On June 13, the world’s largest music streaming service, Spotify, was fined $5.4 million (about Rs. 40 crores) for failing to adequately warn consumers on how the company used the information acquired about them. Sweden fined the company for violating the data rules.
Spotify is planning to appeal against the decision taken by Swedish authorities. Sweden’s body for privacy concerns, the Swedish Authority for Privacy Protection (IMY), stated that it had examined “how Spotify handles customers’ right of access to their personal data”. The authority stated, “As a result of the shortcomings identified, IMY is imposing a fine of SEK 58 million (roughly Rs. 40 crore) on the company”.
The General Data Protection Regulation, GDPR, entered into force in 2018 and strengthened the rights of individuals. According to the regulator, the European data protection act gives consumers “the right of access, which means a right for individuals to find out what personal data a business handles about the person in question and to receive information about how this data is used”.
IMY assessed that “Spotify releases the personal data the company processes when individuals request it, but that the company does not inform clearly enough about how this data is used by the company”.
Karin Ekström, who is one of the legal advisors leading the supervision, noted that there are “certain shortcomings”, “The information that the company provides about how and for what purposes individuals’ personal data is handled should be more specific. It must be easy for the person requesting access to their data to understand how the company uses this data. In addition, personal data that is difficult to understand, such as those of a technical nature, may need to be explained not only in English but in the individual’s own, native language”.
As per the regulator, “Customers who have turned to Spotify to request access to their personal data have been able to choose which personal data they want access to because Spotify has divided the customers’ personal data into different layers. One layer contains the information that Spotify has deemed to be of greatest interest to the individual, for example, the customer’s contact and payment details, which artists the customer follows and listening history for a certain period of time. If the customer wants more detailed information, for example, all technical log files relating to the customer, it has also been possible to request these in another layer”.
IMY added, “There is no obstacle to dividing the copy of personal data into different layers as long as the right to access is satisfied. In some situations, on the contrary, it can make it easier for the data subject to take in the information if it is presented in different parts, at least when it is a question of an extensive amount of information. It is important that the individual understands what information is in the various layers and how it can be requested”. Karin Ekström stated Spotify has done enough to make customers understand about the categorization of data done by them.
The regulator said the purpose of the right of access is to allow individuals to check that processing their personal data is lawful. IMY further said, “That the individual receives sufficient information is often a prerequisite for exercising other rights, for example, the right to have incorrect information corrected or removed”.
The regulator stated that “The information provided by Spotify has been unclear; it has been difficult for individuals to understand how their personal data is processed and to check whether the handling of their personal data is lawful”.
Though Spotify has taken several measures intending to meet the requirements for individuals’ right to access, the deficiencies discovered are considered overall to be of a low level of seriousness. The decision to issue the fine by IMY to Spotify has been made in cooperation with other data protection authorities in the European Union, as the company has a large number of users.
Leave a Comment