Spotify, the popular digital music streaming service, is facing a hefty fine of approximately €5 million ($5.4M) in Sweden after being accused of failing to provide adequate information, as required by EU regulations, about how the company was using user data.
The size of the fine may not be significant to many, but it is an important milestone representing the struggle that European citizens face in trying to protect their data privacy. It serves as a reminder of the difficulty for citizens in this region in getting their rights respected and enforced.
Who reported this violation?
In January of 2019, noyb, a not-for-profit focusing on privacy rights, lodged a complaint against Spotify under the General Data Protection Regulation (GDPR). The complaint alleged that Spotify had failed to provide enough information in response to a subject access request (SAR) placed by the complainant. After almost four years of investigation, Swedish authorities have now found that Spotify had indeed violated Article 15 of the GDPR by not providing enough information in response to the SAR.
The complaint alleged that the music streaming platform had failed in their duty to provide all personal data that was requested by the complainant. In addition, they did not adequately inform the complainant of the purposes of the processing, along with any potential recipients of the data or any international transfers associated with it.
How was the complaint filed?
The complaint, which was initially filed with the Swedish authority IMY, went unresolved for an extended period of time. According to noyb, an ex officio investigation was launched in parallel to the complaint, but without the direct involvement of the complainants.
noyb took legal action against IMY for not making a decision on their case. Eventually, the Stockholm administrative court ruled that complainants are allowed to request a decision after six months, overturning IMY’s previous stance that complainants are not involved in the decision-making process.
In a statement, Stefano Rossetti, privacy lawyer at noyb, said:
“We are glad to see that the Swedish authority finally took action. It is a basic right of every user to get full information on the data that is processed about them. However, the case took more than 4 years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures.”
Spotify was also contacted for comment. A company spokesperson sent this statement — confirming it intends to appeal:
“Spotify offers all users comprehensive information about how personal data is processed. During their investigation, the Swedish DPA (data protection authority) found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal.”
Are more GDPR violations to come?
The introduction of the GDPR in May 2018 has had a major impact on companies across Europe and the UK, with a noticeable increase in both the number and severity of fines issued. Before 2018, fines issued were relatively small, usually falling within the single-digit millions. However, in 2021 alone, this figure was more than 400 million.
With GDPR enforcement becoming stricter, businesses should prepare for further rises in the number and severity of fines issued in the coming years. Companies must ensure that their data processing activities are compliant with the regulation or risk facing substantial financial penalties. To help companies stay ahead of new regulations, many organizations have appointed data protection officers to oversee their operations and ensure GDPR compliance.