Streaming media services violating users' GDPR rights, Schrems says in complaints

News by Tom Reeve

Streaming media services are failing to provide their users with access to their data as required under the GDPR, according to complaints filed by Max Schrems and Noyb against eight companies.

Max Schrems (pic: Lukas Beck)

Max Schrems, famous for his role in overturning Safe Harbour in 2015, is challenging eight streaming media companies over alleged abuse of GDPR.

Schrems is director of Noyb, a new European non-profit organisation for privacy enforcement, which has filed complaints with the Austrian Data Protection Authority against eight companies representing 10 users. The Austrian authority will have to liaise with the data authorities in each of the European countries where the companies are officially based.

The complaints claim that each of the eight companies violated Article 15 of the General Data Protection Regulation (GDPR).

Under the GDPR, users enjoy a right of access to the raw data held by the company about them, as well as the sources of the data and with whom it has been shared, the purpose for processing the data and the country in which the data is stored.

Noyb filed subject access requests with each company and found they failed to respond adequately, Schrems claimed in a blog post on the Noyb website.

Four of the companies – Amazon Prime, Apple Music, Spotify and YouTube – used automated systems but none of them provided all the relevant data, Schrems claimed.

He said: "Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information."

Two companies – DAZN and SoundCloud – ignored the requests, he said.

The other two – Flimmit and Netflix – provided some raw data, but it was missing some background information, he said.

*Source: Noyb

"The right of access is a cornerstone of the data protection framework. Only when users can get an idea of how and why their data is stored or shared they can realistically uncover violations of GDPR and consequently take action," he said.

Under Article 80 of the GDPR, individuals can be represented by a third-party when filing complaints. "Noyb is meant to reasonably enforce the new law, so that the benefits actually reach the users," Schrems said.

Meanwhile, Russia’s communications watchdog has opened civil cases against Twitter and Facebook, according to a report on Reuters.

Roskomnadzor says Twitter and Facebook had failed to explain how they would comply with legislation requiring servers which store the personal data of Russian citizens to be located in Russia.

The companies have been told they have a month to supply the information before civil action would be taken against them.

Currently the penalty for failing to comply is a small fine equivalent to a few thousand pounds or having your service blocked by the Russian government. However, the Russian government is reportedly mulling far stiffer fines for tech companies that fail to comply.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews