Spotify faces $5.4 mn penalty for violating GDPR rules

Swedish music streaming platform Spotify has incurred a fine of approximately $5.4 million in Sweden for violating the data access rights of European Union (EU) users.
TechCrunch reports that allegations were made against the company for failing to provide complete information regarding personal data processing in response to individual requests, thus breaching Article 15 of the General Data Protection Regulation (GDPR).

The complaint was initially filed in early 2019 by noyb, a non-profit organization dedicated to privacy rights. According to the complaint, Spotify failed to fulfill all requests for personal data, neglected to disclose the purposes and recipients of data processing, and did not provide information about international transfers, among other allegations.

Although the complaint was initially lodged in Austria, the GDPR’s one-stop-shop mechanism, designed to streamline cross-border case handling, resulted in the case being redirected to Sweden, where Spotify maintains its main EU presence.

However, noyb claims that the complaint remained unresolved for several years because the Swedish authority conducted a separate investigation without involving the complainants. This action contradicted the GDPR’s requirement for data controllers to respond to access requests within a month.

Due to the lack of a decision, noyb took the Swedish data protection authority (IMY) to court. Last year, noyb successfully challenged IMY’s position that complainants are not parties in the procedures. The Stockholm administrative court ruled that complainants have the right to request a decision within six months of filing the complaint.