Austrian privacy group claims that large tech companies are violating the GDPR

An Austrian privacy rights group argues that large tech companies such as Amazon, Netflix, Spotify, Apple and YouTube do not comply with the General Data Protection Regulation. It is about the right to ask what data the companies hold.

The NGO called noyb, of which the well-known Austrian privacy advocate Max Schrems is the director, states that none of the companies or services examined comply with the General Data Protection Regulation. This concerns the right for users to knock on the door of the companies and ask what data the companies have about them. The companies DAZN and SoundCloud have not responded to requests to this effect at all, writes noyb. The other six companies or services, namely Amazon Prime, Apple Music, Flimmit, Netflix, Spotify and YouTube, did come up with an answer, but according to noyb they are not sufficient.

Noyb states that many smaller companies often manually answer these kinds of AVG requests. According to the group, this is different at large companies such as YouTube, Apple, Spotify and Amazon; they work with automated systems to fulfill user requests. Noyb concludes that none of these systems, however, came up with relevant data. Background information such as the sources, possible recipients of the data and the retention period was often missing. In addition, the ‘raw data’ was often supplied in ‘cryptic formats’, making it ‘extremely difficult or impossible’ for users to understand the information, according to noyb. In many cases, certain types of raw data were also missing, noyb notes.

Max Schrems says these systems “often don’t come close to providing the data that every user is entitled to.” According to him, users often only receive the raw data, but no information is given, for example, about who this data has been shared with. According to Schrems, this constitutes a structural violation of users’ rights, because the systems are “built to prevent users from accessing the relevant information.”

The privacy group has filed complaints against the eight companies on behalf of ten users with the Austrian privacy watchdog. The General Data Protection Regulation prescribes that a fine of 20 million euros or 4 percent of worldwide turnover can be imposed. According to noyb, this means that the theoretical maximum fine for the ten complaints can amount to 18.8 billion euros. Noyb has previously filed complaints about Google, Facebook, Instagram and WhatsApp with four EU privacy regulators.