Privacy

Spotify fined in Sweden over GDPR data access complaint

Comment

A photo of Spotify's app icon on iOS.
Image Credits: Martin Bureau (opens in a new window) / Getty Images

Music streaming giant Spotify is facing a fine of around €5 million ($5.4M) in Sweden years after it was accused of breaching the data access rights of users in the European Union by not providing full information about personal data it processes in response to individual requests.

While the size of the fine is unlikely to grab many headlines, the fact it’s finally happened is notable as further evidence of the mountain European users have to climb to get their data protection rights upheld.

The finding of a breach of Article 15 of the General Data Protection Regulation (GDPR) comes more than four years after a complaint was lodged against Spotify by the privacy rights not-for-profit, noyb. The complaint, which was filed at the start of 2019, alleged Spotify failed to provide adequate detail in response to the complainant’s subject access request (SAR).

The complaint argued the music streaming platform failed to provide all personal data requested; did not provide information on the purposes of the processing; nor on recipients; and also did not provide information on international transfers, among other allegations.

While it was originally filed in Austria the GDPR’s one-stop-shop mechanism, which is supposed to streamline case handling where data-processing crosses national borders, meant the complaint got routed to Sweden where Spotify has its main EU establishment. (Another complaint over the same issue which was filed in the Netherlands was also joined to the case in Sweden.)

The complaint then languished undecided for several years as, according to noyb, the Swedish authority undertook a parallel ex officio investigation to which the complainants weren’t party — despite the GDPR stating data controllers must respond to access requests within a month.

noyb ended up taking the Swedish data protection authority (IMY) to court over the lack of a decision. And last year it successfully challenged IMY’s position that the complainant is not a party in procedures, with the Stockholm administrative court holding that complainants have the right to request a decision after six months.

While that litigation is still ongoing (in front of a higher court) the administrative court decision last November ordering IMY to process and investigate the complaint appears to have moved the DPA to issue a decision in the meanwhile.

noyb said today that IMY ordered Spotify to finally provide the full set of data. Although it’s reserving judgement on whether the authority has done everything it asked until it can scrutinize the decision.

In a statement, Stefano Rossetti, privacy lawyer at noyb, added:

We are glad to see that the Swedish authority finally took action. It is a basic right of every user to get full information on the data that it processed about them. However, the case took more than 4 years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures.

We reached out to the Swedish authority with questions and it sent the below statement — confirming it identified a number of violations by Spotify pertaining to three complaints it investigated. It also described the case as “complex and comprehensive”, saying it not only looked at individual instances of how it handled data access requests but also assessed general procedures.

Here’s the statement in full:

The Swedish Authority for Privacy Protection (IMY) has investigated Spotify’s general procedures for handling access requests and have found some shortcomings related to the information that should be provided to the individual making the request pursuant to article 15.1 a-h and 15.2 of the GDPR and in relation to the description of the data in the technical logfiles provided by Spotify. IMY has issued an administrative fine of SEK 58 million against Spotify for not providing sufficiently clear information to individuals in this regard. The decision includes violations of articles 12.1, 15.1 a-d, g and 15.2 of the GDPR.

IMYs investigation has also encompassed an investigation of what has occurred in three different complaints and here IMY found that Spotify had failed in its handling of requests for access related to two of the complaints examined. The decision in this part includes violation of articles 12.1, 12.3, 15.1,15.3 and 15.1 a-h and 15.2 of the GDPR. In relation to these infringements IMY issues a reprimand.

The case has been a complex and comprehensive case where we, as explained above, have assessed both Spotify’s general procedures for handling individual access requests, as well as how Spotify has acted in a number of individual situations where we have received complaints to the authority. As Spotify has operations and users in several countries, the work has also included cooperation with other data protection authorities in the EU. This cooperation, and the requirements for similar handling across the EU, also meant that, during the course of supervision, we had to change the focus on supervision, which unfortunately delayed processing. The EU cooperation, which came with GDPR, is something relatively new to us and there is ongoing work within the EU to streamline the cooperation – something we see that there is a need for.

Spotify was also contacted for comment. A company spokesperson sent us this statement — confirming it intends to appeal:

Spotify offers all users comprehensive information about how personal data is processed. During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal.

