Austrian authority orders YouTube to honor data access request after 5-year case

After half a decade of proceedings, YouTube must provide complete data access including tracking information, storage periods, and data recipients within four weeks.


The Austrian Data Protection Authority (DSB) ruled on August 7, 2025, that Google's YouTube violated GDPR data access requirements. The platform must now provide full personal data access to a complainant whose request was inadequately handled for over five years. YouTube faces a four-week deadline to comply or face potential enforcement actions.

Google had initially responded to the October 2018 data access request by directing the user to download tools and privacy policies rather than providing personalized information. The complainant received files in technical formats like JSON and OPML that were deemed incomprehensible to average users. According to the official decision document, YouTube failed to provide critical information about data processing purposes, storage periods, data recipients, and tracking technologies.

The case began when noyb - European Center for Digital Rights filed complaints against eight streaming services on January 18, 2019. Google reCAPTCHA was ruled unlawful without consent by an Austrian court in a related privacy enforcement action this year, demonstrating increased scrutiny of Google's data practices across Austria.

The complainant had specifically requested copies of all personal data, including tracking information such as cookies and advertising profiles. Google's response provided only basic account data through its "Takeout" tool while withholding extensive categories of information that the company's own privacy policy acknowledged collecting.

According to the DSB decision, YouTube collected personal data through various tracking technologies including cookies, pixel tags, local storage, and server logs containing IP addresses, browser information, and unique identifiers. The authority noted that Google's privacy policy explicitly described collecting data from "publicly accessible sources" and "trusted partners" yet failed to specify which sources contributed to the complainant's data.

The complainant received eight files in different formats after logging into Google Dashboard on November 7, 2018. However, these files lacked essential accompanying information required under Article 15 GDPR. The authority determined that referring users to privacy policies and multiple online tools violated transparency requirements because such general information cannot substitute for personalized data access responses.

Martin Baumann, Data Protection Lawyer at noyb, stated that "a multi-billion-dollar tech company like Google rather engages in lengthy legal proceedings than to grant a user access to his personal data." The organization noted that Google "successfully delayed compliance with an access request for more than half a decade."

The decision emphasized that GDPR Article 15 establishes comprehensive access rights allowing individuals to understand data processing activities. This includes receiving copies of personal data alongside detailed information about processing purposes, recipients, retention periods, and sources. The authority rejected Google's argument that the request lacked sufficient precision, noting that users can demand complete data disclosure without limiting scope.

Technical format violations represented another significant aspect of the ruling. The DSB determined that JSON and OPML formats are designed for machine processing rather than human comprehension. Article 12 GDPR requires information delivery in "concise, transparent, intelligible and easily accessible form, using clear and plain language." Providing raw data in technical formats without explanation tools violates these transparency obligations.

The authority specifically addressed Google's portal system for data access. While acknowledging that download portals can satisfy GDPR requirements when properly implemented, the DSB found that systems requiring users to navigate multiple tools and contact support for missing information fail to meet Article 12's facilitation requirements. Complete data access must be centralized and comprehensive rather than fragmented across various interfaces.

Procedural delays characterized much of the case timeline. The DSB initially transferred the matter to Ireland's Data Protection Commission under the one-stop-shop mechanism on January 31, 2019. However, the Irish authority declared itself incompetent and returned the case to Austria on November 17, 2022, nearly four years later.

Google's legal team at Baker McKenzie argued that the complainant had not properly identified the data controller and that YouTube LLC was not the responsible entity. The authority rejected these procedural objections, determining that Google LLC was the clear data controller for YouTube services during the relevant period. The decision noted that users should not bear responsibility for navigating complex corporate structures when exercising fundamental rights.

The ruling addressed data controller identification challenges common with multinational technology companies. The DSB applied objective interpretation standards, emphasizing that users clearly intend to address the entity responsible for specific services rather than specific legal entities within corporate groups. Administrative courts have established that procedural objections cannot undermine substantive rights when user intent remains clear.

Processing purpose violations formed another core element of the decision. Google's privacy policy lists numerous potential processing purposes without specifying which apply to individual users. The Austrian Federal Administrative Court had previously established that Article 15 requires controllers to identify concrete purposes pursued for each complainant rather than providing general purpose lists. Multi-purpose processing requires clear specification of which data categories serve which purposes.

