Say GDP-aaaRrrgh, streamers: Max Schrems is coming for you, Netflix and Amazon

Apple and others also in firing line as complaints filed

Updated Streaming services aren't complying with EU data protection law - namely the General Data Protection Regulation's right of access - according to a fresh suite of complaints aimed at the likes of Netflix, Amazon and Spotify.

Safe Harbor destroyer Max Schrems' privacy group NOYB (for None Of Your Business) today announced it had filed formal complaints with the Austrian data protection agency.

The complaints are aimed at eight companies - which also include Apple Music, YouTube, DAZN, SoundCloud, and Flimmit - and their alleged non-compliance with Article 15 of the General Data Protection Regulation, the "right of access by the data subject".

This states that people have the right to request copies of the information a company holds on them, which includes: the categories of personal data involved; where that data came from; who it has been shared with; and how long and where it will be stored.

However, NOYB said that when it put these eight streaming services' approach to requests for information to the test, it found them all lacking.

Two of the services it approached – UK sports streaming business DAZN and SoundCloud, which is headquartered in Germany – "simply ignored the request", NOYB said.

Meanwhile, major providers Apple Music, YouTube, Spotify and Amazon Prime were accused of ingraining "structural violations" of the law, by setting up automated systems that don't meet the bar.

"Many services set up automated systems to respond to access requests, but they often don't even remotely provide the data that every user has a right to," Schrems said.

"In most cases, users only got the raw data, but, for example, no information about whom this data was shared with. This leads to structural violations of users' rights, as these systems are built to withhold the relevant information."

According to NOYB, Amazon Prime, Apple Music, Spotify and YouTube all failed to provide background information – the term the group used to describe info on the sources and recipients of the data and the purposes for processing.

Only video service Flimmit provided users with raw data – Amazon Prime, Apple Music, Spotify, YouTube and Netflix only partially met this requirement.

Flimmit was also one of only two services – the other being YouTube – to have provided what NOYB said was intelligible data. For instance, the majority of files sent by Amazon Prime was said to have included "code information, non-intelligible to humans".

"In many cases, the raw data was provided in cryptic formats that made it extremely hard or even impossible for an average user to understand the information. In many cases certain types of raw data was also missing," NOYB said of the tests.

The group has filed 10 complaints (PDF) against the eight companies with the Austrian Data Protection Authority on behalf of 10 users, whose names have been redacted from the complaints.

The theoretical maximum penalty across all complaints could be as much as €18.8bn under the GDPR, but it is unlikely the agency will hand out top-level fines to all of the companies.

To date, the agency has awarded one monetary penalty for a GDPR violation, some €4,800 for a company that installed surveillance cameras without proper transparency or a notice.

The set of complaints is the second batch of GDPR-related challenges from the group. In May, on the day that the regulation came into force, it made four separate filings against Google, Facebook, WhatsApp and Instagram.

These related to what it called "forced consent" – that consent is a condition of using the service, and so can't be "freely given" as required under the law.

NOYB's aim is to ensure that tech giants are forced to comply with data protection laws, with Schrems arguing that they had been able to ignore previous regulations.

"We now have to make sure this does not happen again with GDPR – so far many companies only seem to be superficially compliant," he said.

We have contacted the companies for comment and will update this story if they reply.


Following publication of this article, Spotify sent us this statement:

"Spotify takes data privacy and our obligations to users extremely seriously. We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant."

And Amazon sent us this statement:

"Protecting the privacy of our customers is always a top priority and has been built into our services for years...We comply with any request from a data subject to provide access to the personal data that Amazon is processing." ®
