The first major new wave of privacy litigation has started in the EU – the “right to access.” Ten strategic complaints against eight companies from eight countries for 18.8 Billion Euros were filed by “noyb,” Max Schrems’ European non-profit organization for privacy enforcement, for alleged violations of Article 15 GDPR and Article 8(2) of the Charter of Fundamental Rights.
(Authors note: The right of access is a fundamental right in the California Consumer Protection Act of 2018 too.)
Under the Article 15 of the GDPR, a data subject has the right to access detailed information, including what a company knows about them, the purposes for which the information is used, to whom the information was or will be disclosed, how long the data will be stored, and where the data came from if not the data subject.
“noyb” contends that it tested eight video streaming companies, including Amazon, Apple, Spotify, Netflix and YouTube and all eight failed their test. Larger companies used automated systems to comply, but testing was alleged to discover that the “systems are built to withhold the relevant information.” Such an allegation of an intentional violation could result in a higher fine than an innocent mistake.
Many privacy professionals believe that the cornerstone of the GDPR data protection framework is Article 15’s right to know what information is held and how it is used because that is the only way a data subject can exercise many of their other rights – such as deletion or correction. Accordingly, these allegations will likely be taken very seriously.
The importance of this development to companies cannot be overstated. Plainly, compliance with Article 15, and its counterpart in the California Consumer Protection Act (Section 1798.110(b) and elsewhere), should jump to the top of the list of issues to be addressed. Do you know if your company is compliant?
Do you know if your company is compliant?