On Tuesday, the Swedish data protection agency imposed a $5.4 million fine on Spotify, the digital music and podcast web player, for allegedly violating transparency regulations outlined in the EU General Data Protection Regulation (GDPR).
The Swedish Authority for Privacy Protection (IMY) claims that Spotify fails to adequately inform customers about the usage of their data when responding to data access requests. In a press release, the privacy agency stated that Spotify needs to provide clearer and less complex disclosures regarding its data practices, enabling customers to understand how their data is utilized.
The GDPR, enacted in 2018, introduced extensive data privacy requirements that apply across Europe. One provision of the GDPR affirms individuals’ right of access, which involves understanding how businesses handle their personal data.
Spotify has defended its actions and plans to file an appeal. A Spotify spokesperson stated via email that the platform offers comprehensive information on personal data processing to all users. The Swedish DPA’s investigation, the spokesperson added, identified only minor areas requiring improvement in Spotify’s processes.
The investigation, which began in 2019, originated from three user complaints in 2018, according to the spokesperson.
Swedish privacy regulators highlighted that technical personal data, in particular, should be explained in the user’s native language, an aspect in which they found deficiencies.
However, Swedish officials found other aspects of Spotify’s data access approach to be appropriate. They noted that Spotify segregates personal data into layers, separating relevant information such as contact details, payment information, followed artists, and listening history from more technical data stored separately. This segregation enables customers to access the data they are most likely to seek.
According to Karin Ekström, one of the lawyers involved in the investigation, it is crucial for individuals to understand the information contained in the different layers and how to request it. Swedish officials believe Spotify has fulfilled this requirement adequately.
Nonetheless, Swedish officials stated that due to unclear information provided by Spotify regarding personal data, individuals have found it difficult to comprehend how their data is processed and assess the lawfulness of its handling.
Swedish authorities consider the shortcomings found to be of low severity, acknowledging that Spotify has made some efforts to comply with access requirements.
Written by: Artificial Intelligence Technology