Presentation
Streaming platforms sued for GDPR violations
Following initial legal action against Big Tech companies triggered by the GDPR’s implementation, it is now the turn of streaming platform providers to be prosecuted for data protection breaches.
“NOYB” – None of Your Business – is a non-governmental organization founded by Max Schrems dedicated to fighting for personal data protection. Significantly strengthened since the GDPR came into effect, the NGO filed four complaints in May 2018 for “forced consent” against Google, Instagram, WhatsApp, and Facebook.
On January 19th, this internet users’ rights organization announced it had filed a complaint with the Austrian Data Protection Authority against eight streaming platforms: Netflix, YouTube, Amazon Prime, SoundCloud, Apple Music, DAZN, Flimmit, and Spotify.
Users’ right of access and control
The issues at hand are the lack of guarantees to internet users regarding access to personal data held by these companies and the lack of transparency concerning its use. More specifically, compliance with Article 15 of the GDPR is at stake. This article concerns the right of individuals to access their personal data, including confirmation as to whether or not personal data concerning them is being processed and, if so, access to it.
Max Schrems, director of noyb: “Many services implement automated systems to respond to access requests, which often don’t even provide the data to which each user is entitled. In most cases, the individuals concerned only receive raw data without, for example, any information regarding the identity of the people with whom this data has been shared. This leads to structural violations of users’ rights because these systems are designed to hide relevant information.”
While Flimmit provided responses deemed relatively satisfactory by NOYB, SoundCloud and DAZN did not respond to the requests sent. The others, for their part, sent information considered insufficient in light of the obligations imposed by the new European regulations.
GDPR: Potentially very heavy fines for DAZN and Spotify
DAZN and SoundCloud have global revenues too low for the GDPR’s revenue-based ceiling to apply, which exposes them to a maximum fine of €20 million. For Amazon Prime, Apple Music, Netflix, Spotify, and YouTube, the fines could be much higher.
See attached table for a summary of the complaints and the amounts of the fines.
In early September 2020, the proceedings resulted in an initial ruling with mixed consequences. While the case was dismissed on its merits by [the relevant authority], the other parties involved have seen varying outcomes: DAZN's case has been referred to the Austrian Federal Administrative Court because the data protection authority failed to issue a ruling. YouTube has launched an appeal, which is still pending, against the competent data protection authority. The other proceedings do not appear to have progressed or been successful.
Online multimedia content platforms: Monitoring compliance with the GDPR
In 2020, the noyb association continued its campaign by contacting around thirty companies to ask them how they were handling data transfers following the European decision that invalidated the Privacy Shield. “The responses ranged from detailed explanations to admissions that these companies had no idea what was going on, to outrageously aggressive denials of the law,” summarizes Max Schrems. Since then, several of these services have been the target of cyberattacks or other complaints for breaches of data protection obligations under the GDPR.
In November 2020, the Spotify platform was the target of a cyberattack resulting in the theft of more than 400,000 account credentials. The hackers used this data to power a pirate streaming service and/or to carry out forms of streaming boosting, a practice that artificially inflates the number of plays on certain artists’ tracks.