Popular music streaming service Spotify has been fined nearly €5 million ($5.4 million) in Sweden for violating users’ data access rights in the European Union. The company has been accused of failing to provide complete information about the personal data it processes in response to individual requests, which violates Article 15 of the General Data Protection Regulation (GDPR). The complaint was filed in 2019 by noyb, a non-profit organization that protects privacy rights. According to the complaint, Spotify did not provide all the personal data requested, nor any information about the purposes or recipients of the processing or about international transfers, among other allegations.
Due to the GDPR’s one-stop-shop mechanism, the complaint was sent to Sweden, where Spotify is primarily based in the EU. The complaint was then left unresolved for several years as the Swedish authorities carried out a parallel ex-officio investigation in which the complainant was not involved. Although the GDPR stipulates that the data controller must respond to access requests within one month, noyb eventually took the Swedish data protection authority (IMY) to court. Last year, the plaintiffs successfully challenged IMY’s position that they were not parties to the proceedings, and the Stockholm Administrative Court ruled that the plaintiffs had the right to seek a decision after six months.
The case is still ongoing (in the Superior Court), but the Administrative Court’s decision last November to order IMY to handle and investigate the complaint appears to have prompted the DPA to make a decision in the meantime. IMY finally ordered Spotify to provide the full dataset. However, we are deferring judgment on whether we have done all that the authorities asked us to do until we can scrutinize the decision.
The Swedish Privacy Agency (IMY) has investigated Spotify’s general procedures for processing access requests, the information that should be provided to individuals making requests pursuant to Articles 15.1 and 15.2 of the GDPR, and the description of the data in the technical log files provided by Spotify. IMY has imposed an administrative fine of 58 million Swedish kronor on Spotify for failing to provide individuals with sufficiently clear information in this regard. This part of the decision covers violations of Articles 12.1, 15.1, g and 15.2 of the GDPR.
IMY’s investigation also examined what happened in three different complaints, and IMY found failures by Spotify in processing the access requests in two of the complaints investigated. This part of the decision includes violations of Articles 12.1, 12.3, 15.1, 15.3, 15.1 and 15.2 of the GDPR. For these infringements, IMY will take disciplinary action.
Spotify provides all users with comprehensive information about how they process their personal data. During the investigation, the Swedish DPA found only a few areas of our processes that we believe need improvement. However, we disagree with this decision and plan to appeal.
The complaint against Spotify was actually one of a series of strategic complaints by noyb against music and video platforms that sought to test the application of the law. noyb said it found persistent structural violations of users’ GDPR data access rights across the eight platforms it tested (Amazon, Apple Music, DAZN, Flimmit, Netflix, Spotify, SoundCloud, YouTube), many of which have set up automated systems to respond to users’ subject access requests (SARs) that did not provide all the information that Europeans have a legal right to obtain.
It has been more than five years since the GDPR came into force in May 2018, but enforcement remains very difficult due to differences in approaches and processes (and in some cases resources) between national authorities tasked with protecting Europeans’ privacy rights. There continues to be a patchwork of inconsistent results.
Noyb founder and chairman Max Schrems confirmed that IMY’s decision included an order for Spotify to comply with access requests. He also suggested that the platform had improved its system during the investigation. “We are now expecting a full response,” he said, adding, “So we need to see what they send and if it is good enough.”
Asked if Spotify would modify its protocol for responding to user data access requests in light of the IMY sanctions, a Spotify spokesperson said, “There is nothing we can confirm at this time.” “We are always looking for ways to improve,” he added. “This is for transparency.”
Schrems also said noyb has seen movement on three other complaints: a case that was resolved after the platform in question (Flimmit) modified its process during the procedure; a draft decision issued by the DPA in the Netherlands regarding Netflix; and the DAZN case, which is reportedly nearing a conclusion (in court) in Austria. Beyond that, the picture is dark. According to Schrems, of the eight data access complaints filed by noyb, half have so far resulted only in radio silence from the DPA concerned.