Streamers fail to meet GDPR obligations according to noyb, a European non-profit organization for privacy enforcement. noyb made a number of test requests under Article 15 of the General Data Protection Act (GDPR) which gives users a ‘Right of Access’ to the data that an organisation holds. Under the legislation users are granted a right to get a copy of all raw data that a company holds about the user, as well as additional information about the sources and recipients of the data, the purpose for which the data is processed or information about the countries in which the data is stored and how long it is stored.
noyb made test requests to eight online streaming services from eight countries but no service fully complied (see table). As a consequence, noyb has filed complaints with the Austrian Data Protection Authority (dsb.gv.at) against 8 companies on behalf of 10 users. Under GDPR there is the potential for fines of up to €20 million or 4% of the worldwide turnover which puts the theoretical maximum penalty across the 10 complaints at €18.8 Bn.
Max Schrems, director of noyb, said, “Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
While most of the streaming services responded to the noyb requests the UK sports streaming service ‘DAZN’ and SoundCloud did not provide a response.
noyb filed the data requests on behalf of all ten users using Article 80 of the GDPR which allows data subjects to be represented by a non-profit association acting on their behalf.