Live

A case that took five years

At the end of August 2025, Austria’s data protection authority (Datenschutzbehörde, DSB) ordered YouTube to give users full access to the personal data the platform processes. The decision came from a complaint filed back in 2019 by the NGO Noyb — founded by privacy activist Max Schrems — known for taking on tech giants in strategic GDPR lawsuits. The complaint targeted eight major platforms, including Netflix, Amazon, Apple Music, and Spotify.

The central issue? YouTube’s failure to properly respond to users’ data access requests, which are clearly outlined in Article 15 of the GDPR. Even though this article gives people the right to a copy of all their personal data, the Austrian authority said YouTube fell far short.

Noyb’s “bittersweet victory”

While Noyb called the ruling a win, it also expressed frustration: it took five years to get here. That delay, they argued, makes rights under the GDPR feel almost useless. As lawyer Martin Baumann put it: “If accessing your own data takes over five years, exercising any other rights becomes practically impossible.”

Noyb also accused Google, YouTube’s parent company, of deliberately dragging out the process by insisting that the case should fall under Ireland’s Data Protection Commission (because Google’s European HQ is in Dublin). This tactic reflects a bigger problem in the EU: when multiple national regulators are involved, cases often get stuck in endless disputes.

No fine – but why?

One surprising twist: Austria’s decision didn’t include a fine for YouTube. That’s unusual, since other companies have faced multi-million-euro penalties for similar GDPR breaches.

Critics argue that without financial sanctions, the system loses its “deterrent effect.” If global corporations know they can delay cases for years and avoid fines, users’ rights risk becoming purely symbolic.

New EU rules: real fix or just a patch?

In 2025, the European Parliament and the Council agreed on new rules designed to speed up cross-border GDPR cases. The aim is to stop companies from exploiting gaps between national authorities.

But Noyb isn’t convinced. The group says the reforms don’t solve the bigger issue: the imbalance between individual citizens and tech giants with huge legal teams. Unless enforcement becomes quicker and stronger, the right to access your data risks remaining a “formal right without real meaning.”

Data access: a fundamental right or an illusion?

The Austrian ruling highlights a deeper question: is the right to access your personal data truly guaranteed — or just an illusion?

In theory, this right is central to GDPR. It doesn’t just let you see what information companies hold on you — it also makes other rights possible, like correcting, deleting, or limiting how your data is used. Without access, those other rights are meaningless.

But if cases drag on for years and regulators avoid imposing fines, citizens may feel powerless against platforms with global reach and endless resources.

Why it matters to you?

The YouTube case in Austria isn’t unique — it’s part of a much bigger trend. Even the strongest laws, like GDPR, won’t protect people’s rights if enforcement is slow and consequences are weak.

Access to your personal data isn’t just a legal phrase. It’s the foundation of digital privacy in Europe. And if this foundation cracks, so does the trust that EU citizens — especially young people growing up online — can have in the system that’s supposed to protect them.

Napísal

Formujte konverzáciu

Chcete k tomuto príbehu niečo dodať? Máte nejaké nápady na rozhovory alebo uhly pohľadu, ktoré by sme mali preskúmať? Dajte nám vedieť, ak by ste chceli napísať pokračovanie, protipól alebo sa podeliť o podobný príbeh.

Napíšte článok s protiargumentmi Napíšte súvisiaci článok