Say GDP-aaaRrrgh, streamers: Max Schrems is coming for you, Netflix and Amazon

Apple and others also in firing line as complaints filed


Updated Streaming services aren't complying with EU data protection law - namely the General Data Protection Regulation's right of access - according to a fresh suite of complaints aimed at the likes of Netflix, Amazon and Spotify.

Safe Harbor destroyer Max Schrems' privacy group NOYB (for None Of Your Business) today announced it had filed formal complaints with the Austrian data protection agency.

The complaints are aimed at eight companies - which also include Apple Music, YouTube, DAZN, SoundCloud, and Flimmit - and their alleged non-compliance with Article 15 of the General Data Protection Regulation, the "right of access by the data subject".

This states that people have the right to request copies of the information a company holds on them, which includes: the categories of personal data involved; where that data came from; who it has been shared with; and how long and where it will be stored.

Max Schrems

Max Schrems is back: Facebook, Google hit with GDPR complaint

READ MORE

However, NOYB said that when it put these eight streaming services' approach to requests for information to the test, it found them all lacking.

Two of the services it approached – UK sports streaming business DAZN and SoundCloud, which is headquartered in Germany – "simply ignored the request", NOYB said.

Meanwhile, major providers Apple Music, YouTube, Spotify and Amazon Prime were accused of ingraining "structural violations" of the law, by setting up automated systems that don't meet the bar.

"Many services set up automated systems to respond to access requests, but they often don't even remotely provide the data that every user has a right to," Schrems said.

"In most cases, users only got the raw data, but, for example, no information about whom this data was shared with. This leads to structural violations of users' rights, as these systems are built to withhold the relevant information."

According to NOYB, Amazon Prime, Apple Music, Spotify and YouTube all failed to provide background information – the term the group used describe info on the sources and recipients of the data and the purposes for processing.

Only video service Flimmit provided users with raw data – Amazon Prime, Apple Music, Spotify, YouTube and Netflix only partially met this requirement.

Flimmit was also one of only two services – the other being YouTube – to have provided what NOYB said was intelligible data. For instance, the majority of files sent by Amazon Prime was said to have included "code information, non-intelligible to humans".

"In many cases, the raw data was provided in cryptic formats that made it extremely hard or even impossible for an average user to understand the information. In many cases certain types of raw data was also missing," NOYB said of the tests.

The group has filed 10 complaints (PDF) against the eight companies with the Austrian Data Protection Authority on behalf of 10 users, whose names have been redacted from the complaints.

The theoretical maximum penalty across all complaints could be as much as €18.8bn under the GDPR, but it is unlikely the agency will hand out top-level fines to all of the companies.

To date, the agency has awarded one monetary penalty for a GDPR violation, some €4,800 for a company that installed surveillance cameras without proper transparency or a notice.

The set of complaints is the second batch of GDPR-related challenges from the group. In May, on the day that the regulation came into force, it made four separate filings against Google, Facebook, WhatsApp and Instagram.

These related to what it called "forced consent" – that consent is a condition of using the service, and so can't be "freely given" as required under the law.

NOYB's aim is to ensure that tech giants are forced to comply with data protection laws, with Schrems arguing that they had been able to ignore previous regulations.

"We now have to make sure this does not happen again with GDPR – so far many companies only seem to be superficially compliant," he said.

We have contacted the companies for comment and will update this story if they reply.

Updated

Following publicaqtoin of this article, Spotify sent us this statement:

"Spotify takes data privacy and our obligations to users extremely seriously. We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant."

And Amazon sent us this statement:

"Protecting the privacy of our customers is always a top priority and has been built into our services for years...We comply with any request from a data subject to provide access to the personal data that Amazon is processing." ®

Narrower topics


Other stories you might like

  • Amazon fears it could run out of US warehouse workers by 2024
    Internal research says the hiring pool has already dried up in a number of locations stateside

    Jeff Bezos once believed that Amazon's low-skill worker churn was a good thing as a long-term workforce would mean a "march to mediocrity." He may have to eat his words if an internal memo is accurate.

    First reported by Recode, the company's 2021 research rather bluntly says: "If we continue business as usual, Amazon will deplete the available labor supply in the US network by 2024."

    Some locations will be hit much earlier, with the Phoenix metro area in Arizona expected to exhaust its available labor pool by the end of 2021. The Inland Empire region of California could reach breaking point by the close of this year, according to the research.

    Continue reading
  • Amazon shows off robot warehouse workers that won't complain, quit, unionize...
    Mega-corp insists it's all about 'people and technology working safely and harmoniously together'

    Amazon unveiled its first "fully autonomous mobile robot" and other machines designed to operate alongside human workers at its warehouses.

