Spotify, the popular music streaming platform, was issued an administrative fine of SEK 58 million (approx. $5.4 million) in Sweden on Tuesday for breaching the data access rights of its users in the European Union.

Under the General Data Protection Regulation (GDPR), which came into force in 2018, users have the right to access: they have a right to find out what personal data a business handles about them and to receive information about how this data is used.

However, during its audit, the Swedish Authority for Privacy Protection (IMY) found Spotify guilty of violating Article 15 of Europe’s GDPR. It found that Spotify releases the personal data the company processes when individuals request it, but does not offer clear and comprehensive information on how the data collected on them is used by the company.

The IMY emphasized that Spotify should be more transparent “about how and for what purposes individuals’ personal data is handled.” The lack of clarity made it challenging for users to understand how their personal data was processed and to assess whether the handling of their personal data was lawful.

“The Swedish Authority for Privacy Protection (IMY) has investigated Spotify’s general procedures for handling access requests and has found some shortcomings related to the information that should be provided to the individual making the request pursuant to article 15.1 a-h and 15.2 of the GDPR and in relation to the description of the data in the technical log files provided by Spotify. IMY has issued an administrative fine of SEK 58 million against Spotify for not providing sufficiently clear information to individuals in this regard. The decision includes violations of articles 12.1, 15.1 a-d, g and 15.2 of the GDPR,” the regulator said in a statement.

“IMY’s investigation has also encompassed an investigation of what has occurred in three different complaints and here IMY found that Spotify had failed in its handling of requests for access related to two of the complaints examined. The decision in this part includes violation of articles 12.1, 12.3, 15.1, 15.3 and 15.1 a-h and 15.2 of the GDPR. In relation to these infringements IMY issues a reprimand.”

The regulator also said that the identified shortcomings were considered to be of “a low level of seriousness,” with the fine imposed taking into account Spotify’s revenue and number of users.

Since Spotify has users in many countries, the above decision has been made in cooperation with other data protection authorities in the EU.

The ruling against Spotify comes more than four years after a complaint was lodged against the music streaming platform by the non-profit privacy and digital rights organization noyb at the start of 2019.

In the complaint filed by noyb, the organization alleged that Spotify failed to provide users with all requested personal data, information as to their source, recipients of personal data, or details on international data transfers under Article 15 GDPR.

The original complaint was filed in Austria, but the case was sent to IMY as Spotify was based in Sweden. Also, a complaint related to the same issue, filed in the Netherlands, was combined into the Swedish case. However, the cases languished with IMY for four years.

As a result, on June 22, 2022, noyb filed litigation against the IMY before the Swedish courts over the lack of a decision. Finally, more than four years after the case was originally filed, IMY ordered Spotify to provide the full set of data to the complainant under Article 58(2)(c) GDPR.

“We are glad to see that the Swedish authority finally took action. It is a basic right of every user to get full information on the data that is processed about them. However, the case took more than 4 years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures,” Stefano Rossetti, a privacy lawyer at noyb, said in a statement.

Spotify has rejected the IMY findings and plans to file an appeal in response to the EU’s GDPR fine.

“Spotify offers all users comprehensive information about how personal data is processed. During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal,” the company said in a statement.

When asked whether Spotify is changing its protocol for responding to user data access requests in light of the IMY sanctions, a Spotify spokesperson said that the company has nothing to confirm at the moment. However, they did mention that the company is continuously reviewing and improving the process to enhance transparency.

