Swedish company Spotify has been fined SEK 58 million (about $5.4 million) by the Swedish regulator, which found violations of the European Union’s General Data Protection Regulation (GDPR). The proceedings concerned the processing of users’ personal data and customers’ access to this information.
The complaint against Spotify and other big tech companies was filed by the NOYB advocacy group, led by Max Schrems, a privacy campaigner. In its complaint, NOYB claimed that Spotify does not provide users with full information about personal data upon request and does not explain the reasons for processing such information, notes NIX Solutions.
The Swedish Privacy Authority (IMY) investigated and found that although Spotify provides user data upon request, the company “does not communicate clearly enough about how this data is used.” IMY stated that Spotify needs to be more transparent about the processing of users’ personal data and explain how and for what purposes this data is used. The lack of clarity in the information makes it “difficult for individuals to understand how their data is being processed and to verify whether such processing is lawful,” IMY added.
IMY considers these breaches to be of low severity and noted that Spotify has taken steps to address the issues. The amount of the fine was determined based on the company’s revenue and the size of its user audience. IMY made the decision with the participation of other EU data protection authorities, given the international nature of Spotify and the presence of users in different countries.