Spotify faces €5M fine in Sweden for alleged GDPR violation

Spotify has been slapped on the wrist by Swedisch authorities for violating GPDR regulations. The long-awaited decision highlights the challenges faced by European users in protecting their data. Privacy rights organisation noyb made the accusation over four years ago, which claimed that Spotify failed to provide sufficient information in response to a subject access request.

The complaint alleged that Spotify did not disclose all the personal data requested, failed to provide details on processing purposes and recipients, and neglected to mention international transfers.

The complaint was initially filed in Austria but was redirected to Sweden due to the GDPR’s one-stop-shop mechanism. The case remained unresolved for years as the Swedish authority conducted a separate investigation, despite the GDPR’s requirement for timely responses.

noyb steps in

noyb took the Swedish data protection authority to court and obtained a ruling last year that complainants have the right to request a decision after six months.

Although the case is ongoing, the administrative court’s decision compelled the authority to process the complaint. The Swedish authority has ordered Spotify to provide the complete dataset, but noyb is reserving judgment until they review the decision.

Privacy lawyer Stefano Rossetti expressed satisfaction now that the move has taken place, emphasizing users’ right to access information about their processed data. However, he criticized the lengthy process and called for faster procedures.

We could see changes going forward

Spotify responded by stating that it provides all users with comprehensive information on data processing, although they plan to appeal the decision. The enforcement of the GDPR remains inconsistent across national authorities, resulting in variable outcomes.

The complaint against Spotify was part of a broader strategy by noyb to test compliance with data access rights among music and video platforms. While it is still under consideration if there has been significant improvement in the enforcement of data access rights, the progress in Spotify’s case may inspire reform.

However, half of the complaints filed by noyb are still awaiting responses from relevant DPAs. We can expect updates in Flimmit and Netflix cases, as procedural changes and draft decisions remain pending.

Also read: EC eyes Amazon, Apple and Spotify amid content law misconduct

Top story

The sovereign cloud offers no guarantees, how can it do so?

Using the public cloud inherently requires a degree of trust in the chosen provider. Critical industries and ...

Erik van Klinken February 19, 2025

Whitepapers

Stay tuned, subscribe!

Google brings Gemini to on-premises data centers with Distributed Cloud

Data breach at Dutch ministries caused by incorrect document uploading

MITRE’s CVE database to go dark as funding dries up

MuleSoft meets AI: Powering the Agentforce revolution

E-commerce solutions provider puts its own portfolio on display

Intel and Altera aim to bring AI to edge computing with new series of chips

AI-powered cameras shake up retail

Manhattan Associates provides supply chain software, is it more than a fancy name?

Try the latest high-end Synology backup system for free

Enhance your data protection strategy for 2025

Strengthen your cybersecurity with DNS best practices

Are you data and AI ready?

VeeamON 2025

GITEX ASIA

SAS Innovate 2025

.NEXT 2025

LambdaConf 2025

Qlik Connect 2025

Cloud Account Executive – Slack

AI & Data Architect