Amazon, Apple and six other big name companies are accused of not complying with the European Union’s General Data Protection Regulation in complaints filed in Austria by NOYB (none of your business), a European non-profit privacy watchdog.
Vienna, Austria-based data privacy activist Max Schrems filed grievances late last week with the Austrian Data Protection Authority (dsb.gv.at) against eight companies on behalf of 10 people. The maximum penalty, were the 10 complaints to be affirmed, could reach more than $21 billion, the equivalent of about 19 billion euros, NOYB said.
GDPR Concerns Explained
Schrems compared the GDPR’s “right to access” clause to the real-world practices of eight online streaming services in Europe -- Amazon Prime, Apple Music, DAZN, Flimmit, Netflix, Sound Cloud, Spotify and YouTube -- and determined each came up lacking. Under the GDPR, companies that collect the personal data of European Union citizens must adhere to a strict set of rules:
- You have a right to a copy of your data
- You can ask for your data to be deleted
- The company must present a specific, lawful reason to use your data
- Personal data must be encrypted
Schrems also claimed that automated systems used by the larger streaming services to provide users with the information they seek were inadequate and didn’t provide sufficient data to users. None of the automated systems supplied users with all relevant data required under the GDPR, Schrems said.
“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” he said. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
Data Privacy Activist: Who Is Max Schrems?
Schrems is a noted data privacy activist, having taken his first legal action in 2011 against Facebook when he was a college exchange student in Silicon Valley, challenging the social media giant’s policies on international transfer of the personal data of European citizens. His action contributed to the dismantling of the Safe Harbor agreement that had existed for years and was used by some 4,500 companies to transfer data to the U.S.
Last year Schrems filed complaints (on the day the GDPR went into effect) against Facebook, Google, Instagram and WhatsApp, contending they were coercing users into signing onerous service terms as a condition of access that impinged upon their privacy.
"In 1995 the EU already passed data protection laws, but they were simply ignored by the big players,” Schrems said. “We now have to make sure this does not happen again with GDPR – so far many companies only seem to be superficially compliant.”
GDPR Privacy Concerns: Amazon, Apple Statements and Policies
In responding to the complaint, Amazon told Reuters that it has launched a new “Privacy Help” page on its website to inform customers on the choices they can make about their data across all of the company’s platforms. “We comply with any request from a data subject to provide access to the personal data that Amazon is processing,” the company said on Friday. Spotify was less specific in its response: “We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant,” a spokesperson told the news outlet.
Apple intends to apply GDPR-type protection to all its customers worldwide, not just EU citizens, the company said. Users can submit an online request available to customers in the U.S., Canada and some other non-EU countries. But, to Schrems’ point, users might not receive a link to view the data Apple has collected on them for up to one week.
The GDPR enforcement authorities are going could be busy for the foreseeable future adjudicating a number of potential GDPR data privacy violations against big name players, including Facebook (again), Marriott, British Airways and others. Last October, European Data Protection Supervisor Giovanni Buttarelli said that by the end of 2018 organizations violating the GDPR’s privacy rules will be hit with fines, warnings or temporary bans. So far, we haven’t seen that happen.