EU Imposes $5 Million Fine on Spotify for Violating Data Rules

Swedish authorities have imposed a fine of 58 million kronor ($5.4 million) on music streaming platform Spotify for violating European Union (EU) data regulations.

The penalty was issued by the Swedish Authority for Privacy Protection (IMY) due to Spotify’s failure to adequately inform users about the usage of their collected data.

Spotify has announced its intention to challenge the decision by appealing.

Further, the IMY said it had reviewed “how Spotify handles customers’ right of access to their personal data,” and
“As a result of the shortcomings identified, IMY is imposing a fine of 58 million kronor on the company.”

The IMY emphasized that according to the European data protection law GDPR, individuals have the right to be informed about the data collected by companies and how it is being used.

According to IMY, while Spotify did comply with data requests from individuals, the company failed to provide sufficient clarity regarding the usage of that data.

IMY stated, “Since the information provided by Spotify has been unclear, it has been difficult for individuals to understand how their personal data is processed and to check whether the processing of their personal data is lawful.”

The authority also mentioned that the identified shortcomings were considered relatively minor. The size of the fine imposed on Spotify took into account the company’s user count and revenue.

With its listing on the New York Stock Exchange, the music-streaming giant announced in April that it had surpassed 500 million monthly active users, including 210 million paying subscribers.

In response to the IMY findings, Spotify contested the conclusions and asserted that it provides users with comprehensive information on the processing of personal data. In an emailed statement to AFP, Spotify stated, “We don’t agree with the decision and plan to file an appeal,” while acknowledging that only minor areas of improvement were identified by IMY.

The privacy activist group Noyb, in a separate statement, mentioned that the fine resulted from a complaint and subsequent legal proceedings initiated by the group. While they appreciated the decision, they expressed disappointment over the lengthy duration of the case.

Stefano Rossetti, a privacy lawyer at Noyb, stated, “The case took more than four years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures.”