There may be trouble brewing for Spotify in its home country, with the Swedish data-protection authority (Datainspektionen) launching a review of how Spotify handles requests for people to see what information it holds about them.
“The authority has become aware that there may be some shortcomings in how the company handles registry extracts, including that the extracts are not complete, and that the information is not sufficiently clear,” explained its announcement.
This is sparked by last year’s GDPR legislation in Europe, which gives people stronger rights to request and see the data held on them by digital services.
“Because Spotify handles a large amount of data on a very large number of users, it is important that the users’ request for registry extracts be handled correctly,” said lawyer Karin Ekström. “You have the right to turn to a company or authority that processes your personal data and through a registry extract to know what the information is. You should also get information about how the data is used described with a clear and simple language.”
You can read the questions posed to Spotify by the authority in this PDF. It’s in Swedish, but you can download it and then upload to Google Translate for a sense of what’s being asked. Spotify must reply in writing to Datainspektionen by 1 July with its answers.
Spotify says it will cooperate with the request. “Spotify takes data integrity and our obligations to our users very seriously. We welcome Datainspektionen’s questions about the processes we have in place to ensure that users receive the information they are looking for and are entitled to under the GDPR,” its Nordic spokesperson Fredrik Westin told ComputerSweden.
This investigation won’t come as a surprise if you read our news story in January about the latest study by privacy campaigner Max Schrems, who tested services including Spotify, Apple Music, SoundCloud and YouTube to see if they were complying with the ‘right to access’ elements of the GDPR.
“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrems at the time, as he filed complaints against the companies with the Austrian Data Protection Authority.
So, as we said, trouble brewing for Spotify, but this is by no means an issue exclusive to that company. The new investigation in Sweden may be a harbinger of further scrutiny to come for all music-streaming services, at a time when data on their users’ habits and tastes is more crucial to their businesses (from advertising to personalised recommendations) than ever.