The world’s leading audio platform Spotify was fined 58 million kroner (5 million euros) by Swedish authorities under the General Data Protection Regulation (GDPR) on Tuesday 13 June. The company has announced that it intends to appeal the decision.
The Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY) estimated that the streaming giant did not communicate precisely enough how it uses its users’ data. “An individual requesting access to their data needs to be able to easily understand how the company is using it,” said Karin Ekstrom, one of the lawyers leading the agency’s investigation.
And in some more complex cases, the explanations of these data must be available “not only in English but also in the language of the data subject”. “We identified gaps in these areas,” said Ms. Ekström. But these are “not serious overall,” she added, noting that Spotify “has taken several steps to meet the needs of the people’s right of access.”
The size of the fine is justified by the place the platform occupies in the legal music streaming arena and by the number of its users: more than 515 million as of April.
Also read: Article for our GDPR subscribers: What are the implications of the sanctions five years after the regulation came into effect?
“Accelerate Operations”
The Noyb company, which filed the lawsuit against Spotify, welcomed the Swedish decision but regretted its long-term consequences. “The case lasted more than four years and we had to contact IMY to get a decision. “The Swedish authority absolutely needs to speed up its procedures,” stressed Stefano Rossetti, a lawyer specializing in data protection at Noyb.
In a statement sent to Agence France-Presse, Spotify pledged to “give all users full information on how their personal data is processed”. Only a few “minor aspects” identified by the agency need improvement, the group said.
The GDPR has been in force in the European Union for five years and has gradually been incorporated into the legislation of each country. The text, in force by the national authorities of the Member States since May 2018, provides for penalties of up to 20 million euros, or 4% of a company’s global turnover.
Also read: Article reserved for our subscribers Max Schrems: “The GDPR has an impact because it is and will remain the global standard”