Spotify has been fined $5.4 million in Sweden for violating GDPR

Photo credit: Thibault Penin

Spotify faces a $5.4 million fine for violating GDPR guidelines by not providing full information about the personal data it holds.

Spotify was found to be in breach of Article 15 of the General Data Protection Regulation (GDPR). The complaint was first filed in 2019 by the privacy rights non-profit organization noyb. In it, noyb claims that Spotify did not provide all the requested personal data and did not provide any information on the purposes of the processing. The original complaint was filed in Austria before being forwarded to Sweden, where it lay in abeyance for four years.

noyb sued the Swedish Data Protection Authority for lack of a decision. IMY eventually requested Spotify to provide the complainant with the full data set, more than four years after the original filing of the complaint.

“We are pleased that the Swedish authorities have finally taken action,” adds Stefano Rossetti, data protection attorney at noyb. “It is a fundamental right of every user to receive comprehensive information about the data processed about him. However, the case lasted more than four years and we had to sue the IMY to get a decision. It is imperative that the Swedish authorities speed up their procedures.”

Spotify plans to appeal the decision, arguing that only minor areas of its data processing could be improved. “Spotify provides all users with comprehensive information on how personal data is processed,” a Spotify spokesman told Digital Music News. “During its investigation, the Swedish DPA only identified minor areas of our process that they felt needed improvement. However, we disagree with the decision and plan to appeal.”

noyb argues that Spotify is not the only platform violating European users’ GDPR data access rights. These companies include Amazon, Apple Music, DAZN, Flimmit, Netflix, Spotify, SoundCloud and YouTube. Each of these bodies set up automated systems to process SAR requests, which did not provide all the information that Europeans are legally entitled to receive.