The fine is linked to the way Spotify offers users access to the personal data it stores and handles. The General Data Protection Regulation (GDPR), which entered into force in 2018, includes individuals’ ‘right of access,’ which means that they have the right to know what personal data a business collects about them and how it uses that data.
The Swedish Authority for Privacy Protection (IMY) audited the methods used by Spotify to respect users’ rights to access their personal data. The audit revealed that Spotify does indeed release personal data processed by the company upon request. However, there’s not enough transparency about how the data is being used.
The IMY believes that Spotify should be more specific about how and for what purposes individuals' personal data is handled. In essence, it should be easier for users requesting access to their data to understand how the company uses it. IMY officials also pointed out some shortcomings when it comes to providing users with clear information about their data in their native languages, particularly when it comes to technical information.
Spotify users who request access to their personal data can choose what kind of data they want to access, because Spotify organises it into several different layers. One of the layers offers information that Spotify finds to be of greatest interest to the individual, including the user’s payment and contact details, as well as the artists followed by the user in question.
Users can also request a more in-depth view of their personal data, which is delivered as part of a second layer. This layer can include technical log files relating to the customer, for instance. The IMY has found that Spotify has done enough to ensure individuals are well-informed about this data organisation procedure.
The authority also recognised Spotify’s overall efforts to meet the requirements for individuals' right to access. In addition, these recently uncovered deficiencies are not particularly serious, which is why the IMY looked at Spotify’s turnover and total number of users and decided to issue an administrative fine of SEK 58 million (EUR 5 million). It’s worth noting that other data protection authorities in the EU were consulted before the decision was made.