We've written many times about privacy activist Max Schrems, who almost single-handedly brought down the silly privacy safe harbors between the EU and the US. Last year, we wrote about his newest project called noyb.eu, which stands for "None Of Your Business."
Last week, Schrems and noyb announced a big list of GDPR complaints filed in Austria, against basically every streaming media company, none of which -- they claim -- are in compliance with the GDPR. Schrems also provided everyone with a handy dandy chart showing the basic details of the results of the GDPR requests they made to eight different streaming platforms, where they fell down, and how much they might be on the hook for:
If you'd like to see the actual complaints, here they are for Amazon, Apple, DAZN, Flimmit, Netflix, Soundcloud, Spotify, and YouTube.
I have lots of thoughts about this, so let's list them out:
This demonstrates the near impossibility of complying with the GDPR: While I'm sure many will view this as a positive for the GDPR, in that Schrems is going after a bunch of big companies who many people love to hate, I'd argue that these complaints really show just how ridiculous the GDPR is in practice. At least with the larger companies on this list (Amazon, Apple, YouTube, Netflix, and Spotify) it is ridiculous to argue that any of them were deliberately avoiding the GDPR requirements. All of those companies have been well aware of the GDPR for years and spent the past few years spending many, many millions of dollars preparing for the GDPR. All have decently large teams focused on doing everything they can to comply, in part because of the possibility of massive fines if they fail.
The fact that those large companies, who have all the resources in the world, are still deemed by Schrems to fail on nearly every aspect of the GDPR suggests, pretty clearly, that it is nearly impossible for anyone to truly be GDPR compliant in any reasonable sense.
The nature of the complaints shows just how silly the GDPR continues to be: Taking the Apple Music complaint as an example, the company did allow noyb and its client to download all the data it had, but noyb is demanding significantly more information under the GDPR -- much of it is information that would effectively be impossible to provide in the first place. For example, the complaint notes that Apple didn't provide "information about the purposes of the processing." But... isn't that the kind of information that anyone signing up for Apple Music already knows about when they sign up? Apple is using your information to provide you access to music and to recommend other music to you. What good does it do to have that information need to be spelled out once again at a later date to avoid massive billion dollar fines?
The possible fines remain completely insane: Note the numbers on the "maximum penalty" associated with these complaints. Under the GDPR, a company can be fined either €20 million or 4% of annual global turnover whichever is greater. So those eye-popping numbers are basically that 4%. Remember, most of the companies here bent over backwards to try to comply, with most of them setting up useful systems that allow users to download all of their data, even if noyb didn't like the format that data was in. And yet they might still face billions in fines?
GDPR could destroy some of these companies: It is surprising to see two companies -- DAZN and Soundcloud -- not respond at all to these requests. Both of them are based in the EU (though DAZN may escape via Brexit shortly, but it operates in many EU countries). I would think, at the very least, these companies would have in place some method of responding to GDPR requests. Soundcloud, despite its level of popularity, has struggled even to stay alive -- and came very close to shutting down a year and a half ago before getting a last minute reprieve from some investors. Either way, the company is clearly struggling, and the fact that both of these company's "maximum" possible fines are €20 million suggests that this is "greater" than 4% of their annual turnover. In short, this is likely a crippling and possibly company-destroying amount for these smaller operations. I'm still surprised neither responded to the requests at all -- but it's going to be difficult for either to stay in business facing these kinds of headwinds thanks to the EU's overaggressive regulations.I'm sure that many don't seem to care that this might cause problems for these companies, or that it may be literally impossible to comply with these regulations. But we should all be concerned if regulations make it effectively impossible to be in business on the internet in the EU. We should be even more concerned that -- as many of us predicted -- regulations like the GDPR seem to have a high likelihood of completely destroying smaller players, like SoundCloud. The huge fines for the big companies are eye-popping and totally disconnected from any actual "harms," but most of those big companies can grudgingly afford to pay them. That seems unlikely for the smaller players meaning that -- once again -- the EU seems to be clearing the field of smaller internet companies, and leaving in place only the giants, from whom the government will just keep siphoning off cash.
One final point on all of this: I recognize that there are lots of legitimate concerns about privacy in this day and age -- and, in particular, how various data collection companies are using our private data. And I've long been on record that companies should be not just a lot more transparent about the data they collect and how they use it, but also should push control over that data out to the end users. But, looking over this list, none of these are companies that I'm particularly worried about concerning how they use my data. Yes, there are potential privacy concerns here, but the idea that SoundCloud or Spotify contains data so sensitive that they should be fined massive amounts for not making it "intelligible" just seems disconnected from any real harms and any real concerns.
Indeed, my concern with this type of litigation is that it actually waters down and distorts the real concerns we should be having over privacy in the internet era. Netflix not giving me all of the data on what I've been watching via streaming doesn't seem like a particularly big consumer concern -- and yet if it sucks all the air out of the room, it makes it that much harder to deal with real privacy questions raised by internet giants.