A privacy company in Sweden has presented Spotify with a fine due to a failure to provide users with information about how their data is being used.
Within the EU, there are certain regulations for companies to follow. One of these being, digital services who collect user data must allow the users access to this data. They cannot for example, store their location without the user being able to know about it.
However, Spotify have broken these rules which have led to Sweden’s privacy protection authority fining them SEK 58 million (€5m/$5.4m). The complaint was first filed in January 2019 by an individual who cannot be named.
This complaint was backed by representatives noyb (none of your business) who are a not-for-profit. They campaign for privacy rights. This complaint was filed in Austria to start with. It was said Spotify had violated rules set by the EU General Data Protection Regulation (GDPR).
Within these regulations it states that digital companies must provide detailed information about what data is stored and who it’s shared with. This should be given to the user if requested, along with details as to where this information was sourced from.
Not-for-profit company noyb stepped in
The company noyb has said “The right to access does not only grant a right to get a copy of a users’ own data, but also information as to their source, recipients of personal data or details on international data transfers”.
It’s been said Spotify provided information, however it wasn’t the full details. Nor did they allow the user to know how to access the rest of the information. Due to Spotify’s headquarters being located in Sweden, it must be dealt with there.
EU rules state that the complaint must therefore be transferred to the Swedish data protection authority (DPA) known as IMY. However, this has only caused further upset. It’s said GRPD rules state the DPA should make a decision within one month of the complaint.
Swedish administrative court take over
But, unfortunately, this decision had not been made, and with the first filed complaint being made in 2019, it had overran this timeframe significantly. Within November 2022 a Swedish administrative court sided with noyb and said the IMY must issue a decision.
From there it seems the IMY sided with the complainant too. They therefore issued a fine of SEK 58 million to Spotify, saying they did not provide sufficient information to users. However due to the investigation spanning across countries, the process would take longer.
They have said they require the cooperation of data protection authorises from outside of Sweden, and this is what slowed them down previously. Although noyb are happy a decision has finally been made, they say Sweden need to improve this process.
Spotify aren’t the only company to be under fire for breaking GDPR rules. Apple Music, Netflix, SoundCloud and YouTube were amongst others. Spotify aren’t going to take this decision lightly and will likely try to fight back.