Five years+ after the GDPR came into application, back in May 2018, enforcement continues to be a patchwork of highly variable outcomes owing to differences of approach and process (and sometimes also resources) across the national authorities tasked with upholding Europeans’ privacy rights.

The complaint against Spotify was actually one of a series of strategic complaints by noyb against music and video platforms that sought to test the application of the law.

noyb argued structural violations of users’ GDPR data access rights were the dysfunctional norm across the eight platforms it tested — namely: Amazon, AppleMusic, DAZN, Flimmit, Netflix, Spotify, SoundCloud and YouTube — many of which it found had set up automated systems to respond to users’ SARs that did not provide all the information Europeans have a legal right to obtain.

More than four years on it’s not clear whether noyb’s earlier snapshot of systemic flouting of users’ data access rights is substantially changed or not.

In the case of Spotify, enforcement actually happening — albeit painfully slowly — does appear to have moved the needle.

noyb founder and chairman, Max Schrems, confirmed the IMY decision contains an order to Spotify to comply with access requests. He also suggested the platform has improved its system during the investigation. “We are expecting a full response now,” he said, adding: “So we need to see what they will send and if it’s enough.”

Asked whether Spotify is amending its response protocol to user data access request in light of the IMY sanction a Spotify spokeswoman told us the company has “nothing to confirm at the moment”, but added: “We are always considering and making improvements to the process to improve transparency.”

Schrems also told us noyb has seen movement on three of the other complaints; including a case being closed after the platform in question (Flimmit) fixed its processes during the procedure; a draft decision being issued by the Dutch DPA on Netflix; and DAZN reportedly close to concluding in Austria (before a court).

Beyond that the picture goes dark.

Per Schrems, half of the eight complaints noyb targeted with complaints about data access have resulted in nothing but radio silence from relevant DPAs so far. (The Irish DPA would be the lead for complaints on Apple and Google-owned YouTube; Luxembourg leads on oversight of Amazon; while SoundCloud is based in Berlin — so would likely fall under the city’s data protection commissioner.)

“The rest is still silence – after 4.5 years,” Schrems added. 

More TechCrunch

Fisker is just a few days into its Chapter 11 bankruptcy, and the fight over its assets is already charged, with one lawyer claiming the startup has been liquidating assets…

The fight over Fisker’s assets is already heating up

A hacker is advertising customer data allegedly stolen from the Australia-based live events and ticketing company TEG on a well-known hacking forum. On Thursday, a hacker put up for sale…

Hacker claims to have 30 million customer records from Australian ticket seller giant TEG

Welcome to Startups Weekly — Haje‘s weekly recap of everything you can’t miss from the world of startups. Sign up here to get it in your inbox every Friday. Elon…

Tesla makes Musk best-paid CEO of all time and Fisker bites the dust

Dot is a new AI companion and chatbot that thrives on getting to know your innermost thoughts and feelings.

Dot’s AI really, really wants to get to know you

The e-fuels startup is working on producing fuel for aviation and maritime shipping using carbon dioxide and other waste carbon streams.

E-fuels startup Aether Fuels is raising $34.3 million, per filing

Fisker was facing “potential financial distress” as early as last August, according to a new filing in its Chapter 11 bankruptcy proceeding, which the EV startup initiated earlier this week.…

Fisker faced financial distress as early as last August

Cruise, the self-driving subsidiary of General Motors, has agreed to pay a $112,500 fine for failing to provide full information about an accident involving one of its robotaxis last year.…

Cruise clears key hurdle to getting robotaxis back on roads in California

Feel Therapeutics has a pretty original deck, with some twists we rarely see; the company did a great job telling the overall story.

Pitch Deck Teardown: Feel Therapeutics’ $3.5M seed deck

The Rockset buy fits into OpenAI’s broader recent strategy of investing heavily in its enterprise sales and tech orgs.

