Swedish data protection authority IMY has imposed a fine of the equivalent of 5 million euros on Spotify. European privacy laws give Europeans the right to request their data from companies and organizations operating in the EU, and answer what happens to his or her data. The happened insufficiently.
So writes the Swedish privacy watchdog in a press statement (1)
For the beginning of this case, we have to go back to January 2019. Noyb, a foundation from Austria that advocates for our privacy rights, then filed several complaints against Spotify. The reason was that the music streaming service failed to disclose all personal data and other information of customers regarding the use of customer data. The complaint landed on the Swedish regulator's plate because Spotify is headquartered in Sweden.
Then it remained silent for four years and the privacy watchdog failed to act. The IMY argued that the complainants themselves were not parties to the complaint procedure. Thereupon, Noyb decided to file a lawsuit to force the regulator to make a decision. The court ruled in favor of the Austrian privacy foundation.
Thereupon, IMY still conducted an investigation into Noyb's complaints.
The regulator looked at whether Spotify gave users access to their personal data if they requested it. This right, also known as the right of access, is set out in Article 15 of the General Data Protection Regulation (AVG).
IMY concluded that the music streaming service tells what data the company processes when customers ask for it. Spotify, however, does not answer how the company uses this data.
"The information provided by the company on how and for what purposes individuals' personal data is processed should be more specific. The individual requesting access to their data should be able to easily understand how the company uses that data. Moreover, personal data that is difficult to understand, such as data of a technical nature, may need to be explained not only in English but also in the person's own language," the Swedish regulator explained in a press release.
Further, IMY notes that Spotify stores customer data in multiple layers. One layer involves general data, such as listening history over a certain period of time and contact and payment information. The other layer contains more detailed data, such as technical logs related to the customer.
According to the regulator, there is nothing wrong with splitting personal data into multiple layers, as long as a company does not violate the right of access. "It is important that the data subject understands what information is in the different layers and how it can be accessed. We think Spotify has done enough to do this," the privacy watchdog said.
However, the Swedish Data Protection Authority does believe that the information provided by Spotify was unclear. For this reason, it was difficult for customers and users to verify how their personal data was being processed and whether it was done lawfully.
Spotify has since taken steps to comply with European privacy laws. Because the regulator described the deficiencies as "minor," the fine has been limited to 58 million Swedish kronor (about 5 million euros equivalent). The fine decision was made in cooperation with other privacy watchdogs in Europe.
In a response, Noyb says it is satisfied with the ruling. The Austrian privacy foundation does hope that the Swedish regulator will act more quickly in the future. "We are pleased that the Swedish authority has finally taken action. It is a basic right of every user to get full information about the data processed about him. However, the case took more than four years and we had to sue the IMY to get a decision. The Swedish government absolutely needs to speed up its procedures," said Stefano Rossetti, privacy lawyer at Noyb.
https://www.imy.se/nyheter/sanktionsavgift-mot-spotify/
