We’ve reported on the various fines and investigations of big tech and social-media companies by regulators. But now Spotify has fallen foul of the privacy watchdog in its homeland, and has been slapped with an SEK 58m (€5m) fine.

Sweden’s Authority for Privacy Protection (IMY) found “deficiencies” (under Europe’s GDPR legislation) in Spotify’s handling of its users’ rights to access the personal data that it stores on them.

“IMY assesses that Spotify releases the personal data the company processes when individuals request it, but that the company does not inform clearly enough about how this data is used by the company,” ruled IMY, in a decision made in cooperation with fellow data-protection regulators in the EU.

So, this isn’t about Spotify misusing the personal data of its users, but rather the process through which they can access what it knows about them.

“It has been difficult for individuals to understand how their personal data is processed and to check whether the handling of their personal data is lawful,” as IMY put it. While the issues are “of a low level of seriousness” in the regulator’s opinion, Spotify’s size (in terms of users and revenues) was a factor in deciding the SEK 58m fine.

The original complaint was filed by privacy-campaigning organisation Noyb in early 2019, as part of a series of GDPR complaints that also included Apple Music, SoundCloud and YouTube. Noyb and IMY have since tangled in a legal battle over the lack (until now) of a decision in Spotify’s case.

“We are glad to see that the Swedish authority finally took action. It is a basic right of every user to get full information on the data that is processed about them,” said Noyb privacy lawyer Stefano Rossetti. “However, the case took more than 4 years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures.”

For its part, Spotify has issued a statement to TechCrunch, saying that “Spotify offers all users comprehensive information about how personal data is processed. During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal.”

As fines go, it’s not the most punitive: €5m is precisely 0.00000004263665% of Spotify’s annual revenues of €11.73bn. However, the ruling – if upheld on appeal – has more teeth in terms of requiring Spotify to amend its processes around users’ access to their personal data. 

What about those other music-related companies that Noyb targeted in 2019? In the TechCrunch piece, its founder Max Schrems complained about the lack of activity from the relevant regulators: the DPA in Ireland for Apple Music and YouTube, and Berlin’s data protection commissioner for SoundCloud.

Music Ally's Head of Insight