We’ve covered various fines and investigations by regulators against big tech and social media companies. But this time, Spotify has been fined 58 million Swedish kronor (€5 million) by its home country’s privacy watchdog.
The Swedish Privacy Agency (IMY) has found a “deficiency” (under European GDPR law) in how Spotify handles users’ rights to access the personal data it stores about them.
“IMY understands that although Spotify makes public the personal data that the company processes if an individual requests it, the company has not provided sufficiently clear information about how this data will be used by the company,” IMY ruled in a decision made in collaboration with fellow EU data protection regulators.
In other words, this is not about Spotify misusing your personal data, but rather about the process by which you gain access to information that Spotify knows about you.
The IMY said that “it has been difficult for individuals to understand how their personal data is being processed and to see whether the processing of their personal data is lawful”. Spotify’s size (in terms of users and revenue) was a factor in determining the 58 million Swedish kronor fine, although the regulator’s view was that the issue was “low severity”.
The original complaint was filed by privacy campaign group Noyb in early 2019 as part of a series of GDPR complaints that also included Apple Music, SoundCloud and YouTube. Noyb and IMY have since become embroiled in a legal battle over a (to date) pending decision in the Spotify case.
“We are pleased that the Swedish authorities have finally taken action. It is a fundamental right of every user to have complete information about the data processed about them,” said Stefano Rossetti, a privacy attorney at Noyb. “But the case took more than four years and I had to go to IMY to get a decision. Swedish authorities definitely need to speed up the process.”
Meanwhile, Spotify issued a statement to TechCrunch, saying, “Spotify provides all users with comprehensive information about how their personal data is processed. The Swedish DPA said during an investigation that improvements could be made. We have only found very few areas of our process that we believe are necessary, but we disagree with this decision and plan to appeal.”
As for fines, this is the least punitive one. €5 million equals exactly 0.00000004263665% of Spotify’s annual revenue of €11.73 billion. But the ruling, even if upheld on appeal, has stronger implications in that it would require Spotify to amend its processes for accessing users’ personal data.
What about the other music companies Noyb targeted in 2019? In a TechCrunch article, founder Max Schrems complained about the lack of action from relevant regulators, including Ireland’s DPA for Apple Music and YouTube and the Berlin Data Protection Commissioner for SoundCloud.