Citing a potential violation of the 2018 European General Data Protection Regulation (GDPR), prominent Austrian privacy activist Max Schrems and his digital rights nonprofit organization noyb (“none of your business”) have filed GDPR complaints on behalf of ten European users against eight major streaming companies, including YouTube, Netflix, Spotify, Apple and Amazon. Schrems alleges that these companies are in violation of the GDPR’s “right to access” provision, which enables all European data subjects to view not only the raw data that companies have collected on them, but also information about how that data is shared with others and used, where it is stored, and for how long it is stored.
Implications of the GDPR complaints
If these tech companies are found guilty of a violation, they could be looking at hefty penalties. That’s because, under the terms of the GDPR, companies face a maximum penalty of 4 percent of their worldwide turnover, or €20 million, whichever is higher. According to noyb, these companies could be facing a combined penalty of €18.8 billion – a shockingly high number by any standard. The most prominent victims would be Apple, which could be facing a penalty of €8.02 billion; Amazon, which could be facing a penalty of €6.31 billion; and YouTube, which could be facing a penalty of €3.87 billion.
Given the size of these potential penalties, it’s perhaps not surprising that these big tech companies are likely to defend themselves against these GDPR complaints. Without the threat of billion-dollar penalties, the tech companies might have just ignored the GDPR complaints, viewing them as just an inconvenience rather than an existential threat to their business. Thus far, though, the only company that has issued an official statement on the GDPR complaints is Spotify, which emphasized that it “takes data privacy seriously.”
Evidence of non-compliance by top tech companies
There’s obviously a lot to unpack here about the GDPR complaints. The most obvious question, of course, is the following: Did the big tech companies actually do anything wrong? If you read the fine print, the decision to lodge a complaint with the Austrian Data Protection Authority on behalf of the 10 users is actually based on a “structural violation.” According to the GDPR complaints, the automated systems set up by the big tech companies to respond to customer data requests (as required by Article 15 of the GDPR) did not go far enough, and in fact, were built to withhold information.
For example, if you look at the charts that Schrems and his privacy rights organization noyb have constructed to support their formal GDPR complaints, you can see that 6 of the 8 companies contacted provided the raw data requested by the data subjects. Only two of the eight companies, SoundCloud and DAZN, failed to respond at all. But the problem is that the companies gave very little or no background information on how that raw data was being used. In some cases, the data was unintelligible. And in other cases, the data may have been intelligible, but was completely unsupported by any context or background information.
Potential impact
The bigger picture here is that Schrems is filing what can best be described as “strategic complaints.” He specifically sought out the biggest companies he could find (i.e. Apple, YouTube, Amazon) and organized his GDPR complaints around one central theme: streaming services. In the case of Apple, it was Apple Music, and in the case of Amazon, it was Amazon Prime Video. Netflix, Spotify and YouTube also all fall within this one general category. The message of the GDPR complaints appears to be the following: We’re going to test just how far the GDPR protects the rights of EU data subjects when it comes to streaming services.
In 2018, Schrems and noyb employed the same general approach. As soon as the GDPR went into effect in May, he filed a “forced consent” complaint against Facebook, Instagram, WhatsApp and Google. According to Schrems, these major companies did not give data subjects a free choice on consent, as required by the European GDPR. In other words, if you don’t consent to your data being used by these companies, then you can’t use their services. There’s no real choice here, and thus, the decision to file the GDPR complaints.
Next steps
So what happens next as a result of the GDPR complaints? For now, the ball is in the court of the Austrian Data Protection Authority, which is the relevant national supervisory authority for this case, given that noyb is based in Austria. If the supervisory authority in this EU member state finds that the complaint has merit, that’s when things could start to get dicey for the big streaming companies.
We’re still a long way from any maximum penalties being doled out, though. And, given that we’re talking about a “structural violation” rather than any criminal or wrongful misuse of data, it’s hard to see that the penalties would come anywhere close to the outlandish €18 billion figure presented by Schrems and his organization.
One thing is certain: no matter how this complaint proceeds, it’s increasingly clear that the test cases for the GDPR are only going to grow in number and intensity as long as the big tech companies do not take the processing of personal data seriously. This case involving the big eight streaming companies and how they respond to data access requests is a perfect illustration of this fact.
The companies appear to be adhering to the European GDPR, but only on the most basic level possible. They are adopting a formulaic approach to compliance, trying to check all the boxes in the easiest way possible. For example, if Article 15 of the GDPR forces them to give “right to access” privileges to data subjects, then they are only going to give the minimum amount of access possible – even going so far as just to provide the raw data and nothing more.
The good news in all this, of course, is that getting the biggest possible tech companies to recognize the importance of personal data privacy is going to make it a lot easier for other companies to jump onboard as well. If smaller companies see that heavyweights like Amazon, Apple, Netflix and Spotify are adopting more rigorous implementation of GDPR provisions, it will raise the bar for the rest of the industry when it comes to personal data privacy.