Risks of personal data collection with streaming services

Did you know that data collection by streaming services and their vendors happens automatically, without obtaining anyone’s consent?

Risk summary:

• Competitive sensitive and critical business data can be exposed. 
• Profiling and manipulation of persons and democratic processes.
• Exposed personal data causes reputational damage.
• Non-compliance with GDPR laws.
• Severe fines by data protection authorities.

Collection of IP-addresses

Even though you may have no requirements in collecting IP-addresses, your suppliers and their sub-suppliers are collecting IP-addresses. Whenever a user visits a webpage, or starts watching a stream or a video, all involved vendors log all requests in their access logs on their servers, including the users IP-addresses, which is personal data.

Logging is always on

Access logging is always on and cannot be disabled because logging is mandatory. This data must be saved for a certain amount of time, because of security regulations by law, for example, to analyse historic access to services out of malicious reasons. This means that personal data is stored and kept over time at various vendors and their sub-vendors. Please note that this data is not encrypted. 

Data ownership

By generating access logs, this data automatically becomes the ownership of the (sub)vendor. Because of their ownership, they are free to use this data. They can analyse it, feed it into AI’s, share it, and even sell it, including the IP-address personal data of your audience. The users have not given consent to this data collection. Note that cookies are not involved in this process, the personal data collection happens autonomously by all servers of all vendors.

Non-EU data locations?

Preferably all data is stored within the EU zone. However, when non-EU-owned vendors are involved, the data may also be stored outside of the EU zone. For example, Content Delivery Networks collect access logs from their decentralized edge servers and can store this data on central storage facilities outside the EU zone (sometimes with third-party cloud services such as Google), which is not compliant with the GDPR.

Non-EU access?

Making storage of data in the EU zone mandatory is a good idea, but it is not sufficient. Many vendors, cloud services and CDNs contract staff from all over the world. When non-EU citizens operate these services, they have access to this unencrypted data containing the personal data of your audience. They can be forced by their government to hand over the data to a country such as the US that does not protect personal data as required by the EU, breaking GDPR compliance.

Non-EU ownership?

Storing data within the EU and making sure that only EU-citizens have access to the data is also not enough. If there is a non-EU ownership link to the vendor, the vendor can be forced to hand over data to their government, even if there is an EU-sub company in between. This means that personal data of your audience can end up in the USA,  which breaks GDPR compliance.

Risks

• Personal data of viewers ends up in the systems of vendors and sub-vendors without your and their knowledge and consent.
• Personal data being exposed can severely hurt trust and brand reputation.
• The personal data can end up with unknown third-party vendors, competitors, hackers, security services and governments.
• The data of which of your content is being watched, by whom, for how long, at what time, with which browsers, devices, from which cities, regions, countries is logged in detail and can be of high value for competitors or anyone else seeking harm.
• Anyone with access to this data can combine the data with other datasets, and then find out who of your visitors has interests in specific products, services, political subjects, specific political interests, or belongs to a specific political group, and can then use this profiled data to manipulate the viewers and even democratic processes.
• Noncompliance with GDPR risks severe fines with data protection authorities.

Non-EU vendors in use?

Have you already analysed which vendors and subvendors are involved in your services? There is an easy way to find out for anyone. Just go to your website and inspect the page. Start a stream, and in the Sources and Network tabs you will see a list of suppliers involved. Sometimes you have to lookup the DNS names to find out which clouds and CDNs are involved. You will be surprised! How many non-EU vendors can you find?

All these services are automatically generating access logs containing the IP address personal data of your viewers.

Advise

We advise you to:

• Involve your Data Protection Officer and your country’s Data Protection Office to share these insights and ask for their consulting.
• Make a risk and GDPR compliance assessment.
• Update your purchasing requirements to mitigate the risks and for GDPR compliance.

Remarks:

1. The EU and the US have a transatlantic agreement on data sharing, which is being challenged at the EU court. Two former agreements were judged not to be compliant. There is a risk that the latest agreement also won’t hold in court since it does not protect the above-mentioned risks.
2. ISO data protection certification does not cover these risks.
3. Standard Contractual Clauses also do not offer enough protection against these risks.

What Jet-Stream does to protect your data and the audience

EU ownership

Legal: Jet-Stream is an EU company with no foreign ties.

EU operation.

Staff: Jet-Stream is operated by EU-only citizens.

EU soil.

Zones: Jet-Stream Cloud is hosted solely on EU-soil.

EU vendors.

Suppliers: Jet-Stream only uses EU owned, operated, and hosted infrastructure vendors. Optionally non-EU CDNs can be used for global performance.

EU technologies.

Technologies: Jet-Stream solely uses internally developed software and software from EU-only partners.

Data collection minimisation.

Jet-Stream minimizes data collection, for example by not using any trackers in the player. Analytics are based on secured and anonymised access log data.

Data ownership.

Jet-Stream does not claim ownership on data, transfers ownership to you, and does not share any data.

Data anonymisation.

Jet-Stream zeroes out IP-addresses before exposing data and analytics to you, effectively deleting personal data.

Privacy Innovations.

Jet-Stream’s contextual advertising service and AI replace 3^rd party cookie advertising services and yield higher commercial results.

Privacy awareness.

Jet-Stream routinely publishes insights and knowledge to the industry and the public.

Are you ready to make the switch to a streaming service that prioritizes your privacy? Then start your 30-day free trial with Jet-Stream and experience streaming the way it should be – safe, secure, and worry-free. Your data, your rules!