The world’s biggest streaming services — from Netflix and YouTube to Apple Music and Spotify — are all breaking European privacy law, according to a volley of complaints launched Friday by a leading campaigner and his organization.
Streaming services typically make great use of their users’ data, in order to generate recommendations, learn about general tastes and sell advertising. If all the companies are found to have been violating the EU General Data Protection Regulation, by not revealing to users all the information they’re obliged to, they face fines to a total theoretical maximum of €18.8 billion ($21.4 billion.)
As a mere law student, Austria’s Max Schrems managed to sink the U.S.’s crucial “Safe Harbor” data-sharing deal with the EU, and he’s still threatening its successor, “Privacy Shield.” Last year, he and his NOYB (“None Of Your Business”) group also whacked Google, Facebook, WhatsApp and Instagram with complaints about their alleged violation of the GDPR, minutes after the law came into effect.
Now Schrems and NOYB have turned their attention to eight streaming services, namely: Amazon Prime, Apple Music, Netflix, SoundCloud, Spotify, YouTube, Austria’s Flimmit and the U.K.’s DAZN.
The issue is Article 15 of the GDPR, which gives people wide-ranging rights to demand their data from online services that hold it, along with information about: why it’s being processed, where it’s going, how long it’s being stored for, the existence of automated decision-making based on that data, and more.
In short, none of the above-named services give users all the data that’s required by the law. Some are better than others — YouTube and Flimmit at least provide intelligible data, while SoundCloud and DAZN simply ignored access requests — but all fail to provide everything that’s needed. If NOYB’s complaints to the Austrian data protection authority pan out, there could be fines on the horizon to the tune of up to €20 million ($22.8 million) or 4% of global revenues.
“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrems. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
NOYB made the complaints on behalf of 10 users — the GDPR allows non-profit organizations to do this, as they have the legal expertise that regular people lack.
“Spotify takes data privacy and our obligations to users extremely seriously,” the music-streamer said. “We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant.”
Amazon provided a statement reading: “Protecting the privacy of our customers is always a top priority and has been built into our services for years. We have introduced a new Privacy Help page that shows customers how they can easily manage and access their information across our retail, entertainment services, and devices, as well as centralized privacy settings for Alexa that give customers control over their data. We comply with any request from a data subject to provide access to the personal data that Amazon is processing.”
None of the other companies involved have thus far responded to Fortune‘s requests for comment.
This article was updated to include Spotify and Amazon’s statements.