A non-profit organization, noyb, has launched a complaint with the Austrian government against Apple, YouTube, and several other major tech companies, saying they've failed to comply with the European Union's General Data Protection Regulation, or GDPR.
"Many services set up automated systems to respond to access requests, but they often don't even remotely provide the data that every user has a right to," said noyb chairman Max Schrems. The group tried to request private data from Apple, Amazon, Netflix, Spotify, and YouTube, but found that no company was fully compliant.
The GDPR took effect last May, and gives Europeans the right to access not just their own data but learn about its sources and destinations. When companies want to use data in new ways, they're obligated to ask for consent.
It's not yet clear how Apple is accused of violating GDPR standards. Failure to meet them, though, could potentially carry severe penalties, up to 4 percent of global revenues.
Apple has generally prided itself on its privacy policies, even putting up a billboard near the Las Vegas Convention Center during this month's Consumer Electronics Show. To comply with the GDPR the company launched online data request tools in E.U. countries, even bringing them to the U.S. despite no formal necessity.
noyb's Schrems is an experienced, well-known privacy activist, having launched a lawsuit against Facebook as far back as 2011, when he was still a student. In 2018 he took action against Google, Facebook, Instagram, and WhatsApp, saying they broke the law by making people accept prying terms of service.
4 Comments
'“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” Schrems said. “This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”' I did a data request and was exceedingly impressed with the sheer completeness of the data. I am wondering what proof he has as to what data is not provided. I am guessing ... NOT. Let's throw a fishhook out and see if we can collect some revenue for the social coffers.
This is a topic I actually know something about (with professional certifications).
I'm not kidding when I say that it's literally impossible for a large organization to be indisputably 100% compliant with GDPR. It is a massive law with very strict rules and extremely broad scope. The copy of the GDPR on my desk is over 200 (small) pages.
This is a regulation about the processing of personal data.
Personal data is defined as "any information related to an identified or identifiable natural person [meaning, not corporations] ... who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
"Processing" means "any operation ... which is performed on personal data, ... such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." [i.e., any conceivable thing that can be done with or to data.]
Following these definitions are 100 pages of proscriptions about what organizations shall and shall not do when "processing" personal data. For example, Article 6 says "Processing [of personal data] shall be lawful only if and to the extent that at least one of the following applies..." This is followed by a short list of 6 justifications, the broadest of which is "[Where] processing is necessary for the purposes of the legitimate interests pursued by the [company] or third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data."
So let's parse this for a minute. Personal data is literally anything about a person that can theoretically be identified (this includes web logs that include IP addresses, for example). In order to retain or do anything with this data it must be "necessary" for some valid business purpose. So a simple decision to keep web logs for, say, two years, for analytic purposes could theoretically be litigated as a violation of "data minimisation" rules, for example.
So having said all this, it's not a terrible law and its "heart" is in the right place, but news that a particular organization is accusing anyone of violating GDPR is about as meaningful as me complaining that you violated a driving law last year. It would be easy to find a justification to bring a case about any company that processes data about Europeans. Without specifics such a charge is completely meaningless.
While it was not the responsibility of the author of this article, I note that the outcomes of Schrems's various actions over the years are not mentioned, and I assume that is because they weren't successful (otherwise we likely would have heard of changes ordered by the various courts). At present, at least, this looks like a publicity stunt for the privacy group that is likely to go not much of anywhere in the courts without hard evidence.