Spotify could be fined $5.4 million for violating GDPR guidelines by failing to provide complete information about the personal data it stores.
Spotify has been found to be in violation of Article 15 of the General Data Protection Regulation (GDPR). The complaint was first filed in 2019 by the privacy rights nonprofit noyb. In it, noyb alleges that Spotify did not provide all the requested personal data, nor did it provide any information about the purposes of the processing. The first complaint was filed in Austria and then sent to Sweden, where it remained dormant for four years.
noyb has sued the Swedish data protection authority (IMY) for failing to reach a decision. More than four years after its lawsuit was first filed, IMY finally ordered Spotify to provide the plaintiff with a full dataset.
“We are delighted that the Swedish authorities have finally taken action,” added noyb privacy attorney Stefano Rossetti. “It is a fundamental right of every user to have complete information about the data processed about him. The Swedish authorities definitely need to speed up the process.”
Spotify said it plans to appeal the decision, saying only a few areas of data processing need improvement. “Spotify provides all users with comprehensive information about how their personal data is processed,” a Spotify spokesperson told Digital Music News. “During its investigation, the Swedish DPA found only a few areas of the process that it felt needed improvement. However, we disagree with this decision and plan to appeal.”
noyb argues that Spotify is not the only platform that violates European users’ GDPR data access rights. These companies include Amazon, Apple Music, DAZN, Flimmit, Netflix, Spotify, SoundCloud and YouTube. Each of these organizations has set up automated systems for handling subject access requests (SARs) that do not provide all the information that Europeans have a legal right to obtain.