Storage period information presented similar deficiencies. While Google's privacy policy mentions that "some data can be deleted at any time, others are automatically deleted" and "still others can be stored longer," this generic language provides no meaningful insight into actual retention practices for specific users. The authority noted that without concrete retention information, users cannot verify storage limitation compliance or exercise deletion rights effectively.

Data recipients and international transfer information also failed GDPR standards. The Court of Justice established in case C-154/21 that controllers must identify specific recipients when known rather than providing generic recipient categories. The DSB expressed confidence that Google as a leading technology company can specify actual recipients for individual user data rather than listing broad recipient types.

The authority noted particular concerns regarding international data transfers given Google's global server infrastructure. The company's privacy policy acknowledges processing data "around the world" and mentions Privacy Shield frameworks, indicating third-country transfers. However, without specific recipient information, users cannot assess transfer safeguards or exercise related rights under Article 15(2) GDPR.

Cookie and tracking technology data presented another significant gap in Google's response. The company's privacy policy extensively describes cookie collection, advertising identifiers, and location data gathering yet provided none of this information to the complainant. According to legal commentary cited in the decision, access rights extend to all data rendering individuals identifiable, including cookies, online identifiers, and tracking technologies.

The decision highlighted broader enforcement implications for automated access systems. While large companies often implement automated tools for GDPR compliance efficiency, these systems must provide complete information rather than partial responses. The authority noted that automation cannot excuse incomplete compliance when companies possess comprehensive data about individual users.

YouTube now must provide complete access including processing purposes, data recipients, retention periods, data sources, international transfer safeguards, and copies of all personal data in comprehensible formats. The four-week compliance deadline reflects standard administrative enforcement timelines while allowing reasonable implementation time for comprehensive responses.

The ruling establishes important precedents for access request quality standards across the European Union. Privacy advocates filed GDPR complaints against major Chinese tech platforms for similar access violations, suggesting coordinated enforcement efforts against inadequate compliance systems.

Industry observers note the decision's significance for platform accountability measures. Google's Gemini app gained automatic Android access to phone and messaging data without explicit user consent in July 2025, demonstrating continued tensions between platform expansion and privacy rights.

Marketing professionals monitoring data protection developments should note the decision's emphasis on complete, personalized information rather than generic policy references. The ruling clarifies that privacy policies cannot substitute for individualized data access responses regardless of policy comprehensiveness or legal compliance.

The decision acknowledges Google's substantial organizational and technical capabilities while rejecting complexity as justification for incomplete responses. The authority noted that multinational technology companies possess sophisticated data management systems capable of comprehensive user data retrieval when properly implemented.

Google retains appeal rights to the Federal Administrative Court within four weeks of the decision. However, the company must comply with the access order during any appeal process unless suspension is specifically granted. The ruling's detailed legal analysis suggests limited grounds for successful challenge given extensive GDPR precedent supporting comprehensive access rights.

The case demonstrates noyb's strategic approach to privacy enforcement, targeting systematic compliance failures across major technology platforms. The organization has filed similar complaints against streaming services, social media platforms, and advertising technology companies to establish consistent enforcement standards across the digital economy.

The timeline reveals significant enforcement system challenges that may influence future regulatory approaches. Five-year resolution periods undermine the GDPR's fundamental premise that individuals can promptly access their data to exercise other rights such as rectification, erasure, or portability. Extended delays effectively nullify practical privacy protections regardless of ultimate legal victories.

Data protection authorities across Europe will likely reference this decision when evaluating similar access request complaints. The ruling's detailed technical analysis of acceptable data formats and response comprehensiveness provides clear guidance for both controllers and supervisory authorities implementing Article 15 requirements.

Summary

Who: The Austrian Data Protection Authority ruled against Google's YouTube platform following a complaint by noyb - European Center for Digital Rights on behalf of an individual user whose data access request was inadequately handled.

What: YouTube must provide complete personal data access including processing purposes, storage periods, data recipients, tracking information, and data sources in a comprehensible format rather than technical files and privacy policy references.

