The Swedish data protection supervisory authority Integritetsskyddsmyndigheten (IMY) imposed a fine of 58 million Swedish kronor (the equivalent of about EUR 5.03 million) on the popular music streaming service Spotify AB on 12 June 2023. The reason for the fine was in particular a violation of Art. 15 General Data Protection Regulation (GDPR) and of users' right to full information.
Background of the GDPR fine
Originally, the Austrian data protection association none of your business (noyb), led by lawyer Max Schrems, filed a complaint against Spotify. The complaint included, among other things, the allegation that Spotify did not fully inform users about the data processing carried out in response to requests pursuant to Art. 15 GDPR. The right of access under Art. 15 GDPR guarantees users not only the right to concrete information about the origin of personal data, their recipients and details of international data transfers, but also the right to receive a copy of their data.
In the case of Spotify, this information was not sufficiently provided. The information was only provided selectively without informing data subjects how to access the full dataset.
The Swedish regulator initially did not respond to noyb's complaint, which led to noyb filing a lawsuit against the authority in mid-2022, accusing it of inaction. In November 2022, the competent court ruled that the IMY had a legal obligation to investigate the complaints, which confirmed noyb's legal opinion.
The IMY assessed the violations of the popular music streaming service as “not very serious” and stated that the company had already taken measures to remedy the problems. The amount of the fine imposed was determined taking into account these circumstances, Spotify’s turnover and the number of customers. It is important to note that the decision was taken in close cooperation with other data protection authorities in the European Economic Area, as Spotify has users in many EU countries.
In addition to the fine, it was demanded that Spotify provide transparent information in the future about how users’ personal data is processed and for what purposes.
Data protection assessment of the fine
The right of access pursuant to Art. 15 GDPR grants data subjects the right to obtain information on whether and how exactly their personal data are processed. Specifically, the controller must inform the data subjects in a clear and comprehensible manner about the following aspects of the processing activity:
Purposes of processing (Art. 15 (1) (a) GDPR)
First of all, data controllers must provide the data subjects with information about the purposes of processing. This information enables verification of the basic principle of purpose limitation according to Art. 5 (1) (b) GDPR. If there is a change of purpose, the legal basis must be checked and the data subjects must be informed again accordingly. It is important that the purposes are clear, specific and legitimate.
Categories of personal data (Art. 15 (1) (b) GDPR)
The controller must specify the categories of personal data that are processed. This includes information such as name, address, e-mail address, payment information, etc. This gives the data subject an idea of what kind of information about them is stored and processed.
Recipients or categories of recipients (Art. 15 (1) (c) GDPR)
Pursuant to Art. 15 (1) (c) GDPR, the controller shall provide the data subject with information on recipients or categories of recipients to whom the data have been or will be disclosed. Recipients can be, for example, third parties such as service providers, partner companies or government agencies. Data subjects should be told exactly who has access to their data.
It is important to note here that the controller no longer has an absolute right to choose between naming the recipients and naming only categories of recipients. The Court of Justice of the European Union (CJEU) has further tightened the right of access under Art. 15 GDPR, so that data controllers must generally provide precise information on data recipients. The Court allowed only a few exceptions in which the mere naming of categories of recipients is sufficient.
For more information, see the judgment discussion on the right to information.
Storage period (Art. 15 (1) (d) GDPR)
The controller must indicate how long the personal data will be kept or, if this is not possible at the time of collection, the criteria used to determine this period. This will allow data subjects to understand the length of time their data will be kept and whether it may already be deleted.
This requires a deletion concept on the part of the controller. The information must also be complete and precise enough for the data subject to be able to determine the storage period at least approximately on the basis of the criteria given. The general information that the data will only be stored for as long as necessary for the legitimate purposes is not sufficient for this.
In these cases, the Article 29 Working Party recommends specifying different retention periods – and, if necessary, archiving periods – for different categories of personal data and/or different processing purposes.
If the specified storage period has expired, the controller is generally obliged to delete the data pursuant to Art. 17 (1) (a) GDPR, unless the requirements for further processing based on another purpose (e.g. statutory retention obligations) are met.
Data subject rights (Art. 15 (1) (e) GDPR)
It is important that the controller informs data subjects about the rights they have under Chapter III of the GDPR. These include the rights of access, to be informed, to rectification, to erasure, to restriction of processing, to data portability and to object. Data subjects should know how to exercise these rights and whom to contact.
Right to complain to the supervisory authority (Art. 15 (1) (f) GDPR)
The controller must also inform data subjects about their right to lodge a complaint with the supervisory authority. In doing so, the controller should provide the contact details of the competent authority or refer to the possibilities and procedures for filing a complaint in another appropriate way (e.g. link the contact form).
This enables data subjects to call in the supervisory authority if necessary and to arrange for an independent review of the incident or the data processing.
Automated decision-making including profiling (Art. 15 (1) (h) GDPR)
If automated decision-making and profiling are used in the context of data processing, the controller must explicitly communicate this. The controller must provide the information in an understandable form and allow data subjects to gain insight into the logic of automated decision-making or profiling.
In addition, data subjects have the right to receive an explanation of the decision taken and, if necessary, to request a human review if they do not agree with the automated decision.
It is essential that the controller provides the above information in easily accessible, clear, concise and understandable language. Full disclosure of this information ensures that data subjects have a transparent picture of how their personal data is processed, giving them at least a basic understanding of the processing activity. If companies and organisations only superficially comply with the requirements of Art. 15 GDPR by providing minimal access to information or incomplete disclosures, the right of access is undermined, as in the case of Spotify.
The decision of the Swedish supervisory authority underlines the importance of holistic and complete compliance with the GDPR requirements and the fact that it is not sufficient to only minimally comply with the data protection requirements.
The fine against Spotify serves as a warning to other companies that breaches of the GDPR are increasingly being discovered and can also have serious consequences.
The non-profit organisation noyb is playing an increasingly important role in enforcing the fundamental rights of EU citizens. The organisation has now established itself as a powerful voice in the field of data protection and contributes significantly to stronger monitoring and enforcement of data protection rules. In addition, the right of associations to bring proceedings gives consumer advocates considerable leverage. According to the CJEU, this does not even require an actual violation of the law in an individual case.
A superficial approach to the requirements of the GDPR should therefore be avoided.