The complaints, filed via his nonprofit privacy and digital rights organization, noyb, relate to how the services respond to data access requests, per regional data protection rules.
Article 15 of Europe’s General Data Protection Regulation (GDPR) provides for a right of access by the data subject to information held on them.
The complaints contend tech firms are structurally violating this right — having built automated systems to respond to data access requests which, after being tested by noyb, failed to provide the user with all the relevant information to which they are legally entitled.
Indeed, noyb tested eight companies in all, in eight different countries in Europe, and says it found none of the services provided a satisfactory response. It’s filed formal complaints with the Austrian Data Protection Authority against the eight, which also include music and podcast platform SoundCloud; sports streaming service DAZN; and video on-demand platform Flimmit .
The complaints have been filed on behalf of 10 users, per Article 80 of the GDPR, which enables data subjects to be represented by a nonprofit association such as noyb.
Here’s its breakdown of the responses its tests received — including the maximum potential penalty each could be on the hook for if the complaints stand up:
Two of the companies, DAZN and SoundCloud, failed to respond at all, according to noyb, while the rest responded with only partial data.
Also, noyb points out that in addition to getting raw data, users have the right to know the sources, recipients and purposes for which their information is being processed. But only Flimmit and Netflix provided any background information (though again, still not full data) in response to the test requests.
“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrems in a statement. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
We’ve reached out to the companies for comment on the complaints. Update: Spotify told us: “Spotify takes data privacy and our obligations to users extremely seriously. We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant.”
Last May, immediately after Europe’s new privacy regulation came into force, noyb lodged its first series of strategic complaints — targeted at what it dubbed “forced consent,” arguing that Facebook, Instagram, WhatsApp and Google’s Android OS do not give users a free choice to consent to processing their data for ad targeting, as consenting is required to use the service.
Investigations by a number of data protection authorities into those complaints remain ongoing.