Spotify Fined for Not Complying with GDPR
The Swedish Data Protection Authority has imposed a fine of 58 million Swedish kronor, approximately 5 million euros, on Spotify for not adequately complying with the right of access enshrined in the General Data Protection Regulation (GDPR). Although Spotify had released the personal data it processes on request, the privacy watchdog ruled that the company had not clearly enough explained how this information is used.
Noyb Accusations
The Austrian data protection association, Noyb, filed a series of GDPR-based complaints against various streaming service providers, including Spotify, on January 18, 2019. Noyb complained that Spotify had not provided complete information about the origin and recipients of personal data or details about international transfers. Spotify also only provided information about a selection of data without explaining how users could access a complete package.
IMY Ruling
The Swedish Data Protection Authority, known as the Integritetsskyddsmyndigheten (IMY), has made its decision on Spotify’s information practice, following the complaint made by Noyb. The IMY emphasized that the information should be “more specific,” making it easy for the person requesting access to their data to understand how the company is using that information. The IMY plans to assess Spotify’s compliance by assessing its data practice.
Customers exercising their right to access their personal data can choose different levels at which they wish to access their information. One level contains the information that Spotify believes is the most interesting to the user, such as the customer’s contact and payment details, preferences for certain artists, and a playlist for a specific period.
Conclusion
The IMY now believes that Spotify has taken several measures to meet the requirements of the individual’s right of access fully, and the defects found were also not serious. The penalty was taken in collaboration with other data protection authorities in the EU, given that Spotify has users in many countries. Although Noyb is examining whether the rights of those affected are fully enforced with this decision, they recommend that the Swedish authorities speed up their procedures.
