Sweden’s privacy protection authority has issued a SEK 58-million (€5m / $5.4m) fine against Spotify for what it says is failure to comply with EU regulations that require digital services to grant users access to the data they have about them.
Spotify reportedly plans to appeal the decision.
The case stems from a complaint filed in January 2019 by an unnamed individual and represented by noyb (“none of your business”), a not-for-profit that campaigns for privacy rights.
That complaint, filed initially in Austria, alleged that Spotify had violated the rules of the EU’s General Data Protection Regulation (GDPR). Section 15 of the GDPR requires that digital services companies provide detailed information to users about what data is stored, who it’s shared with and for what reasons.
“The right to access does not only grant a right to get a copy of a users’ own data, but also information as to their source, recipients of personal data or details on international data transfers,” noyb said in a statement.
“In the case of Spotify this information was not fully provided. Moreover, the company only gave access to ‘some’ of the data, without informing the data subject on how to get the rest.”
Because Spotify is a Sweden-headquartered company, EU rules required that the complaint be transferred to the Swedish data protection authority (DPA), known as IMY, where the complaint languished without a decision for several years. That’s something noyb says is itself a violation of GDPR rules that require a DPA to make a decision on a complaint within one month.
According to noyb, IMY launched a parallel investigation into Spotify, to which the original complainant was not a party. When noyb went to court in Sweden to force IMY to make a decision, the authority argued that the original complainant was not a party to the investigation and didn’t have standing to challenge IMY in court over the matter, noyb said.
In November of last year, a Swedish administrative court sided with the complainant and declared that they did have a right to request that IMY issue a decision in the matter. On Tuesday (June 13), IMY issued that decision.
“The Swedish Authority for Privacy Protection (IMY) has investigated Spotify’s general procedures for handling access requests and have found some shortcomings related to the information that should be provided to the individual making the request… and in relation to the description of the data in the technical logfiles provided by Spotify,” IMY said in a statement sent to TechCrunch.
“IMY has issued an administrative fine of SEK 58 million against Spotify for not providing sufficiently clear information to individuals in this regard,” the statement continued.
“IMY’s investigation has also encompassed an investigation of what has occurred in three different complaints and here IMY found that Spotify had failed in its handling of requests for access related to two of the complaints examined,” the authority added.
“It is a basic right of every user to get full information on the data that is processed about them.”
Stefano Rossetti, noyb
IMY also noted that, because the investigation spanned several countries, it required the cooperation of data protection authorities outside Sweden, which it said slowed down the investigation.
“The EU cooperation, which came with GDPR, is something relatively new to us and there is ongoing work within the EU to streamline the cooperation – something we see that there is a need for,” IMY said.
“We are glad to see that the Swedish authority finally took action. It is a basic right of every user to get full information on the data that is processed about them,” Stefano Rossetti, a privacy lawyer at noyb, said in a statement.
“However, the case took more than four years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures.”
noyb has suggested that, in some other EU countries, regulators appear to be working even more slowly. The Austrian complaint against Spotify was just one of eight the group filed against digital companies in 2019, including complaints against Apple Music, Netflix, SoundCloud and YouTube.
The group told Global Village Space that of those eight, it has seen movement on four of the complaints, including the Spotify one, and the remaining data protection authorities involved have not responded.
In a statement issued to TechCrunch, a Spotify spokesperson said the music streaming service “offers all users comprehensive information about how personal data is processed.”
It said Swedish authorities “found only minor areas of our processes they believe need improvement,” adding that the company disagrees with IMY’s decision and plans to file an appeal.
A 2022 review of Spotify’s privacy practices by the Common Sense Privacy Program gave Spotify a 57 out of 100, a score that comes with the label “warning.”
Among areas of particular concern were protecting against unauthorized access, preventing sale of data and following student data privacy laws.
This is not Spotify’s first controversy involving user privacy. In 2015, co-founder and CEO Daniel Ek issued an apology after the DSP attempted to change its privacy conditions, and requested users’ permission to access their photos, contacts and other personal information.Music Business Worldwide
