Spotify is facing a $5.4 million fine for violating GDPR guidelines by not providing full information about the personal data it stores.
Spotify was found to be in breach of Article 15 of the General Data Protection Regulation (GDPR). The complaint was first lodged by privacy rights not-for-profit organization noyb in 2019. In it, noyb alleges that Spotify failed to provide all personal data requested and did not provide information on the purposes of the processing. The original complaint was filed in Austria before being funneled to Sweden, where it languished for four years.
noyb took the Swedish data protection authority (IMY) to court over the lack of a decision. IMY finally ordered Spotify to provide the full set of data to the complainant more than four years after the case was originally filed.
“We are glad to see that the Swedish authority finally took action,” adds Stefano Rossetti, a privacy lawyer at noyb. “It is a basic right of every user to get full information on the data processed about them. However, the case took more than four years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures.”
Spotify says it plans to appeal the decision, arguing that only minor areas of its data processing could use improvement. “Spotify offers all users comprehensive information about how personal data is processed,” a Spotify spokesperson told Digital Music News. “During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal.”
noyb argues that Spotify isn’t the only platform that violates European users’ GDPR rights to data access. The companies it names include Amazon, Apple Music, DAZN, Flimmit, Netflix, Spotify, SoundCloud, and YouTube. Each of these entities set up automated systems to handle subject access requests (SARs), and those systems did not provide all the information Europeans have a legal right to obtain.