Noyb, a non-profit organization that is engaged in the assurance of consumer privacy rights in Europe, has filed multiple GDPR complaints against Amazon, Apple, DAZN, Flimmit, Netflix, SoundCloud, Spotify, and YouTube. The organization has investigated the ways that these companies handle user data and provide the “right to access” that is provisioned by “Article 15” of the EU regulation that encompasses the General Data Protection Regulation (GDPR). The findings of the investigation reveal that the approach of the companies on this requirement is epidermic.
More specifically, many have set up automated systems to respond to data access requests filed by the users, only to actually provide unusable raw data without any details regarding the other parties that accessed this data, who they are, and how they used it. This creates a fake image of compliance with the GDPR, but the essence of the responses clearly indicate that there are violations of the users’ rights. Some of the companies like DAZN and SoundCloud didn’t even bother to respond to the data requests at all.
This is why Noyb filed their GDPR complaints with the Austrian Data Protection Authority, justifying them through several points, including the lack of information about the purposes of the user data processing, lack of information regarding the recipients of the user data, lack of information about the retention period of the user data, no information about the right to lodge a complaint, no information about the appropriate safeguards that are in place for the transferring of the user data, and more. The total maximum penalty that can be imposed on the eight companies reaches €18.8 billion, corresponding to the 4% of the worldwide turnover of each company that is accused of GDPR violations.
As hefty as these fines may be, the companies seem to have trouble aligning with the legislation that came into effect over seven months ago, as this is not the first time that GDPR complaints were submitted against them. Other data protection commissions have filed complaints against online platform giants in recent months, following relevant investigations that yielded similarly disappointing results. The Irish Data Protection Commission investigated Twitter back in October, while in November, Google was targeted by multiple European consumer protection groups. At the same time, Oracle, Equifax, Criteo and others received a data collection complaint from the Privacy International group. It is evident from the above that GDPR complaints are now a strong lever of coercion in the hands of data protection rights groups, still, though, the full compliance of those who collect and manage our data is still away from today.
Do you believe that data collectors will be compelled to comply with the GDPR regulations after the imposition of the fines? Let us know of your opinion in the comments below, and don’t forget to like this story and subscribe to our socials on Facebook and Twitter.