Spotify Fined $5.4 Million For Violating Gdpr Rules

Spotify, the popular music streaming platform, on Tuesday, was issued an administrative fine of SEK 58 million (approx $5.4 million) in Sweden for breaching the data access rights of its users in the European Union.

The IMY emphasized that Spotify should be more transparent “about how and for what purposes individuals’ personal data is handled.” The lack of clarity made it challenging for the users to understand how their personal data was processed and to assess whether the handling of their personal data was lawful.

The regulator also said that the identified shortcomings were considered to be of “a low level of seriousness,” with the fine imposed taking into account Spotify’s revenue and number of users.

Since Spotify has users in many countries, the above decision has been made in cooperation with other data protection authorities in the EU.

The ruling against Spotify comes more than four years after a complaint was lodged against the music streaming platform by the non-profit privacy and digital rights organization noyb at the start of 2019.

The original complaint was filed in Austria, but the case was sent to IMY as Spotify was based in Sweden. Also, a complaint related to the same issue, filed in the Netherlands, was combined into the Swedish case. However, the cases languished with IMY for four years.

“We are glad to see that the Swedish authority finally took action. It is a basic right of every user to get full information on the data that is processed about them. However, the case took more than 4 years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures,” Stefano Rossetti, a privacy lawyer at noyb, said in a statement.

“Spotify offers all users comprehensive information about how personal data is processed. During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal,” the company said in a statement.

When asked whether Spotify is making changes to its response protocol to user data access requests taking into consideration the IMY sanctions, a Spotify spokesperson told that the company has nothing to confirm at the moment. However, they did mention that the company is continuously reviewing and improving the process to enhance transparency.