Engadget

Spotify has been fined $5.4 million for violating GDPR data rules

A Swedish regulator says the company wasn't transparent enough about its handling of user data.

A Swedish regulator has fined Spotify SEK 58 million ($5.4 million) after determining that the company had violated the European Union's General Data Protection Regulation (GDPR). The issue concerns how Spotify handles users' personal data and its customers' access to the information.

Advocacy group Noyb, which is led by privacy campaigner Max Schrems, filed a complaint against Spotify and other major tech companies in early 2019. In the complaint, Noyb asserted that, among other issues, Spotify didn't provide all personal data to users upon request and that it didn't disclose the reasons for processing such information.

The Swedish Authority for Privacy Protection (IMY) found that while Spotify gives users personal data that it processes upon request, it "does not inform clearly enough about how this data is used by the company." It said that Spotify should be more transparent "about how and for what purposes individuals' personal data is handled." The lack of clarity meant that "it has been difficult for individuals to understand how their personal data is processed and to check whether the handling of their personal data is lawful," the IMY added.

The regulator said it considered the issues to be of "a low level of seriousness" and noted that Spotify has taken steps to resolve them. The IMY determined the fine based on those factors along with Spotify's revenue and number of users. It noted that it made the decision with the help of other EU data protection authorities, given that Spotify has users in many countries.

"Spotify offers all users comprehensive information about how personal data is processed," the company, which is based in Sweden, told TechCrunch in a statement. It said the regulator "found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal."