Spotify does not clearly inform its users about how it handles their personal data, said the Swedish data protection authority as it slapped a $5.3 million administrative fine (or 58 million Swedish kronor) on the streaming service on Wednesday.
This violates the right of access under the European Union’s privacy law, the General Data Protection Regulation, which empowers individuals to find out what personal data businesses handle and how they use it.
However, a press release acknowledged that “Spotify has taken several measures with the aim of meeting the requirements for individuals’ right to access, and the deficiencies that have been discovered are considered overall to be of a low level of seriousness.” Spotify may appeal the decision.
What did Spotify do wrong? The information provided by Spotify to users on how their information is handled should be more specific, said Karin Ekström, one of the leads in the long-drawn investigation into the company. “It must be easy for the person requesting access to their data to understand how the company uses this data,” Ekström added. “In addition, personal data that is difficult to understand, such as those of a technical nature, may need to be explained not only in English but in the individual’s own, native language.”
Without this information, it is difficult for customers to check if Spotify’s data processing is lawful or not.
And where did it get things right? The Swedish authority’s investigation also examined how Spotify divides customers’ personal data into different layers—such as information deemed to be of greater interest to an individual, like their listening history, payment details, and more. Technical information like the log files linked to a customer form another layer and can also be requested by customers.
“There is no obstacle to dividing the copy of personal data into different layers as long as the right to access is satisfied,” Ekström explained. “In some situations, on the contrary, it can make it easier for the data subject to take in the information if it is presented in different parts, at least when it is a question of an extensive amount of information. It is important that the individual understands what information is in the various layers and how it can be requested. Here we believe that Spotify has done enough.”
How did this investigation start? The investigation was initially sparked by a 2019 complaint filed by privacy rights non-profit ‘noyb’ led by Max Schrems—which alleged that Spotify hadn’t provided adequate details in response to a request for personal data. The company didn’t provide information on the purpose of processing, and on international data transfers, among other concerns. Originally filed in Austria, the petition was later transferred to Sweden, Spotify’s main EU hub.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.