The music streaming service Spotify has been fined €5 million by the Swedish Data Protection Authority (IMY) for a lack of transparency about how it uses the personal data it collects. IMY launched an investigation into Spotify after receiving a complaint about potential violations of the General Data Protection Regulation (GDPR) from the privacy activist group, NOYB.
In 2019, NOYB filed a complaint in Austria that alleged Spotify failed to provide users of its service with adequate information on how their personal data would be collected and used. The complaint was passed on to IMY, as Spotify has its EU headquarters in Sweden. IMY’s audit of the data processing activities of Spotify determined that between November 2021 and May 2022, Spotify had processed the personal data of EU citizens, but there was a lack of transparency about the nature of the data processing and the recipients of personal data, as well as a failure to state whether protective measures were in place for personal data it transferred to third countries.
IMY said that when individuals exercise their right of access to find out about how their personal data is used, Spotify only provided generalized notifications of the processing activity and did not inform individuals clearly enough about how their data is used. Under the GDPR, individuals must be told in a clear and unambiguous way how their data is used, and it should be easy for individuals to understand the processing activities. IMY said Spotify gave individuals the option to choose the types of personal data they want to access, as it was divided into different layers, with the most relevant information provided upon request. Customers could request more detailed information if required, such as technical log files.
IMY said that dividing data into different layers can make it easier for individuals to understand the data, but Spotify had failed to make it clear to individuals what data was in each layer and how that information could be requested. “As the information provided by Spotify has been unclear, it has been difficult for individuals to understand how their personal data is processed and to check whether the handling of their personal data is lawful.”
IMY said Spotify cooperated with the investigation and has taken several measures to correct the deficiencies and that overall they are considered to be of a low level of seriousness; however, a financial penalty of SEK 58 million was still imposed and Spotify has been given a month to ensure full compliance with the GDPR. Spotify said it provides users with comprehensive information on how their data is processed and that the alleged GDPR violations concern only minor areas of its process, and that it does not agree with the penalty and intends to appeal the decision.