Spotify has been slapped on the wrist by Swedisch authorities for violating GPDR regulations. The long-awaited decision highlights the challenges faced by European users in protecting their data. Privacy rights organisation noyb made the accusation over four years ago, which claimed that Spotify failed to provide sufficient information in response to a subject access request.
The complaint alleged that Spotify did not disclose all the personal data requested, failed to provide details on processing purposes and recipients, and neglected to mention international transfers.
The complaint was initially filed in Austria but was redirected to Sweden due to the GDPR’s one-stop-shop mechanism. The case remained unresolved for years as the Swedish authority conducted a separate investigation, despite the GDPR’s requirement for timely responses.
noyb steps in
noyb took the Swedish data protection authority to court and obtained a ruling last year that complainants have the right to request a decision after six months.
Although the case is ongoing, the administrative court’s decision compelled the authority to process the complaint. The Swedish authority has ordered Spotify to provide the complete dataset, but noyb is reserving judgment until they review the decision.
Privacy lawyer Stefano Rossetti expressed satisfaction now that the move has taken place, emphasizing users’ right to access information about their processed data. However, he criticized the lengthy process and called for faster procedures.
We could see changes going forward
Spotify responded by stating that it provides all users with comprehensive information on data processing, although they plan to appeal the decision. The enforcement of the GDPR remains inconsistent across national authorities, resulting in variable outcomes.
The complaint against Spotify was part of a broader strategy by noyb to test compliance with data access rights among music and video platforms. While it is still under consideration if there has been significant improvement in the enforcement of data access rights, the progress in Spotify’s case may inspire reform.
However, half of the complaints filed by noyb are still awaiting responses from relevant DPAs. We can expect updates in Flimmit and Netflix cases, as procedural changes and draft decisions remain pending.