Spotify has been fined SEK 58 million ($5.4 million) by a Swedish regulator after the company was found to have breached the European Union’s General Data Protection Regulation (GDPR, General Data Protection Regulation). The dispute revolves around the music service’s handling of users’ personal data and customer access to this information.
Advocacy group NOYB, led by privacy activist Max Schrems, filed a complaint against Spotify and other big tech companies in early 2019. In the complaint, NOYB claimed that Spotify does not provide services to users All personal data is provided upon request and the reasons for processing this data are not disclosed.
The Swedish Data Protection Agency (IMY) has found that while Spotify provides users with personal data, which it processes upon request, the company “It is not clear enough how the data will be used“. Management said that Spotify needs to be more transparent.about how and for what purposes the personal data of users is processed“. The lack of clarity means that “It is difficult for individuals to understand how their data is being processed and to check whether the processing of personal data is lawful”, – added to IMY.
The regulator said it is taking those issues into account “low severity” and noted that Spotify has taken steps to address these issues. IMY calculated the amount of the fine based on these factors, as well as Spotify’s revenue and audience size. He pointed out that since Spotify has users in many countries, he made the decision with the help of other EU data protection authorities.