General Data Protection Regulation (GDPR), standards, regulations and compliance
Online music streamers to appeal Swedish data protection authority’s decision
Akshaya Asokan (asokan_akshaya) •
June 13, 2023
Sweden’s privacy regulator has ordered Spotify to pay 5 million euros for failing to do enough about how the music streaming service uses consumer data.
The Swedish Privacy Agency (IMY) on Tuesday imposed a fine of Swedish kroner 58 million in a statement that Spotify should be more specific about how and for what purpose it collects personal data.
The fines are the result of a four-year investigation by the agency based on complaints from the Austrian privacy activist group NOYB and others that invoked provisions of the General Data Protection Regulation regarding individual rights to access personal data.
In an emailed statement, Spotify said its investigation found “only a few areas of our processes” to be inconsistent with GDPR. “Spotify provides all users with comprehensive information about how their personal data is processed,” said a spokesperson. “We do not agree with this decision and plan to appeal it,” the spokesperson added.
In its 2019 complaint, NOYB alleges that online streaming platforms, including Spotify, have not provided users with full data on how their personal information is being processed. As the company’s European headquarters are in Stockholm, the authorities have transferred jurisdiction over the complaint, originally filed in Austria, to Sweden.
An investigation by Swedish authorities found that between November 2021 and May 2022, Spotify violated the requirement for companies to be transparent about the purposes for which they process personal data, the types of recipients of personal data and whether they have safeguards in place. It turns out that it was processing users’ personal data. Applies when personal data is transferred to a third country.
Spotify had taken the necessary steps to notify users about how it handled their data, but the Swedish agency said the notice was “generalized” and that the company would be the same regardless of who requested the information. He said it meant that he was providing information.
The action by Swedish authorities comes after NOYB sued the Swedish court to force IMY to make a decision. The case is still under review.
“It is a fundamental right of every user to have complete information about the data processed about them,” said NOYB privacy attorney Stefano Rossetti.
Spotify has one month to comply with existing data processing requirements.