Spotify, the renowned music streaming platform, has been slapped with a fine of SEK 58 million (approximately $5.4 million) by Swedish authorities due to its failure to provide users with proper information on how their data is collected and handled.
The Swedish regulator found Spotify to be lacking in transparency regarding its handling of user data, thereby violating data protection regulations. This penalty follows allegations of breaching data access rights of users in the European Union (EU) by not fully disclosing personal data processing details in response to individual requests.
Spotify, though, has expressed its intention to appeal the decision.
A report by TechCrunch revealed that the complaint against Spotify was originally filed in Austria. This triggered the one-stop-shop mechanism of the EU’s General Data Protection Regulation (GDPR), resulting in the case being redirected to Sweden, where the company’s main EU establishment is located. A complaint on the same issue, filed in the Netherlands, was also consolidated into the Swedish case.
Privacy advocacy group Noyb, led by prominent privacy campaigner Max Schrems, initiated the complaint against Spotify and other major tech companies in early 2019. Noyb alleged that Spotify had failed to provide users with all requested personal data and neglected to disclose the purposes for processing such information.
The Swedish Authority for Privacy Protection (IMY) said it conducted an audit of Spotify’s handling of user data and concluded that while the company did provide users with their requested personal data, it did not offer clear and comprehensive information on how that data was used. The IMY emphasised the need for greater transparency from Spotify regarding the handling and purposes of individuals’ personal data. Insufficient clarity made it challenging for users to understand how their personal data was processed and to assess its lawfulness.
Under the GDPR, users have the right to be informed about the data a company holds about them and how it is being used. The IMY identified Spotify’s shortcomings in this regard, noting that the company had not provided sufficiently specific information about the use of personal data.
Karin Ekström, one of the legal advisors leading the supervision, stated that the information Spotify provides about the handling and purposes of personal data should be more precise. Furthermore, the IMY suggested that technical aspects of personal data, which are difficult to understand, should be explained not only in English but also in the user’s native language. The IMY acknowledged certain deficiencies in these areas.
The regulator emphasised that the identified shortcomings were considered to be of low severity, with the fine imposed taking into account Spotify’s large user base and revenue. Spotify, listed on the New York Stock Exchange, announced in April that it had surpassed 500 million monthly active users, including 210 million paying subscribers.
Spotify, however, rejected the IMY findings and stated in an email to AFP that it provides users with comprehensive information about the processing of personal data. The company acknowledged minor areas of improvement pointed out by the IMY but disagreed with the decision and plans to file an appeal.
Noyb, the privacy activist group behind the complaint, welcomed the decision but expressed frustration with the lengthy process, noting that it took over four years to reach a resolution. Stefano Rossetti, a privacy lawyer at Noyb, emphasised the need for the Swedish authority to expedite its procedures.
While litigation between Noyb and the Swedish data protection authority (IMY) is ongoing, the administrative court’s decision in November last year, which ordered the IMY to process and investigate the complaint, seemingly prompted the IMY to issue a decision in the interim.
Noyb confirmed that the IMY has now instructed Spotify to provide the complete set of data, but it reserves judgment on whether the authority has fulfilled all its requirements until it can thoroughly examine the decision.
As Spotify faces the repercussions of this fine, the case highlights the significance of transparency and adherence to data protection regulations for tech companies dealing with vast amounts of user data.