When: The August 7, 2025 decision concluded a case spanning five years and seven months from the original October 2018 access request, with YouTube receiving four weeks to comply with the comprehensive access order.

Where: Austrian Data Protection Authority issued the binding decision after the Irish Data Protection Commission returned jurisdiction to Austria in November 2022, establishing precedent applicable across European Union member states under GDPR consistency mechanisms.

Why: YouTube violated GDPR Articles 12 and 15 by providing incomplete data in incomprehensible technical formats while withholding critical information about processing purposes, retention periods, and recipients that users need to understand and verify lawful data processing activities.

PPC Land explains

Data Access Request: A fundamental right under GDPR Article 15 that allows individuals to obtain copies of their personal data and detailed information about how organizations process it. Data access requests serve as the foundation for exercising other privacy rights such as rectification, erasure, and portability. The YouTube case demonstrates how inadequate responses to access requests can effectively nullify these downstream rights, as individuals cannot exercise correction or deletion rights without first understanding what data exists and how it is processed.

Austrian Data Protection Authority (DSB): The national supervisory authority responsible for enforcing GDPR within Austria, possessing investigative powers, corrective authority, and the ability to impose administrative fines up to 4% of global annual turnover. The DSB's decision in this case establishes important precedent for access request quality standards across the European Union, particularly regarding technical format requirements and the inadequacy of privacy policy references as substitutes for personalized information.

Article 15 GDPR: The specific legal provision establishing comprehensive data access rights, requiring controllers to provide not only copies of personal data but also detailed information about processing purposes, recipients, retention periods, data sources, and international transfer safeguards. This article forms the cornerstone of GDPR transparency requirements, enabling individuals to understand and verify the lawfulness of data processing activities affecting them.

noyb - European Center for Digital Rights: A Vienna-based privacy advocacy organization founded by Max Schrems that strategically enforces GDPR through systematic complaint filing against major technology platforms. The organization's approach focuses on structural violations affecting millions of users rather than individual cases, leveraging Article 80 GDPR provisions that allow non-profit associations to represent data subjects in privacy enforcement proceedings.

Personal Data: Any information relating to an identified or identifiable natural person, including names, email addresses, IP addresses, cookies, location data, and behavioral patterns that can render individuals recognizable either alone or in combination with other data. The YouTube case clarified that technical identifiers like cookies and tracking pixels constitute personal data requiring full disclosure under access requests, contradicting platform arguments that such data falls outside GDPR scope.

Processing Purposes: The specific reasons why organizations collect and use personal data, which must be clearly communicated to individuals under GDPR transparency requirements. The Austrian authority emphasized that controllers cannot satisfy this obligation by listing general purposes from privacy policies but must specify which exact purposes apply to each individual user's data, particularly when processing serves multiple distinct objectives across different platform services.

Data Recipients: Third parties who receive personal data from the original controller, including subsidiaries, service providers, advertising partners, and government authorities. The Court of Justice ruling in C-154/21 established that controllers must identify specific recipients when known rather than providing generic categories, a requirement that major technology platforms often violate by offering vague descriptions of "trusted partners" or "affiliated companies."

Retention Periods: The length of time organizations store personal data before deletion, which must be disclosed to individuals under Article 15(1)(d) GDPR and cannot exceed what is necessary for the original processing purposes. YouTube's violation included providing only generic statements about data retention rather than specific timeframes for different data categories, preventing users from understanding when their information would be deleted or exercising erasure rights effectively.

Technical Data Formats: Machine-readable file formats like JSON and OPML that require specialized knowledge to interpret, which violate GDPR Article 12 requirements for information delivery in "concise, transparent, intelligible and easily accessible form." The decision established that providing raw data in technical formats without explanation tools or human-readable translations fails to meet legal transparency obligations regardless of data completeness or accuracy.

International Data Transfers: The movement of personal data from European Union member states to third countries, which requires specific safeguards and transparency obligations under GDPR Articles 44-49. Controllers must inform individuals about transfer destinations and protective measures, information that becomes particularly critical when data moves to countries without adequate data protection laws, such as the United States where many technology platforms maintain primary server infrastructure.