23 Jan 2019

YouTube, Netflix and Others Accused of GDPR Violations

Friday is widely regarded as a day marked by joy and happiness. However, last Friday did not produce such emotions for data protection officers working in the online streaming services (“OSS”) industry, that is in Amazon, Apple, DAZN, Flimmit, Netflix, SoundCloud, Spotify and Youtube.

Namely, the Austrian campaign group None of Your Business (“NOYB”) filed 10 complaints with the Austrian Data Protection Authority and asked for an investigation of an alleged breach of Article 15 of the General Data Protection Regulation (“GDPR”). NOYB accused OSS for violating the “Right to access by the data subjects” (which provides that the data subject shall have the access to personal data and to information, such as the purpose of processing, the categories of personal data concerned, the recipients of data, the time period during which the data will be stored or the source of data) by failing to deliver basic information, e.g. how they buy and sell user data. Taking into consideration that the GDPR foresees a maximum penalty of EUR 20 million or 4% of total worldwide annual turnover, the total amount to be paid by OSS could reach as much as EUR 18.8 billion.

The complaints came as a result of a test conducted by NOYB, in which it was found that none of the above-mentioned OSS fully complied with the requirements of Article 15. Moreover, the breaches were characterized as structural, meaning that, in contrast to those conducted by small companies which handle requests manually, they ensued from the usage of automated systems which are said to provide all the relevant information. Max Schrems, the director of NOYB and a man who spent his twenties chasing down Facebook, eventually winning a major case in front of the European Court of Justice, explained:

Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information”.

The test included 10 citizens filing requests concerning their personal data with OSS. As the results demonstrate, apart from DAZN and SoundCloud, who haven’t responded whatsoever, all the other OSS delivered some raw data which lacked background information, such as sources or recipients of data, or data on the retention period. Often, the data was delivered in a cryptic form, which made it increasingly difficult or even impossible for an average user to understand. For example, YouTube, the website where you can find an almost unlimited number of cat videos (the first one supposedly dating from 1894), delivered certain files in .opml and .json format. Finally, in some occasions, certain types of raw data were also missing. This was the case with a company whose Chief Content Officer once claimed (Spoiler alert!) that broadband caps and excessive overage fees in Canada are “almost a human rights violation“.

Relevance for Serbian Companies

Apart from being obliged to comply with the GDPR when dealing with data subjects residing in the EU, Serbian companies will soon have to comply with the same standards when processing data of Serbian data subjects. The New Act on Personal Data Protection (“PDPA”) which came into force on November 21, 2018 is for the most part based on the GDPR – the right to access by the data subjects included.

The Serbian counterpart of Article 15 of the GDPR is Article 26 of the PDPA, which essentially provides the same rights for data subjects. Bearing this mind, Serbian companies will have to establish mechanisms to deliver data and information to data subjects in an efficient and effective manner.

The PDPA provides for a 9-months adaptation period during which Serbian companies must comply with its requirements. The GDPR related developments are of great significance in this regard, since the enforcement of new data protection rules in Serbia will most likely seek to look up to examples from the EU.