A privacy organization in Austria has filed complaints against eight major tech companies for allegedly violating the European Union’s General Data Protection Regulation (GDPR).
Under the GDPR’s “right to access” rule, companies are required to provide users not only with a copy of all data held about them, but also with an explanation of how it is used. Max Schrems, director of noyb, says all eight companies failed to fully comply when such requests were made.
“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” Schrems said in a press release. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with.”
While some tech firms partially complied, two of the companies, UK sports streaming service DAZN and Germany’s music streaming service SoundCloud, failed to even respond.
“The right of access is a cornerstone of the data protection framework,” noyb writes. “Only when users can get an idea of how and why their data is stored or shared they can realistically uncover violations of GDPR and consequently take action.”
Schrems says the complaints were filed with the Austrian Data Protection Authority on Friday and that penalties against the companies could reach up to 4 percent of their global revenues.
“As GDPR foresees € 20 million or 4% of the worldwide turnover as a penalty, the theoretical maximum penalty across the 10 complaints could be € 18.8 billion,” noyb notes.
Spotify released a statement in response to noyb on Friday, asserting that it is “fully compliant” with GDPR.
“Spotify takes data privacy and our obligations to users extremely seriously,” the company said. “We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant.”
Schrems and noyb filed similar complaints against Facebook and Google last year on the day the GDPR went into effect.