Cinemas and theatres are closed but the show must go on, as they say. And the show does go on. There is TV, of course, but also streaming services such as Netflix or Amazon.
Streaming services are slick and fun … and generate a lot of data about which movies or songs you consume, when and where. However, they are often sloppy in explaining to users what happens to that data, regardless of whether they are financed by advertising or by paid subscriptions.
The Austrian Chamber of Labour (Kammer für Arbeiter und Angestellte, short form Arbeiterkammer or AK) and noyb investigated the information practices of eight streaming services against the provisions of the General Data Protection Regulation (GDPR): Amazon Prime (music and video), Apple Music (music), DAZN (video), Flimmit (video), Netflix (video), SoundCloud (music), Spotify (music) and YouTube (video).
The GDPR requires providers to give information on the use of personal data and the data protection rights of users "in a precise, transparent, comprehensible, easily accessible form and in plain language".
The test shows that what happens to customer data often remains in the dark. AK and noyb assessed eleven requirements of the GDPR. The requirements and what we expected are listed below. All of the information elements are generally of equal importance.
Name and contact details of the controller
The name and contact details of the controller (i.e. the company processing the personal data), ideally covering different communication methods, such as phone number, email, postal address, etc. Looked at in light of the GDPR’s fairness principle, but also interpreted against Article 5(1)(c) of the E-Commerce Directive (2000/31/EC), we expected electronic contact details because the investigated services are digital in nature. Only providing a postal address would be insufficient and unfair in the context of a streaming service. We also believe that a mere online contact form is insufficient. For one, a form is a contact method and not a contact detail. For another, it artificially prevents the user from contacting the controller by a method of their choice.
Contact details of the Data Protection Officer
The contact details of the Data Protection Officer (DPO), where applicable (not all controllers are required to appoint a DPO). Providing the DPO’s contact details should make it easy for data subjects and the supervisory authorities to reach the DPO, e.g. via a postal address, a dedicated telephone number and/or a dedicated e-mail address. Looked at in light of the GDPR’s fairness principle, we expected electronic contact details because the investigated services are digital in nature. Only providing a postal address would be insufficient and unfair in the context of a streaming service. We also believe that a mere online contact form is insufficient. For one, a form is a contact method and not a contact detail. For another, it artificially prevents the user from contacting the DPO by a method of their choice.
Purposes and legal basis of the processing, linking each purpose with its respective legal basis and the processed categories of personal data, and stating what the legitimate interest is where relied upon as a legal basis
The purposes for which personal data are processed, as well as the relevant legal basis under Article 6 GDPR and, where special categories of data are processed, an additional legal basis under Article 9 GDPR. When the controller relies on legitimate interests as a legal basis for processing, it should also inform the data subject about the interests and be able to demonstrate that the processing is necessary and proportionate. We also assessed whether the controller linked each purpose to a legal basis and to specific categories of personal data. This requirement follows from the GDPR’s transparency obligations and is the only way for a user to actually control the controller’s processing activities.
Recipients of personal data
Recipients could be other controllers but also service providers. We expected the names of the recipients and the categories of personal data shared with each. At the very least, if for some reason all the recipients could not be named, we expected that the controller stated the categories of recipients and indicated the activities they carry out, their industry, sector and sub-sector, and their location.
Transfers outside the EU/EEA
In case of data transfers to countries outside the EU/EEA, the countries should be named and the safeguards relied upon (e.g. adequacy decision under Article 45 GDPR, standard contractual clauses, derogations, etc.) should be specified. Also, the controller should provide for the means to access or obtain the relevant documents.
Retention period
The retention periods should be specific for the category of personal data concerned, or, at the very least, should allow the user to assess the duration of the retention as it applies to them. If a controller stated that data are retained to comply with a legal obligation, we expected it to specify the legal obligation.
Information about GDPR rights
Information about the user’s rights to access, rectification, erasure, restriction of processing, objection to processing and portability, as well as the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority. Strictly speaking, it is not enough to merely inform about the existence of those rights; the controller should explain what the rights mean and how to exercise them. Also, the information on the right to lodge a complaint should explain that a complaint may be filed with the supervisory authority in the Member State of the user’s habitual residence, their place of work or the place of an alleged infringement of the GDPR.
Existence of automated decision making including profiling
A clear and plain explanation of how the profiling or automated decision-making process works. Additionally, the controller should inform about the significance and the envisaged consequences of such processing for the data subject.
Apple and YouTube were all "only partially" or "not satisfactory". Flimmit and SoundCloud scored the best, followed by Spotify. Of the 85 individual evaluations, 23 were “satisfactory”, 40 were “only partially satisfactory” and 22 “not satisfactory”.
In general, information was often unclear or simply not given. For example, retention periods were stated to be "as long as necessary", and services declared that "data may be passed on to third parties". Such empty phrases do not provide any concrete information on what actually happens to the personal data processed.
Regarding the transfer of personal data to recipients, a category a lot of users are curious about, only Flimmit stated which personal data is transferred to which category of recipients and for what purpose – though here, too, the specific recipients were mostly missing.
Another criticism is that there is often little information on how offers are personalised through individual recommendations. Only SoundCloud stated which data categories are used for this type of personalisation. One bright spot, though, was that all services, except for Apple, provided clear information that consumers can withdraw any granted consent.
In summary: Services mostly fail to comply with one of the GDPR’s most basic requirements - namely that users are informed about what happens to their data.
Around 92 percent of Austrians use streaming services on the net - on average for just under half an hour per day, young people already for about one and a half hours a day (statista.com 2018). These figures are likely very similar in other Member States. Netflix and Amazon Prime each have well over 150 million customers worldwide. Every interaction with the service can be recorded and analyzed to gain insights about the user. For example, might a sudden preference for melancholic music indicate a separation?
Read the full report in German here.
For more information by the Austrian Chamber of Labor (AK), click here
The non-profit association noyb is committed to the legal enforcement of European data protection laws. More than 3,200 supporting members make the work of noyb possible. To date, the NGO has already filed more than 25 proceedings for numerous deliberate violations of data protection laws - against companies that include Google, Apple, Facebook and Amazon.
For further information and media enquiries:
By e-mail: media@noyb.eu
By phone: +43 660 2678622