    In 2012 the e-commerce giant acquired Kiva Systems, a robotics startup, for $775 million. Now, following on from that, Amazon has revealed multiple prototypes powered by AI and computer-vision algorithms, ranging from robotic grippers to moving storage systems, that it has developed over the past decade. The mega-corporation hopes to put them to use in warehouses one day, ostensibly to help staff lift, carry, and scan items more efficiently. 

    Its "autonomous mobile robot" is a disk-shaped device on wheels, and resembles a Roomba. Instead of hoovering crumbs, the machine, named Proteus, carefully slots itself underneath a cart full of packages and pushes it along the factory floor. Amazon said Proteus was designed to work directly with and alongside humans and doesn't have to be constrained to specific locations caged off for safety reasons. 

    Continue reading
  • Amazon not happy with antitrust law targeting Amazon
    We assume the world's smallest violin is available right now on Prime

    Updated Amazon has blasted a proposed antitrust law that aims to clamp down on anti-competitive practices by Big Tech.

    The American Innovation and Choice Online Act (AICOA) led by Senators Amy Klobuchar (D-MN) and House Representative David Cicilline (D-RI) is a bipartisan bill, with Democrat and Republican support in the Senate and House. It is still making its way through Congress.

    The bill [PDF] prohibits certain "online platforms" from unfairly promoting their own products and services in a way that prevents or hampers third-party businesses in competing. Said platforms with 50 million-plus active monthly users in the US or 100,000-plus US business users, and either $550 billion-plus in annual sales or market cap or a billion-plus worldwide users, that act as a "critical trading partner" for suppliers would be affected. 

    Continue reading
  • Threat of cross-border data tariffs looms over WTO
    Some countries call for moratorium to be lifted, tech industry not keen on potential costs

    Concern is growing that a World Trade Organization (WTO) moratorium on cross-border tariffs covering data may not be extended, which would hit e-commerce if countries decide to introduce such tariffs.

    Representatives of the WTO's 164 members are meeting in Geneva as part of a multi-day ministerial conference. June 15 was to be the final day but the trade organization today confirmed it is being extended until June 16, to facilitate outcomes on the main issues under discussion.

    The current moratorium covering e-commerce tariffs was introduced in 1998, and so far the WTO has extended it at such meetings, which typically take place every two years.

    Continue reading
  • AWS says it will cloudify your mainframe workloads
    Buyer beware, say analysts, technical debt will catch up with you eventually

    AWS is trying to help organizations migrate their mainframe-based workloads to the cloud and potentially transform them into modern cloud-native services.

    The Mainframe Modernization initiative was unveiled at the cloud giant's Re:Invent conference at the end of last year, where CEO Adam Selipsky claimed that "customers are trying to get off their mainframes as fast as they can."

    Whether this is based in reality or not, AWS concedes that such a migration will inevitably involve the customer going through a lengthy and complex process that requires multiple steps to discover, assess, test, and operate the new workload environments.

    Continue reading
  • Amazon accused of obstructing probe into deadly warehouse collapse
    House Dems demand documents from CEO on facility hit by tornado – or else

    Updated The US House Oversight Committee has told Amazon CEO Andy Jassy to turn over documents pertaining to the collapse of an Amazon warehouse – and if he doesn't, the lawmakers say they will be forced to "consider alternative measures."

    Penned by Oversight Committee members Alexandria Ocasio-Cortez (D-NY), Cori Bush (D-MO) and committee chairwoman Carolyn B. Maloney (D-NY), the letter refers to the destruction of an Edwardsville, Illinois, Amazon fulfillment center in which six people were killed when a tornado hit. It was reported that the facility received two weather warnings about 20 minutes before the tornado struck at 8.27pm on December 10; most staff had headed to a shelter, some to an area where there were no windows but was hard hit by the storm.

    In late March, the Oversight Committee sent a letter to Jassy with a mid-April deadline to hand over a variety of documents, including disaster policies and procedures, communication between managers, employees and contractors, and internal discussion of the tornado and its aftermath.

    Continue reading
  • Engineer sues Amazon for not covering work-from-home internet, electricity bills
    And no, I'm not throwing out this lawsuit, says judge

    Amazon's attempt to dismiss a lawsuit, brought by one of its senior software engineers, asking it to reimburse workers for internet and electricity costs racked up while working from home in the pandemic, has been rejected by a California judge.

    David George Williams sued his employer for refusing to foot his monthly home office expenses, claiming Amazon is violating California's labor laws. The state's Labor Code section 2802 states: "An employer shall indemnify his or her employee for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties, or of his or her obedience to the directions of the employer."

    Williams reckons Amazon should not only be paying for its techies' home internet and electricity, but also for any other expenses related to their ad-hoc home office space during the pandemic. Williams sued the cloud giant on behalf of himself and over 4,000 workers employed in California across 12 locations, arguing these costs will range from $50 to $100 per month during the time they were told to stay away from corporate campuses as the coronavirus spread.

    Continue reading

Biting the hand that feeds IT © 1998–2022