Spotify, the popular music streaming service, has been fined around €5 million ($5.4M) in Sweden for breaching the data access rights of users in the European Union. The company was accused of not providing full information about personal data it processes in response to individual requests, which is a violation of Article 15 of the General Data Protection Regulation (GDPR). The complaint was filed by noyb, a privacy rights not-for-profit, in 2019. The complaint argued that Spotify failed to provide all personal data requested, did not provide information on the purposes of the processing, nor on recipients, and also did not provide information on international transfers, among other allegations.
The GDPR’s one-stop-shop mechanism meant that the complaint was routed to Sweden where Spotify has its main EU establishment. The complaint then languished undecided for several years as the Swedish authority undertook a parallel ex officio investigation to which the complainants weren’t party. Despite the GDPR stating that data controllers must respond to access requests within a month, noyb ended up taking the Swedish data protection authority (IMY) to court over the lack of a decision. Last year, it successfully challenged IMY’s position that the complainant is not a party in procedures, with the Stockholm administrative court holding that complainants have the right to request a decision after six months.
While that litigation is still ongoing (in front of a higher court), the administrative court decision last November ordering IMY to process and investigate the complaint appears to have moved the DPA to issue a decision in the meanwhile. IMY ordered Spotify to finally provide the full set of data. Although it’s reserving judgement on whether the authority has done everything it asked until it can scrutinize the decision.
The Swedish Authority for Privacy Protection (IMY) has investigated Spotify’s general procedures for handling access requests and found some shortcomings related to the information that should be provided to the individual making the request pursuant to article 15.1 a-h and 15.2 of the GDPR and in relation to the description of the data in the technical logfiles provided by Spotify. IMY has issued an administrative fine of SEK 58 million against Spotify for not providing sufficiently clear information to individuals in this regard. The decision includes violations of articles 12.1, 15.1 a-d, g and 15.2 of the GDPR.
IMY’s investigation has also encompassed an investigation of what has occurred in three different complaints and here IMY found that Spotify had failed in its handling of requests for access related to two of the complaints examined. The decision in this part includes violation of articles 12.1, 12.3, 15.1,15.3 and 15.1 a-h and 15.2 of the GDPR. In relation to these infringements IMY issues a reprimand.
Spotify offers all users comprehensive information about how personal data is processed. During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal.
The complaint against Spotify was actually one of a series of strategic complaints by noyb against music and video platforms that sought to test the application of the law. noyb argued structural violations of users’ GDPR data access rights were the dysfunctional norm across the eight platforms it tested — namely: Amazon, AppleMusic, DAZN, Flimmit, Netflix, Spotify, SoundCloud and YouTube — many of which it found had set up automated systems to respond to users’ SARs that did not provide all the information Europeans have a legal right to obtain.
Five years+ after the GDPR came into application, back in May 2018, enforcement continues to be a patchwork of highly variable outcomes owing to differences of approach and process (and sometimes also resources) across the national authorities tasked with upholding Europeans’ privacy rights.
noyb founder and chairman, Max Schrems, confirmed the IMY decision contains an order to Spotify to comply with access requests. He also suggested the platform has improved its system during the investigation. “We are expecting a full response now,” he said, adding: “So we need to see what they will send and if it’s enough.”
Asked whether Spotify is amending its response protocol to user data access request in light of the IMY sanction a Spotify spokeswoman told us the company has “nothing to confirm at the moment”, but added: “We are always considering and making improvements to the process to improve transparency.”
Schrems also told us noyb has seen movement on three of the other complaints; including a case being closed after the platform in question (Flimmit) fixed its processes during the procedure; a draft decision being issued by the Dutch DPA on Netflix; and DAZN reportedly close to concluding in Austria (before a court). Beyond that, the picture goes dark. Per Schrems, half of the eight complaints noyb targeted with complaints about data access have resulted in nothing but radio silence from relevant DPAs so far.