Spotify fined $5.4 million in Sweden over GDPR violations
Sweden’s data protection agency on Tuesday hit the digital music and podcast web player Spotify with a $5.4 million fine for allegedly flouting transparency regulations set by the EU General Data Protection Regulation (GDPR).
The Swedish Authority for Privacy Protection (IMY) asserts that Spotify responds to data access requests without clearly informing customers about how their data is used by the company. Spotify must be “more specific” in its data practice disclosures and make it less complex for customers requesting access to understand how Spotify is using their data, the privacy agency said in a press release.
The GDPR, which became law in 2018, set sweeping data privacy requirements which apply across Europe. One of the GDPR regulations asserts that individuals have rights of access, defined as the ability to find out how businesses treat their personal data.
Spotify defended its actions and said it will file an appeal.
“Spotify offers all users comprehensive information about how personal data is processed,” a Spotify spokesperson said via email. “During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement.”
The investigation was initiated in 2019 and stems from three user complaints back in 2018, the spokesperson said.
Among other things, Swedish privacy regulators noted that technical personal data in particular should be explained in a given individual’s native language, an area where Swedish officials said they found “shortcomings.”
Other elements of Spotify’s data access approach were found to be appropriate.
Swedish officials said Spotify “layers” personal data, separating information it deems to be most relevant such as the customer’s contact and payment details, artists the customer follows and listening history. More technical information is stored in a separate layer, Swedish officials said, making it easier for customers to access the data they are most likely to seek.
“It is important that the individual understands what information is in the various layers and how it can be requested,” Karin Ekström, one of the lawyers involved in the investigation, said in a statement. “Here we believe that Spotify has done enough.”
However, because some of the personal data information provided by Spotify has been unclear, Swedish officials said, “it has been difficult for individuals to understand how their personal data is processed and to check whether the handling of their personal data is lawful.”
The press release issued by Swedish officials said Spotify has taken some steps to attempt to meet the right to access requirements and shortcomings found “are considered overall to be of a low level of seriousness.”
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.