International Institute of Communications

Shaping the policy agenda: TELECOMMUNICATIONS • MEDIA • TECHNOLOGY
Tel:+44 (0)20 8544 8076
Fax:+44 (0)20 8544 8077

social twitter sm  social linkedin sm  social youtube sm  social facebook sm

GDPR privacy violations reported by enforcement organisation

A test by noyb, a European non-profit organisation for privacy enforcement, shows violations of privacy law by most streaming services. In more than 10 test cases was able to identify violations of Article 15 of the General Data Protection Regulation (GDPR) by companies including Amazon, Apple, DAZN, Spotify and Netflix, and it has filed 10 strategic complaints against 8 companies. Under Article 15, users enjoy a “right to access”. Users are granted a right to get a copy of all raw data that a company holds about the user, as well as additional information about the sources and recipients of the data, the purpose for which the data is processed or information about the countries in which the data is stored and how long it is stored. No service fully complied in noyb’s test, and all major providers engaged in “structural violation” of the law, says Max Schrems, director of noyb.

While many smaller companies manually respond to GDPR requests, larger services like YouTube, Apple, Spotify and Amazon have built automated systems that claim to provide the relevant information. When tested, none of these systems provided the user with all relevant data. Says Schrems: “Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.” Two providers, DAZN and SoundCloud, ignored the request, says noyb. The rest of the streaming services provided at least some raw data in response to the access requests. However, these responses were lacking background information, such as the sources and recipients of data or on how long data is actually stored (retention period). Raw data was provided in cryptic formats that made it extremely hard or even impossible for an average user to understand. Read more

  • Wednesday, 23 January 2019

Stay up to date with the IIC

Tell us how you'd like to stay informed about events, interviews and more from the IIC. 

My IIC Preferences