Spotify fined for data breach

In Sweden, music streaming platform Spotify has received a fine of approximately $5.4 million for violating the data access rights of European Union (EU) users. TechCrunch reports that allegations were made against the company for failing to adequately disclose personal data it processes when responding to individual requests. This violation falls under Article 15 of the General Data Protection Regulation (GDPR).
The complaint was lodged at the beginning of 2019 by noyb, a non-profit organisation focused on privacy rights.

The complaint stated that Spotify did not fulfill all the requested personal data, neglected to provide information regarding the purpose of data processing and recipients, and failed to disclose details about international transfers, among other accusations.

Although the complaint was initially submitted in Austria, it was redirected to Sweden due to the GDPR's one-stop-shop mechanism, which aims to simplify the handling of cases involving data processing across national borders. Spotify's main EU presence is located in Sweden.

The complaint remained unresolved for several years, as noyb claims that the Swedish authority conducted a separate ex officio investigation without involving the complainants. This action goes against the GDPR's requirement for data controllers to respond to access requests within one month. Consequently, noyb took the Swedish data protection authority (IMY) to court due to the absence of a decision.

Last year, noyb successfully challenged IMY's stance that the complainant is not a party in procedures. The Stockholm administrative court ruled that complainants have the right to request a decision six months after filing the complaint, as mentioned in the report. In the meantime, Spotify has announced a corporate reorganization that includes laying off 200 employees, which accounts for 2% of its podcast division workforce.