Music streaming giant Spotify was fined 58 million kronor ($5.4 million) on Tuesday for failing to adequately inform users about the usage of their collected data, according to Swedish authorities. Spotify has announced its intention to appeal the decision.
The Swedish Authority for Privacy Protection (IMY) conducted a review of “how Spotify handles customers’ right of access to their personal data.” Based on the identified shortcomings, the authority imposed a fine of 58 million kronor on the company.
Under the European data protection act GDPR, users have the right to know what data a company possesses about them and how that data is being used. IMY stated that while Spotify did provide the requested data to individuals, the company did not sufficiently specify how that data was being used.
IMY explained that the lack of clarity in the information provided by Spotify made it difficult for users to understand the processing of their personal data and verify its lawfulness.
The authority emphasized that the identified deficiencies were considered to be of low severity overall. The size of the fine was determined based on Spotify’s user count and revenue. Spotify, listed on the New York Stock Exchange, announced in April that it had surpassed 500 million monthly active users, including 210 million paying subscribers.
Spotify disagreed with the IMY findings and stated that it offers comprehensive information on how personal data is processed to all users. The company plans to file an appeal against the decision.
Noyb, a privacy activist group, issued a separate statement expressing their approval of the fine but criticizing the authorities for the lengthy process. The group had filed a complaint and engaged in subsequent litigation to reach this decision. They urged the Swedish authority to expedite its procedures and quoted a privacy lawyer from Noyb who highlighted the extended duration of the case.