By 
Swedish music streaming giant Spotify has been fined SEK 58 million ($5.4 million) by a Swedish regulator for violating the European Union’s General Data Protection Regulation (GDPR). The penalty comes as a result of issues related to how Spotify manages users’ personal data and provides access to that data for its customers.
Privacy advocacy group Noyb, led by privacy campaigner Max Schrems, filed a complaint against Spotify and other major tech companies in early 2019. The complaint alleged that Spotify had not fully disclosed all personal data to users upon request and had failed to transparently explain the reasons behind processing such data.
The Swedish Authority for Privacy Protection (IMY) concluded that while Spotify does provide users with their processed personal data upon request, the company “does not adequately communicate how this data is utilized.” The IMY stated that Spotify should enhance transparency “regarding the handling of individuals’ personal data and the purposes for which it’s processed.” This lack of clarity has made it challenging for users to comprehend the lawful processing of their personal data, IMY added.
While considering the violations as having “a low level of seriousness,” the regulator acknowledged that Spotify has initiated measures to address these issues. The fine amount was determined based on these factors, as well as Spotify’s revenue and user count. Given that Spotify’s user base spans multiple countries, the IMY collaborated with other EU data protection authorities in making the decision.
In response to the fine, Spotify stated, “We provide all users with comprehensive information about how personal data is processed.” The company, headquartered in Sweden, acknowledged minor areas in its process that require improvement as per the regulator’s findings. However, Spotify disagreed with the decision and plans to file an appeal, as conveyed in a statement to TechCrunch.
Comments