
Sweden: IMY fines Spotify SEK 58M for failures regarding data subject requests

On June 13, 2023, the Swedish Authority for Privacy Protection (IMY) published its Decision No. DI-2019-6696, issued on June 12, 2023, in which it imposed a fine of SEK 58 million (approx. $5.4 million) on Spotify AB for violations of the General Data Protection Regulation (GDPR), following complaints.

Background to the decision

In particular, the IMY highlighted that it had received complaints since May 2018 regarding Spotify's handling of data subject requests, and that in 2019 it initiated an investigation into the exercise of data subject rights, with specific attention given to the right of access.

Findings of the IMY

Following its investigation, the IMY found that Spotify provides information on exercising data subject rights in 21 different languages in its privacy notice, and that the language of the information provided is based on the language settings of the browser used. The IMY also recognized that Spotify provides information on the purpose of processing, the categories of personal data processed, and the source of personal data, among other things, in the privacy notice. Notably, the IMY clarified that Spotify's privacy notice does inform users of how to exercise their right of access, while more information can also be found in the Spotify privacy policy.

However, the IMY stipulated that information under the privacy notice must be designed in such a way that the purpose of the right of access is fulfilled, and that the information must be provided in a manner that meets the requirements of transparency. Therefore, the IMY considered Spotify to have violated Article 12(1) of the GDPR.

In addition, regarding the purpose of the right of access, the IMY held that the content of the information relating to Articles 15(1) and 15(2) of the GDPR must be adapted depending on which services the data subject has chosen to use, including which categories of personal data are processed, the recipients, and where the personal data was collected. The IMY also established that the same requirement to adapt content applies to data transfers to third countries and the appropriate safeguards taken for such transfers, as required under Article 15(2) of the GDPR.

Centrally, the IMY outlined that the information provided to data subjects by Spotify was not specific enough. For example, the IMY detailed that it must be easy for data subjects to understand how companies use their data, and that, regarding the retention of personal data, data subjects must understand how long their data will be stored, with a time of deletion specified. Equally, on third-country data transfers, the IMY provided that data subjects must receive meaningful information that makes it possible to determine whether their personal data has been transferred and, if so, what protective measures have been used.

The IMY further held that Spotify divided the personal data provided to data subjects into different layers. Consequently, the IMY determined that providing only a sample of the personal data concerning the data subject risks leading the data subject to believe that the sample is a complete copy.

Finally, the IMY provided that Spotify had not taken sufficient measures to ensure that data subjects understand the description of data processing in non-technical terms, and that the description of data in technical log files was provided by default in English only.

For the above reasons, the IMY considered Spotify to have violated Articles 12(1), 15(1)(a), 15(1)(b), 15(1)(c), 15(1)(d), 15(1)(g), and 15(2) of the GDPR.

Outcomes

In conclusion, the IMY imposed a fine of SEK 58 million (approx. $5.4 million) for the above-mentioned violations of the GDPR, noting that the deficiencies are of low severity.

You can read the press release here and the decision here, both available only in Swedish, and the European Data Protection Board summary here.
