An Austrian privacy group has filed complaints against eight tech firms, including Apple Music and Amazon Prime, accusing them of failing to comply with the EU’s General Data Protection regulation (GDPR), the group announced on Friday.
The complaints, filed by the nonprofit noyb, allege that the firms failed to provide access to data as required under the GDPR, and demand penalties based on 4% of their worldwide revenue, the maximum allowed.
The group put "eight online streaming services from eight countries to the test — but no service fully complied," states Max Schrems, director of noyb.
Also named in the actions are Netflix, Spotify, YouTube, SoundCloud, Flimmit and DAZN.
Perhaps typical is the complaint against Apple.
It states that GDPR requires that controllers “disclose all data they hold” that could render individuals identifiable, including “cookies, online identifiers, tracking technologies, beacons, IP addresses, pixels tags or device identifiers,”
By failing to comply, Apple has “infringed the Complainant’s right of access,” the paper adds.
Specifically, Apple provided “no information” about the purposes of data processing or the recipients of the personal data, the complaint continues.
In addition, the firm failed to supply information about the right to rectify or erase personal data and the person’s right to lodge a complaint with supervisory authorities, noyb charges. Nor did it reveal the retention period for data or safeguards ifor sending data to third countries, in adds.
The complaint goes on to claim that Apple sent “raw data in a non-intelligible and machine readable format.”
In what appears to be an unintended irony, Apple CEO Tim Cook yesterday called for comprehensive data legislation in the U.S. In an essay in Time, he outlined these principals:
“First, the right to have personal data minimized. Companies should challenge themselves to strip identifying information from customer data or avoid collecting it in the first place. Second, the right to knowledge — to know what data is being collected and why. Third, the right to access. Companies should make it easy for you to access, correct and delete your personal data. And fourth, the right to data security, without which trust is impossible."
In Amazon’s case, the group says the firm also provided data in unintelligible form, almost two months after making the request.
Meanwhile, noyb demands that Apple be investigated to determine violations, and asks for a penalty of €8.02 billion, which it estimates as 4% of Apple’s worldwide revenue of $265.6 billion (around €200.5 billion).
In line with this formula, it demands a €6.31 billion penalty against Amazon Prime and a €3.87 billion penalty from YouTube. Netflix would be hit with a €415 penalty, Spotify with €163 million and SoundCloud with €20 million. No penalty is requested of Austria-based Flimmit.
Other legal actions are also pending against tech companies. In November, Privacy International filed complaints with Irish and French data authorities against Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax and Experian.
Here at Lolagrove,, we think the orders to cease are going to impact far more significantly than the penalties. The activists are baying for blood, and the crowds are gathering for the public floggings, but perhaps the more important impact will be the structural shifts required to meet cessation instructions.
Being given 30 day notice to change will strike the fear. 4% fines are not likely to be used within initial enforcement notices.
Like the tech firms didn't know about GDPR.