"As the DSGVO provides as punishment 20 million euros or 4% of global sales, the theoretical maximum penalty for the 10 complaints could be 18.8 billion euros," says Noyb.
Complaints about "right of access" to violations
The "right of access" grants all EU citizens the right to obtain a copy of all raw data owned by a company about the user, as well as additional information about the sources and recipients of the data and the purpose for which the data is available or information about the countries where the data is stored and how long it has been stored. "
After examining the right of access to compliance for the eight companies, noyb stated that none of the eight streaming companies fully complied with Schrems, saying that they all had "structurally violated" EU data protection laws.
According to the director of Noyb:
Many services set up automated systems to respond to access requests, but they often do not even provide the data every user has a right to access. In most cases, users only received the raw data, but no information about who shared that data. This leads to structural violations of user rights, as these systems serve to retain the relevant information.
Of all the streaming services addressed during the noyb test, DAZN and SoundCloud were the only ones that completely ignored the data requests.
Those who responded either provided incomplete or incomprehensible data, as was the case with the raw data and background information for the user, or were completely absent, since only Netflix and Flimmit were able to provide partial background information to the user in their responses.
Table of all complaints submitted against the eight online streaming services
As Schrems points out in the complaints, the four companies breached Article 7 (4) because they did not provide users with individual consent for data processing.
Several other top-class companies for which GDR complaints were submitted
In November 2018, Google was accused of GDPR complaints by several consumer groups, according to the European Consumer Organization, due to misleading practices in determining the location of users.
Also in November, Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax and Experian were the subject of a DSGVO complaint filed by the Privacy International User Group, collecting millions of users' data and creating user profiles.
Twitter was also investigated by the Irish Data Protection Commission (DPC) in October 2018 after data protection researcher Michael Veale of University College London filed a complaint in August for refusing to reply to a link tracking request.
[UPDATE] Today we filed a wave of complaints against 8 streaming services @netflix, @Spotify, @daznglobal, @youtube or @AppleMusic about structural violations of the #RightToAccess under #GDPR
⏩ Press release: https://t.co/wlpfDJuOMJ pic.twitter.com/0EBqPgv4rw
- noyb (@NOYBeu) 18 January 2019