European NGO noyb (‘none of your business’) filed ten GDPR-related complaints against eight international streaming services on January 18, 2019. The complaints allege that the concerned streaming services have not fully — and in some cases not at all — responded to the lawful ‘right of access by the data subject’ (Article 15 of GDPR) with ‘transparent information, communication and modalities’ (Article 12); and are therefore in breach of GDPR.
Four of the companies concerned are large American firms: Amazon Prime; Apple Music; Netflix; and YouTube. Four are European: DAZN (London); Flimmit (Vienna); SoundCloud (Berlin); and Spotify (Stockholm). The maximum possible fines under GDPR range from €8.02 billion for Apple down to €20 million for DAZN and Spotify. The complaints have been filed under the authority of Article 80, which gives data subjects the right “to mandate a not-for-profit body, organisation or association which has been properly constituted”; in this case noyb.
noyb is the brainchild of privacy activist and lawyer Max Schrems. While still a student, his complaints against Facebook made under the pre-GDPR (the European Data Protection Directive) laws ultimately led to the European Court of Justice striking down the original Safe Harbor between Europe and the U.S as unconstitutional.
Schrems also has previous with GDPR-specific complaints. On the same day that GDPR was enforced (May 25, 2018), noyb filed four separate complaints against Google (Android), Instagram, WhatsApp, and Facebook. The Google complaint was examined by France’s CNIL data protection regulator. Co-incidentally or not, CNIL yesterday (January 21, 2019) announced a €50 million fine on Google as at least partial response to noyb. Noyb’s complaint was followed within days by a separate and similar complaint from France’s La Quadrature du Net (another internet freedoms organization).
CNIL found that Google was in breach of GDPR in two primary manners. Firstly, it breached the principles of transparency and information; and secondly, it was in breach of the need to have a legal basis for its advertisement personalization processing. Matt Lock, Director of sales engineering at Varonis, comments, “The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR. The news should be hitting companies like a cold shower. It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls.” Google will undoubtedly appeal this ruling.
In the meantime, the transparency issue is of interest: transparency lies at the heart of noyb’s latest complaints. Working with eight users of the eight streaming services (effectively, proxies for noyb), Schrems’ group made data access requests against the streaming services. One month must be allowed for the response (the Apple Music request was, for example, made on October 2, 2018). DAZN and SoundCloud did not respond at all — the others did, but not to noyb’s satisfaction. Noyb measured the responses in terms of raw data, intelligibility, and background information.
Only Flimmit provided raw data that satisfied Noyb. Only Flimmit and Netflix provided data that was intelligible. In all other cases where user data was provided, it was considered only partly acceptable — except for ‘background information’ which was partly acceptable from Flimmit and Netflix, and non-existent from the other companies. None of the eight companies — in noyb’s eyes — passes muster against GDPR, and all have had complaints filed.
“Many services set up automated systems to respond to access requests,” commented Schrems, “but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
While at first glance the right of access to user data might seem a lower priority within GDPR, it provides direct access to the heart of the legislation. The background data should provide information, not merely on what data is held, but who it is shared with and where it is stored. Many people knowingly give consent for the collection of personal data, but few knowingly consent for that data to be shared with unknown third parties.
So just as the Google complaint centered around the transparency with which data is collected, these complaints focus around the transparency with which it is shared to third-parties.
All eight complaints have been filed with the Austrian Data Protection (DSB) authority. The DSB will pass the complaints to the regulator in the country of primary operation of the streaming services. So, for example, it should handle the Flimmit complaint itself, and pass the DAZN complaint to the UK’s Information Commissioner’s Office. These two services are de facto in breach of GDPR since they did not respond to the access request at all.
The remaining six services did respond, so the complaints are that they did not respond adequately. Amazon Prime should be handled by the Luxembourg regulator, Apple Music in Ireland, and Netflix in The Netherlands. It is not clear at this stage which regulator will handle the YouTube complaint.
How long it will take for the complaints to be processed is anyone’s guess at this stage. “How long the process will now take is an unknown given the volume of [GDPR] complaints which have reportedly been made,” David Flint, senior partner at law firm MacRoberts LLP, told SecurityWeek. “although this week the French Supervisory Authority did impose a €50m on Google in response to what NOYB is hailing as one of their complaints – so possibly 9 months to a year of investigation.”
He believes that regulators have so much work that they are prioritizing based on apparent importance. “In the UK (and perhaps elsewhere) much of the focus appears to be on the use of data in politics following the Cambridge Analytica revelations,” he added. This, noticeably, seems to be happening on both sides of the Atlantic, with the FTC currently thought to be considering a major fine on Facebook over the same incident.
The Apple Music complaint is interesting since Apple CEO Tim Cook has recently been attempting to differentiate Apple from other tech giants via its apparent support for personal privacy. In a speech in October 2018, he expressed support for both European and U.S. privacy laws, and commented, “Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency.”
This noyb complaint will either confirm Apple’s commitment to personal privacy or expose it as marketing hype. However, it also shows the weakness in the complaints against the six companies that did respond. The Apple complaint includes phrases like, “There is a well-founded suspicion that the respondent…” and, “In addition, the Respondent seems to retain…”
It is worth noting that the complaints seem to be based on a single access request. This is partly the reason for UK-based lawyer Dr Brian Bandey’s comment, “We don’t know at this stage what noyb is trying to do.” It has requested fines of a ‘dissuasive’ nature. But Bandey told SecurityWeek, “The key to understand is that fines and other types of sanctions bear a proportional relationship to the loss and damage suffered by data subjects. In the ‘noyb’ scenario, we cannot tell whether the GDPR Breaches have been identified through an activity undertaken to test them. If one was running such a test – it’s plausible to argue that Data Subjects would be chosen since theyíre not at risk.”
Bandey points to noyb’s own literature, which says, “In addition, noyb will follow the idea of targeted and strategic litigation to maximize the impact on the future of your right to privacy.” Bandey isn’t sure at this stage whether the complaints are designed to be ‘structural’ (that is, serious complaints against the structure of the companies concerned), or strategic (that is, designed to highlight current GDPR weaknesses to get them improved). “As I say,” he said, “one can’t tell.”
If the complaints are upheld, this doesn’t point to the huge fines like that from CNIL against Google. Six of the respondents did respond, just not to noyb’s satisfaction. It may be that noyb is attempting to highlight weaknesses in the companies’ GDPR implementation rather than dramatically punish them. The symmetric nature of the complaints (four U.S. companies, four European companies across at least seven different European regulators) lends some weight to the idea that these are strategic complaints.
SecurityWeek wrote to noyb, the UK ICO, and Apple to try to get a better understanding on what is happening. None of these organizations responded. If any do, their comments will be appended to this article.