Million	Link (PDF)
SoundCloud					Never	Germany	€ 20 Million	Link (PDF)
Spotify					Download²	Sweden	€ 163 Million	Link (PDF)
YouTube					Download²	USA	€ 3.87 Billion	Link (PDF)

1) In addition to the raw data, users have the right to know the sources, recipients, purposes and alike. 2) Instant download option on the webpage. 3) Approximate value for 2017 based on public information.