European privacy activist Max Schrems has filed a new batch of strategic complaints with technology giants including Amazon, Apple, Netflix, Spotify and YouTube.
The complaints, filed via its non-profit organization for the protection of privacy and digital rights, noyb, relate to how services respond to requests for access to data, in accordance with regional protection rules. Datas.
Article 15 of the European General Data Protection Regulation (GDPR) provides for a right of access by the data subject to the information contained in it.
The complaints argue that technology companies structurally violate this right: they have built automated systems to respond to requests for access to data that, after being tested by noyb, did not provide the data. user all relevant information to which they are legally entitled.
Indeed, noyb has tested a total of eight companies in eight different European countries and has stated that none of these services has provided a satisfactory response. She filed a formal complaint with the Austrian Data Protection Authority against the eight people, which also include the SoundCloud music and podcast platform; DAZN sports streaming service; and Flimmit On Demand video platform.
The complaints were filed on behalf of 10 users, under Article 80 of the RGPD, which allows people to be represented by a non-profit association such as noyb.
Here are the details of the responses received to his tests – including the maximum potential penalty each could have to pay if complaints hold up:
According to noyb, two of the companies, DAZN and SoundCloud, did not respond at all, while the others only replied with partial data.
In addition, noyb points out that in addition to obtaining raw data, users have the right to know the sources, recipients and purposes for which their information is processed. But only Flimmit and Netflix provided basic information (again, still not complete data) in response to test requests.
"Many services set up automated systems to respond to requests for access, but they often do not even remotely provide the data that each user is entitled to," Schrems said in a statement. "In most cases, the users only received the raw data, but, for example, no information about the people with whom the data was shared. This leads to structural violations of user rights, which are designed to retain relevant information. "
We asked the companies to comment on the complaints. Update: Spotify told us: "Spotify takes data privacy and our obligations to users very seriously. We are committed to complying with all relevant national and international laws and regulations, including the RGPD, which we believe to be fully compliant. "
Last May, immediately following the entry into force of the new European privacy regulations, Nobelb filed its first set of strategic complaints – targeted at what he called "consent". forced ', arguing that Facebook, Instagram, Google's Android operating system did not leave users free choice. consent to the processing of their data for ad targeting because the ad is required to use the service.
A number of data protection authorities are investigating these complaints.