From fan mailing-lists to streaming services’ handling of listener data, the music industry is already well aware of the importance of the European General Data Protection Regulation (GDPR). Now music services including Spotify, Apple Music, SoundCloud and YouTube are being challenged about whether they’re meeting the requirements of the legislation.
That challenge comes from nonprofit privacy-rights group NOYB, whose leader Max Schrems has been a thorn in Facebook’s side for years over data-privacy issues. His latest study widens the net to other technology companies and digital services. It tests whether they are meeting GDPR requirements to provide users the “right to access” all the raw data that a service holds about them.
According to NOYB, none of the tested services (which also include Amazon Prime and Netflix) passed the test with a clean bill of health. “Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrebs in a statement. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
SoundCloud is criticised for not responding to NOYB’s request at all, while the other companies fell short in terms of the intelligibility of their data, as well as what background information was provided with it. NOYB has now filed complaints with the Austrian Data Protection Authority against eight companies, noting that the maximum penalties (based on GDPR-set figures of €20m or 4% of a company’s global turnover) of €163m for Spotify, €3.87bn for YouTube and €8.02bn for Apple Music – this is based on the parent company’s revenues, not on those of its music-streaming service.
Spotify has put out a statement in response: “Spotify takes data privacy and our obligations to users extremely seriously. We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant,” said its spokesperson. Based on Schrems’ past persistence (and success) in challenging Facebook, it seems clear that Spotify’s claim – and the policies of the other companies mentioned – will need to stand up to further scrutiny in the weeks and months ahead.