Swedish music streaming giant Spotify has been fined SEK 58 million ($5.4 million) by the Swedish Authority for Privacy Protection (IMY) for breaching the European Union’s General Data Protection Regulation (GDPR). The penalty comes after an investigation into Spotify’s handling of users’ personal data and their access to that information.
The complaint against Spotify was initially filed in early 2019 by advocacy group Noyb, led by privacy campaigner Max Schrems. Noyb alleged various violations by Spotify, including failure to provide users with their complete personal data upon request and insufficient disclosure of the purposes for which the data was being processed.
The IMY found that while Spotify did provide users with their personal data upon request, it lacked clarity in informing them about how the company utilizes that data. The regulator emphasized the need for greater transparency from Spotify regarding the handling and processing of individuals’ personal data. Insufficient clarity made it challenging for users to comprehend how their data was being processed and verify the lawfulness of its handling, according to the IMY.
Despite deeming the violations to be of low severity, the IMY imposed the fine based on factors such as Spotify’s revenue, user base, and the steps the company has taken to address the issues. The decision was reached in collaboration with other EU data protection authorities due to Spotify’s widespread user presence across numerous countries.
Responding to the fine, Spotify stated in a TechCrunch interview that it offers comprehensive information to all users regarding the processing of personal data. The company disagreed with the IMY’s decision and intends to appeal.
This case serves as a reminder to tech companies of the importance of compliance with GDPR regulations and the need for transparent communication with users regarding their personal data. As data privacy concerns continue to grow in importance, regulators are closely scrutinizing the practices of major tech companies, and violations can result in significant financial penalties. Spotify’s appeal will shed further light on the outcome of this case and its implications for the company’s data handling practices.