Austrian privacy activist Max Schrems has spearheaded the filing of GDPR complaints against 8 companies. His non-profit, noyb, says they failed to comply with key parts of the Article 15 legislation. This includes missing required information, taking too long to respond, or providing intelligible data.

The companies in question include Amazon, Apple Music, Netflix, SoundCloud, Spotify, YouTube, Filmmit, and DAZN. They exhibited various degrees of compliance, with SoundCloud and DAZN completely failing to respond.

If enforced, the companies may have to pay a combined maximum fine of over €18.8 billion ($21.3 bn). As GDPR violations can take the form of 4% of global revenues, Apple would be hit the hardest, with a maximum fine of €8.02 billion ($9.13 bn).

The news comes as Apple CEO Tim Cook calls for the US government to double down on privacy legislation.

“In 2019, it’s time to stand up for the right to privacy—yours, mine, all of ours,” said Cook in a  op-ed in Time. “Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives.”

Background Is Essential

Schrem’s team found that Apple provided only partial raw data, with part of it unintelligible, and didn’t provide any background information. Like other tech giants, Apple has an automated download system which Schrems says was not sufficient.

Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrems in a noyb blog post. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”

noyb did not request a penalty from Filmmit, which was only partially missing some background information. The complaints are filed on behalf of ten users in Austria, which will now have to coordinate with relevant authorities.

All eight companies were missing in some form background information relevant to the user. This includes stats like who the data was shared with, sources and recipients, and how long the data is stored.

Schrems entered the public eye when he took legal action against Facebook in 2011. After various rejections, is case entered the Court of Justice of the European Union, where he later argued the Safe Harbor privacy principles violated his fundamental human rights.

In 2015, the Safe Harbour agreement was classed as invalid, allowing for government interference. In 2016, a new EU-US Privacy Shield framework was established.