Skip to main content

GDPR complaints say Amazon, Spotify, and other streaming companies are breaking EU law

GDPR complaints say Amazon, Spotify, and other streaming companies are breaking EU law


Privacy activists filed the complaints

Share this story

Illustration by Alex Castro / The Verge

A series of complaints brought under Europe’s General Data Protection Regulation (GDPR), filed by an Austrian privacy activist, accuse eight major streaming companies of failing to comply with European Union law.

GDPR, which went into effect last year, created a set of strict privacy rules around when data can be gathered and shared. Already, tech giants like Google and Facebook have faced questions about whether some of their practices align with the law.

Group asked eight streaming providers for data

The latest challenges have been filed by the privacy group noyb, led by activist Max Schrems. Under GDPR, consumers are allowed to request data that companies hold on them. As a test, noyb says it asked eight major streaming media providers, including YouTube, Netflix, Spotify, Apple, and Amazon, to provide consumer data.

But the companies, noyb argues in its complaints, failed the test. SoundCloud and UK sports streaming service DAZN failed to provide the data, while six other companies did not provide adequate data under the law, noyb says. In most cases, the complaints argue, the companies failed to provide relevant background information meant to help consumers understand how their data is used, even though that information is required.

The complaints were filed with the Austrian Data Protection Authority, and they will likely be sharply defended by the tech companies. The penalties for GDPR violations are up to 4 percent of global turnover, a potentially major hit. Schrems also filed GDPR complaints last year against Google and Facebook.

"Spotify takes data privacy and our obligations to users extremely seriously," Spotify said in a statement. "We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant."

“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” Schrems said in a statement. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with.”

Update, 8:50 AM ET: Includes statement from Spotify.