Swedish music streaming service Spotify has been hit with a fine of 58 million Swedish kronor (equivalent to around $5.4 million) by Sweden's data protection authority (DPA) following an audit of the company's handling of customers' rights to access their personal data.
The Swedish Authority for Privacy Protection determined that Spotify is in compliance with General Data Protection Regulation (GDPR) rules regarding data access upon user request. However, the company fell short of fulfilling the requirements of Article 15 of the privacy law by failing to provide clear information on how user data is utilized, according to a press release by the DPA on Tuesday.
The issue was initially raised in January 2019 when privacy campaigner Max Schrems, along with two others, lodged a complaint asserting that Spotify had violated Article 15 of the GDPR.
Although the complaint was originally filed in Austria, it was redirected to Sweden, where Spotify's EU headquarters is located, in line with the GDPR's one-stop shop mechanism.
The one-stop shop mechanism was established to streamline the investigative process for cross-border cases. In November 2022, Schrems's privacy rights nonprofit organization, NOYB, took the Swedish DPA to court and won, contending that it had the right to due process and that the DPA's three-year investigation had exceeded a reasonable duration.
The DPA acknowledged that Spotify has taken corrective measures to comply with Article 15, and the identified deficiencies were considered to be of a relatively low level of seriousness.
In response to the fine, a Spotify spokesperson stated via email, "Spotify offers all users comprehensive information about how personal data is processed. During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal." The spokesperson further noted that the imposed penalty accounts for "approximately 1 percent of the maximum allowable fine" and highlighted that the DPA's decision largely deemed Spotify to be compliant.
By levying this fine, the Swedish DPA aims to ensure that companies like Spotify adhere to GDPR regulations and provide transparent information to users regarding the use of their personal data.
By fLEXI tEAM