OpenAI buys Rockset to bolster its enterprise AI

The U.S. government announced sanctions against 12 executives and senior leaders of the Russia-based cybersecurity giant Kaspersky. In a press release, the Department of the Treasury’s Office of Foreign Assets…

US government sanctions Kaspersky executives

Style DNA, an AI-powered fashion stylist app, creates a personalized style profile from a single selfie. The app is particularly useful for people interested in seasonal color analysis, a process…

Style DNA gets a generative AI chatbot that suggests outfit ideas based on your color type

Rates of depression, anxiety and suicidal thoughts are surging among U.S. teens. A recent report from the Center of Disease Control found that nearly one in three girls have seriously…

Khosla-backed Marble, built by former Headway founders, offers affordable group therapy for teens

Cover says what sets it apart is the underlying technology it employs, which has been exclusively licensed from NASA’s Jet Propulsion Laboratory.

A new startup from Figure’s founder is licensing NASA tech in a bid to curb school shootings

Spotify is introducing a new “Basic” streaming plan in the United States, the company announced on Friday. The new plan costs $10.99 per month and includes all of the benefits…

Spotify launches a new Basic streaming plan in the US

Photographers say the social media giant is applying a ‘Made with AI’ label to photos they took, causing confusion for users.

Meta is tagging real photos as ‘Made with AI,’ say photographers

Website building platform Squarespace is selling Tock, its restaurant reservation service, to American Express in a deal worth $400 million — the exact figure that Squarespace paid for the service…

Squarespace sells restaurant reservation system Tock to American Express for $400M

Featured Article

Change Healthcare confirms ransomware hackers stole medical records on a ‘substantial proportion’ of Americans

The February ransomware attack on UHG-owned Change Healthcare stands as one of the largest-ever known digital thefts of U.S. medical records.

18 hours ago
Change Healthcare confirms ransomware hackers stole medical records on a ‘substantial proportion’ of Americans

Google said today that it globally paused its experiment that aimed to allow new kinds of real-money games on the Play Store, citing the challenges that come with the lack…

Google pauses its experiment to expand real-money games on the Play Store

Venture firms raised $9.3 billion in Q1 according to PitchBook data, which means this year likely won’t match or surpass 2023’s $81.8 billion total. While emerging managers are feeling the…

Kevin Hartz’s A* raises its second oversubscribed fund in three years

Google is making reviews of all your movies, TV shows, books, albums and games visible under one profile page starting June 24, according to an email sent to users last…

Google is making your movie and TV reviews visible under a new profile page

Zepto, an Indian quick commerce startup, has more than doubled its valuation to $3.6 billion in a new funding round of $665 million.

Zepto, a 10-minute delivery app, raises $665M at $3.6B valuation

Speak, the AI-powered language learning app, has raised new money from investors at double its previous valuation.

Language learning app Speak nets $20M, doubles valuation

SpaceX unveiled Starlink Mini, a more portable version of its satellite internet product that is small enough to fit inside a backpack.  Early Starlink customers were invited to purchase the…

SpaceX debuts portable Starlink Mini for $599

Ali Rathod-Papier has stepped down from her role as global head of compliance at corporate card expense management startup Brex to join venture firm Andreessen Horowitz (a16z) as a partner…

Brex’s compliance head has left the fintech startup to join Andreessen Horowitz as a partner

U.S. officials imposed the “first of its kind” ban arguing that Kaspersky threatens U.S. national security because of its links to Russia.

US bans sale of Kaspersky software citing security risk from Russia 

Apple has released Final Cut Pro for iPad 2 and Final Cut Camera, the company announced on Thursday. Both apps were previously announced during the company’s iPad event in May.…

Apple releases Final Cut Pro for iPad 2 and Final Cut Camera

Paris has quickly established itself as a major European center for AI startups, and now another big deal is in the works.

Poolside is raising $400M+ at a $2B valuation to build a supercharged coding co-pilot

The space industry is all abuzz about how SpaceX’s Starship, Blue Origin’s New Glenn, and other heavy-lift rockets will change just about everything. One likely consequence is that spacecraft will…

Gravitics prepares a testing gauntlet for a new generation of giant spacecraft

LTK (formerly LiketoKnow.it and RewardStyle), the influencer shopping app with 40 million monthly users, announced on Thursday the launch of a free direct message tool for creators to instantly share…

Influencer shopping app LTK gets an automatic direct message tool

YouTube appears to be taking a firm stance against Premium subscribers who attempt to use a VPN (virtual private network) to access cheaper subscription prices in other countries. This week,…

YouTube confirms crackdown on VPN users accessing cheaper Premium plans