Privacy group Noyb just filed a series of complaints under Europe’s GDPR against Netflix, Amazon, Spotify, YouTube, Apple, and other streaming services. The complaints state that these companies are in violation of the GDPR’s Article 15, effectively breaking EU law.
Are Streaming Services Like Amazon and Netflix Breaking EU Law?
Are Streaming Services Breaking EU Law?
To get a better understanding of these complaints, let’s discuss Article 15 of the GDPR. This article deals with the “Right of access by the data subject”. This dictates that anyone who falls under the GDPR’s protection has the right to ask for their data. However, there are specifics that the data provided should fulfill. This includes data storage and use.
Noyb put to test which streaming services stick to the requirements of Article 15. They tested to see whether the companies would respond, send raw data, send intelligible data, and provide background information on the data. It turned out that all 8 companies were in violation of the law, albeit to varying degrees.
How Streaming Services Responded to Noyb
Noyb then filed complaints with the Austrian Data Protection Authority regarding these violations. If the authority finds these companies liable, then they may be looking at up to 4% of their yearly global turnover in fees.
List of Companies Tested by Noyb
- Amazon Prime
- Apple Music
- Sound Cloud
How These Companies Are Breaking EU Law
Now that we know what the premise of the complaints is, let’s take a look at the results Noyb got from their experiments.
Out of all 8 companies, DAZN and Sound Cloud did not even respond to the request for data. Flimmit responded well and provided the privacy company with both raw and intelligible data. YouTube also responded to the request, sending in intelligible data but failing to meet the requirements for the raw data sent over. Netflix, Apple, and Spotify also responded to the request but offered up Raw and intelligible data that doesn’t quite fit the GDPR’s requirements. None of the companies sent any information on what the data is being used for or where it’s stored, which is illegal under EU law.
Max Schrems, the director of Noyb, explained that while smaller-scaled companies reply to these kinds of requests case-by-case, most major companies use an automated reply, which causes a lot of problems.
“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
Are Streaming Services Breaking EU Law – Final Thoughts
Going by the GDPR, all of the 8 companies tested should be fined for their lack of adherence to EU law. However, we’ve gotten our hopes up about the GDPR before. This time, the companies were in direct violation of article 15. Hopefully, something will be done to guarantee their compliance and to provide a real-life example of what happens if companies don’t comply. Could this be the first GDPR fine of 2019? Only time will tell.