Entertainment streaming giants including Amazon, Apple, Google, Netflix and Spotify have been accused of breaking the EU’s data regulations.
General Data Protection Regulation (GDPR) rules say EU customers have the right to access a copy of the personal data companies hold about them.
However, privacy group noyb said it found that most of the big streaming companies did not fully comply.
It has filed formal complaints, which if upheld could result in large fines.
What’s the problem?
GDPR took effect in May 2018 and gives EU customers the right to demand a copy of their personal data from companies. That data must be easy to understand and should also be presented in a machine-readable format, so that a customer could transfer all their data to a competitor, for example.
When GDPR took effect, many of the biggest names in tech including Amazon, Apple, Google and Spotify made changes, to let customers download a copy of their data.
But the privacy campaign group noyb, whose slogan is “My Privacy is none of your Business”, said it found many of the biggest services did not do enough to comply with the law.
What did they find?
Individuals working with noyb requested a copy of their data from several movie and music streaming services.
They found Amazon, Apple, Spotify and Google’s YouTube all let people download a copy of their personal information quickly. But noyb said that only some of the data was “intelligible”, with some parts supplied in a format that could not be understood by people.
The GDPR requires the data to be both machine-readable and easily understood by customers.
All four streaming giants also failed to supply additional information to which people are entitled, such as a list of other companies with whom their data was shared.
Netflix supplied the requested data in a format that was easy to understand, but did not supply all the additional information and took about 30 days to reply.
Soundcloud and UK-based streaming service Dazn did not reply to the information requests at all.
Privacy activist Max Schrems, diector of noyb, said: “In most cases, users only got the raw data, but, for example, no information about who this data was shared with.
“This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
Noyb said it had filed 10 complaints with Austria’s data protection regulator.
The maximum penalty for a breach of the GDPR is 20 million euros (£17.7m) or 4% of a company’s global turnover.
In theory, Apple could be fined £7bn if the regulatory authority rules that it has broken the law.
The BBC has contacted the named companies for comment.
Spotify said in a statement: “Spotify takes data privacy and our obligations to users extremely seriously. We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant.”