Spotify fined € 5 Million for GDPR violation

Data Subject Rights
 /  13 June 2023

Following a noyb complaint and litigation over inactivity, the Swedish Data Protection Authoirty (IMY) has issued a fine of 58 Mln Swedish Crown (about € 5 Million) against Spotify. While users have a right to get access to all their data and information on the use of their data, Spotify did not fully comply with this obligation. The IMY was in charge of the case because Spotify has its main establishment in Sweden. The noyb complaint was joined with a complaint filed in the Netherlands by Bits of Freedom.

Spotify

Complaint. On 18 January 2019 noyb has filed a number of complaint against various streaming services, as they did not provide users with an easy way to exercise their right to access under Article 15 GDPR. One of these complaints was filed in Austria and concerned Spotify's failure to provide all personal data and information as to the use of the data. Because Spotity is based in Sweden the case was sent to the Swedish Data Protection Authority (IMY).

Litigation against IMY. The complaint was not decided for more than four years. The IMY even said that the complainants are not a party to the procedure. On 22 June 2022 noyb therefore filed litigation against the IMY before the Swedish Courts over the lack of a decision. While the IMY has initially resisted the idea that it must decide over complaints, the Swedish Courts sided with noyb. While the case is still before the Supreme Administrative Court, the IMY has now issued a decision on the noyb complaint as well as on Spotify's wider approach to providing information to the users. The case was joined with another complaint from our colleagues at Bits of Freedom in the Netherlands.

Stefano Rossetti, privacy lawyer at noyb: "We are glad to see that the Swedish authority finally took action. It is a basic right of every user to get full information on the data that is processed about them. However, the case took more than 4 years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures."

Right to Access. The right to access does not only grant a right to get a copy of a users' own data, but also information as to their source, recipients of personal data or details on international data transfers. In the case of Spotify this information was not fully provided. Moreover, the company only gave access to "some" of the data, without informing the data subject on how to get the rest. IMY ordered Spotify to finally provide the full set of data under Article 58(2)(c) GDPR.

noyb will now assess the decision in detail to see if the IMY has fully enforced the users' rights.