Austria's data protection authority (DSB) has mandated that YouTube grant its users greater control over their personal data stored on the platform, enforcing EU regulations and marking a significant step for digital privacy. The decision follows a five-year legal battle initiated by privacy activists, highlighting the ongoing tension between user rights and the data practices of tech giants.

The Austrian ruling stems from a 2019 complaint filed by the Austria-based privacy group None of Your Business (Noyb) against eight streaming services, including YouTube and Netflix. Noyb alleged "structural violations" of the EU's General Data Protection Regulation (GDPR), arguing that these services were denying users access to their stored data and information about how it was being used. The specific complaint against YouTube was filed on behalf of an Austrian user.

The DSB confirmed it had issued a decision against Google LLC (YouTube) regarding the suit brought by Noyb. The regulator found that YouTube's initial response to the user's data access request in October 2018 was inadequate. Instead of providing personalized information, Google directed the user to download tools and privacy policies. The files received were in technical formats, such as JSON and OPML, deemed incomprehensible for the average user. The DSB decision stated that YouTube failed to provide critical information regarding data processing purposes, storage periods, data recipients, and tracking technologies.

Under Article 15 of the GDPR, companies are obliged to provide users with a copy of their personal data that has been processed, including details such as processing purposes, data retention periods, data sources, data recipients, and tracking cookies. The authority noted that Google's privacy policy explicitly acknowledged collecting personal data through cookies, pixel tags, local storage, and server logs containing IP addresses, browser information, and unique identifiers.

YouTube now has four weeks to comply with the decision, or it may face potential enforcement actions. However, Google also has the option to appeal the decision. Noyb has criticized the length of time it took the Austrian regulator to reach a decision, calling it a win but regretting the five and a half years it took to enforce a decision in what they described as a simple case. Noyb's lawyer, Martin Baumann, stated that the delays make it nearly impossible for users to exercise other rights, such as correcting or deleting their data.

The DSB's decision highlights broader implications for automated data access systems. While companies often use automated tools for GDPR compliance, these systems must provide complete information rather than partial responses. The authority emphasized that automation does not excuse incomplete compliance when companies possess comprehensive data about individual users. YouTube must now provide complete access, including processing purposes, data recipients, retention periods, data sources, international transfer safeguards, and copies of all personal data in comprehensible formats.

This ruling adds to the increasing scrutiny of Google's data practices in Austria. Earlier in the year, an Austrian court ruled that Google reCAPTCHA was unlawful without consent. Noyb has taken legal action against U.S. tech giants, including Meta and Google, often prompting regulators to enforce GDPR compliance and has filed more than 800 complaints in various jurisdictions on behalf of internet users.