Swedish data protection authorities on Wednesday imposed an administrative fine of $5.3 million (or 58 million Swedish kronor) on the streaming service Spotify, saying it had not given users clarity on what it does with their personal data.
This violates an individual’s right of access, guaranteed under the General Data Protection Regulation, a European Union privacy law, to know what personal data a company is handling and how it is using it.
However, the press release acknowledges that “Spotify has taken several steps aimed at meeting individual access requirements, and the flaws discovered are generally considered to be of low severity.” Spotify may appeal this decision.
What did Spotify do wrong? The information Spotify gives users about how their information is handled should be more specific, said Karin Ekström, one of the leaders of the long-running investigation into the company. “For those who request access to the data, it should be easy for them to understand how the company uses this data,” added Ekström. “In addition, personal data that are difficult to understand, such as those of a technical nature, may need to be explained not only in English, but also in the native language of the individual.”
Without this information, it is difficult for customers to verify whether Spotify’s data processing is lawful.
And where did things go right? The Swedish authority’s investigation also explored how Spotify divides customers’ personal data into different tiers, such as viewing histories and payment details, which may be of more interest to individuals. Technical information such as log files linked to the customer form another layer and can also be requested by the customer.
“There is no impediment to separating copies of personal data into different layers as long as access rights are met,” Ekström explained. “Conversely, in some situations, at least when a large amount of information is involved, it may be easier for the data subject to understand the information if it is presented in separate parts. It is important that individuals understand that there is relevant information available and how they can request it. We believe Spotify has done well.”
How did this investigation begin? The investigation was initially prompted by a complaint filed in 2019 by noyb, a privacy rights nonprofit led by Max Schrems. The complaint alleges Spotify failed to provide sufficient details in response to a request for personal data. The company did not provide information about the purposes of processing or about matters such as international data transfers. The complaint was initially filed in Austria, but was later transferred to Sweden, Spotify’s main EU base.
This post is published under CC-BY-SA 4.0 License. Please feel free to republish it on your site, specifying the source and link. Adaptations and rewrites are allowed, but must remain true to the original.