Austria Orders YouTube to Grant Users Access to Their Personal Data

Austria’s Data Protection Authority has ruled against Google LLC and has ordered its subsidiary YouTube to comply with the European Union’s General Data Protection Regulation (GDPR). The authority has told YouTube to do so by granting users full access to the personal data the platform holds about them. The decision comes from a complaint that was filed in the year 2019 by the Vienna-based privacy advocacy group NOYB (None of Your Business), on behalf of an Austrian user who was denied access to their data. 

Noyb had accused YouTube, along with other streaming platforms like Netflix, of “structural violations” of GDPR. The group argued that these companies failed to respond adequately to user data access requests, even after various appeals. Under GDPR, individuals have the right to know what personal data is being collected, how it is processed, and for what purposes. This includes metadata, profiling information, and any data used for targeted advertising. 

The Austrian regulator confirmed the ruling on September 1, 2025, stating that YouTube must respond to such requests in full. Google now has four weeks to comply with or appeal the decision. NOYB welcomed the outcome as a “win” for digital rights but also criticised the lengthy delay. The group noted that it took five and a half years for the regulator to act. “Making an access request should enable users to exercise rights such as erasure or correction,” the group said, “but delays make that impossible.”

 This case highlights the growing tension between tech platforms and European regulators over data transparency and user control. GDPR has been in force since 2018, but when it comes to enforcement, it often lags. This is especially true in cross-border cases that involve U.S.-based companies. Noyb has filed over 800 complaints across jurisdictions and has targeted tech giants like Meta and Google so that they can comply strongly with the regulations.   

📰 Mini Headlines ――――――――――――――――――――――――――――――  

OpenAI to Build 1-Gigawatt AI Data Centre in India Under $500B Stargate Initiative 

OpenAI has announced plans to establish a 1-gigawatt data centre in India. It ranks among the most significant worldwide artificial intelligence infrastructure initiatives. The project is part of OpenAI's $500 billion Stargate plan, which aspires to expand computer capacity for sophisticated AI models. Chosen for its regulatory fit, digital expansion, and competent workforce, India is now OpenAI's second-biggest user base. The facility will comply with India’s Digital Personal Data Protection Act, 2023, and will also ensure local data residency and privacy safeguards. 

Data Centre Read More → https://opentools.ai/news/openai-to-launch-massive-1-gigawatt-data-center-in-india-why-it-matters    

The Ministry of Electronics and Information Technology (MeitY) and the Competition Commission of India (CCI) held a joint meeting to discuss regulatory challenges brought about by the Digital Personal Data Protection Act, 2023 (DPDP Act). Officials had a discussion on how privacy and competition law intersect, especially in digital markets where data is a regulatory problem as well as a strategic asset. Strong protections for data fiduciaries are demanded by the DPDP Act, which has drawn more than 6,900 public comments on its draft rules. The CCI advocated for coordinated enforcement to stop data dominance abuse while also promoting innovation. To guarantee regulatory consistency and safeguard consumer rights in India's developing digital economy, both organisations promised ongoing cooperation.  

DPDP Act Read More →  https://ommcomnews.com/india-news/cci-ministry-of-electronics-it-take-stock-of-challenges-in-data-protection/   

The California Privacy Protection Agency (CPPA) has approved new regulations under the California Consumer Privacy Act (CCPA). The Act introduces mandatory disclosures for automated decision-making, risk assessments, and cybersecurity audits. Businesses must now inform consumers about the logic and impact of AI systems and offer opt-out rights for significant decisions made by such technologies. Risk assessments are required for sensitive data use and must be updated every three years. High-risk processors must conduct annual cybersecurity audits aligned with NIST standards.  

AI and Cybersecurity Read More →   https://www.mondaq.com/unitedstates/privacy-protection/1672486/california-finalizes-new-ccpa-regulations-what-businesses-need-to-know     

Thailand’s PDPC Issues THB 14.5M in Fines for Data Privacy Breaches 

Thailand’s Personal Data Protection Committee (PDPC) has imposed fines totalling THB 14.5 million (approx. USD 448,000) across five cases for violations of the Personal Data Protection Act, 2019. Offenders included both public and private entities. They are penalised for inadequate security measures, failure to notify breaches, and non-compliance with Data Protection Officer requirements.  

Data Privacy Breach Read More →   https://www.lexology.com/library/detail.aspx?g=ab5f00f1-f545-4622-97bd-8c65105d26cb