Swedish music streaming platform Spotify has been fined about $5.4 million in Sweden for violating data access rights of European Union (EU) users.
The complaint was first filed in early 2019 by noyb, a nonprofit dedicated to privacy rights. The complaint alleges that Spotify failed to fulfill all requests for personal data, failed to disclose the purpose and recipients of data processing, and failed to provide information about international money transfers.
The complaint was originally filed in Austria, but due to the GDPR’s one-stop-shop mechanism designed to streamline cross-border litigation processing, the litigation was transferred to Sweden, where Spotify maintains its main EU presence. It was decided.
But Noyve argues that the complaint remained unresolved for several years because Swedish authorities conducted a separate investigation without involving the plaintiffs. This measure contradicts the GDPR requirement that the data controller respond to access requests within one month of her.
In the absence of a decision, noyb filed a lawsuit with the Swedish Data Protection Authority (IMY). Last year, noyb successfully challenged IMY’s position that the complainant was not a party to the proceedings. The Stockholm Administrative Court ruled that the complainant has the right to seek a decision within six months of filing the complaint.