European privacy campaigner Max Schrems has filed a fresh batch of strategic complaints at tech giants, including Amazon, Apple, Netflix, Spotify and YouTube.
The complaints, filed via his nonprofit privacy and digital rights organization, noyb, relate to how the services respond to data access requests, per regional data protection rules.
Article 15 of Europe’s General Data Protection Regulation (GDPR) provides for a right of access by the data subject to information held on them.
The complaints contend tech firms are structurally violating this right — having built automated systems to respond to data access requests which, after being tested by noyb, failed to provide the user with all the relevant information to which they are legally entitled.
Indeed, noyb tested eight companies in all, in eight different countries in Europe, and says it found none of the services provided a satisfactory response. It’s filed formal complaints with the Austrian Data Protection Authority against the eight, which also include music and podcast platform SoundCloud; sports streaming service DAZN; and video on-demand platform Flimmit.
The complaints have been filed on behalf of 10 users, per Article 80 of the GDPR, which enables data subjects to be represented by a nonprofit association such as noyb.
Here’s its breakdown of the responses its tests received — including the maximum potential penalty each could be on the hook for if the complaints stand up:
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Two of the companies, DAZN and SoundCloud, failed to respond at all, according to noyb, while the rest responded with only partial data.
Also, noyb points out that in addition to getting raw data, users have the right to know the sources, recipients and purposes for which their information is being processed. But only Flimmit and Netflix provided any background information (though again, still not full data) in response to the test requests.
“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrems in a statement. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
We’ve reached out to the companies for comment on the complaints. Update: Spotify told us: “Spotify takes data privacy and our obligations to users extremely seriously. We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant.”
Last May, immediately after Europe’s new privacy regulation came into force, noyb lodged its first series of strategic complaints — targeted at what it dubbed “forced consent,” arguing that Facebook, Instagram, WhatsApp and Google’s Android OS do not give users a free choice to consent to processing their data for ad targeting, as consenting is required to use the service.
Investigations by a number of data protection authorities into those complaints remain ongoing.
