Privacy campaigner Schrems slaps Amazon, Apple, Netflix, others with GDPR data access complaints

European privacy campaigner Max Schrems has filed a fresh batch of strategic complaints at tech giants, including Amazon, Apple, Netflix, Spotify and YouTube. The complaints, filed via his non-profit privacy and digital rights organization, noyb, relate to how the services respond to data access requests, per regional data protection rules. Article 15 of Europe’s General […]

European privacy campaigner Max Schrems has filed a fresh batch of strategic complaints at tech giants, including Amazon, Apple, Netflix, Spotify and YouTube.

The complaints, filed via his non-profit privacy and digital rights organization, noyb, relate to how the services respond to data access requests, per regional data protection rules.

Article 15 of Europe’s General Data Protection Regulation (GDPR) provides for a right of access by the data subject to information held on them.

The complaints contend tech firms are structurally violating this right — having built automated systems to respond to data access requests which, after being tested by noyb, failed to provide the user with all the relevant information they are legally entitled to.

noyb tested eight companies in all, in eight different countries in Europe, and says it found none of the services provided a satisfactory response. It’s filed formal complaints with the Austrian Data Protection Authority against the eight, which also include music and podcast platform SoundCloud; sports streaming service DAZN; and video on-demand platform Flimmit .

The complaints have been filed on behalf of ten users, per Article 80 of the GDPR which enables data subjects to be represented by a non-profit association such as noyb.

Here’s its breakdown of the responses its tests received — including the maximum potential penalty each could be on the hook for if the complaints are stood up:

Two of the companies, DAZN and SoundCloud, failed to respond at all, according to noyb. While the rest responded with only partial data.

noyb points out that in addition to getting raw data users have the right to know the sources, recipients and purposes for which their information is being processed. But only Flimmit and Netflix provided any background information (though again still not full data) in response to the test requests.

“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrems in a statement. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”

We’ve reached out to the companies for comment on the complaints.

Last May, immediately after Europe’s new privacy regulation came into force, noyb lodged its first series of strategic complaints — targeted at what it dubbed “forced consent”, arguing that Facebook, Instagram, WhatsApp and Google’s Android OS do not give users a free choice to consent to processing their data for ad targeting, as consenting is required to use the service.

Investigations by a number of data protection authorities into those complaints remain ongoing.

LinkedIn cuts off email address exports with new privacy setting

A win for privacy on LinkedIn could be a big loss for businesses, recruiters, and anyone else expecting to be able to export the email addresses of their connections. LinkedIn just quietly introduced a new privacy setting that defaults to blocking other users from exporting your email address. That could prevent some spam, and protect […]

A win for privacy on LinkedIn could be a big loss for businesses, recruiters, and anyone else expecting to be able to export the email addresses of their connections. LinkedIn just quietly introduced a new privacy setting that defaults to blocking other users from exporting your email address. That could prevent some spam, and protect users who didn’t realize anyone who they’re connected to could download their email address into a giant spreadsheet. But the launch of this new setting without warning or even a formal announcement could piss off users who’d invested tons of time into the professional networking site in hopes of contacting their connections outside of it.

TechCrunch was tipped off by a reader that emails were no longer coming through as part of LinkedIn’s Archive tool for exporting your data. Now LinkedIn confirms to TechCrunch that “This is a new setting that gives our members even more control their email address on LinkedIn. If you take a look at the setting titled “Who can download your email”, you’ll see we’ve added a more detailed setting that defaults to the strongest privacy option. Members can choose to change that setting based on their preference. This gives our members control over who can download their email address via a data export.”

That new option can be found under Settings & Privacy -> Privacy -> Who Can See My Email Address? This “Allow your connections to download your email [address of user] in their data export?” toggle defaults to ‘No’. Most users don’t know it exists since LinkedIn didn’t announce it, there’s merely been a folded up section added to the Help center on email visibility, and few might voluntarily change it to ‘Yes’ since there’s no explanation of why you’d want to. That means nearly no one’s email addresses will appear in LinkedIn Archive exports any more. Your connections will still be able to see your email address if they navigate to your profile, but they can’t grab those from their whole graph.

Facebook came to the same conclusion about restricting email exports back when it was in a data portability fight with Google in 2010. Facebook had been encouraging users to import their Gmail contacts, but refused to let users export their Friends’ email addresses. It argued that users own their own email addresses, but not those of their Friends, so they couldn’t be downloaded — though that stance conveniently prevented any other app from bootstrapping a competing social graph by importing your Facebook friend list in any usable way. I’ve argued that Facebook needs to make friend lists interoperable to give users choice about what apps they use, both because it’s the right thing to do but also because it could deter regulation.

On a social network like Facebook, barring email exports makes more sense. But on LinkedIn’s professional network where people are purposefully connecting with those they don’t know, and where exporting has always been allowed, making the change silently seems surreptitious. Perhaps LinkedIn didn’t want to bring attention to the fact it was allowing your email address to be slurped up by anyone you’re connected with given the current media climate of intense scrutiny regarding privacy in social tech. But trying to hide a change that’s massively impactful to businesses that rely on LinkedIn could erode the trust of its core users.