Spotify fined by the Swedish Authority for Privacy Protection

by Hanna Wennås and Thomas Nygren




In 2019, the Swedish Authority for Privacy Protection (IMY) launched an investigation into Spotify to determine whether the company's handling of data subjects' requests for access is in accordance with the General Data Protection Regulation (GDPR). The investigation included, inter alia, an audit of the company's general procedures for handling access requests. The investigation resulted in an administrative fine of SEK 58 million. This article focuses on this part of the decision. However, IMY also issued a reprimand against Spotify for deficiencies in its handling of access requests related to complaints.

Spotify's general procedures for handling access requests

In the decision, IMY states that the purpose of the right of access is for the data subject to be aware of the processing and to check that the processing is lawful. The information provided by Spotify is "generally stated". Generally stated information is information which may be suitable for standardized services that include personal data processing, IMY states. However, the supervisory authority points out that in order for the data subjects to understand how their data is processed, it must be clear which information is applicable in which situations, based on the information provided. It must be clear whether the data subject is affected by the information based on their own situation.

Information about the processing

First, IMY examines whether the information provided about the categories of personal data, the purposes, the recipients and the source is clear. The information provided has been divided based on categories of personal data. In the decision, IMY states that the categories of personal data, in several cases, have lacked a detailed description of which personal data may be included. Data subjects have been unable to understand what personal data may be included in the different categories. Thus, it has not been possible for the data subject to understand how his or her personal data is processed. The requirements of art. 15.1(a)-(c), (g) and 12.1 of the GDPR are therefore not met according to IMY.

IMY also reviews the information provided on retention periods. The information on how long the data is retained has been generally stated; however, it has, in most cases, not been clearly related to any category of personal data, IMY states. Therefore, it has been difficult to determine which of the data subject's personal data has been retained and for how long. In addition, the criteria for determining the retention period have been very imprecise according to IMY. Thus, the information provided about the retention periods does not meet the requirements of art. 15.1(d) and 12.1 of the GDPR.

IMY further assesses the information on third country transfers. This information has also been found to be generally stated, and not related to the individual situations of the data subjects. It has not been clear whether the data subject's personal data were transferred to third countries, nor to which countries, or what appropriate safeguards were taken according to IMY. IMY therefore states that the requirements of art. 15.2 and 12.1 of the GDPR are not met.

The right to access of personal data and a copy of personal data undergoing processing

Spotify has divided the customers' personal data undergoing processing into different layers: Type 1, 2 and 3, which may be requested in different ways. Type 1 contains profile information and the personal data that Spotify has deemed to be of greatest interest to the data subject. Type 2 consists of technical log files, and Type 3 consists of information specifically requested by a data subject. In the decision, IMY accepts the division of the personal data. According to IMY, the information provided is sufficiently clear in order for the data subject to understand how the copy is divided, what data is in the different layers, and how the layers should be requested. Furthermore, it is possible to request all information at the same time and all measures can easily be taken via Spotify's website.

Regarding the data contained in the technical log files, a more detailed description of the data is required, according to IMY. Spotify provides the description of the data in the technical log files in English. However, IMY believes that the data subjects should be able to obtain information in a language that they are proficient in, at least when the controller directs its activities to countries where it constitutes an official language. According to IMY, it follows from the purpose of the right of access, i.e., that the data subject should become aware of the processing and be able to check that the processing is lawful, as well as the requirement of transparency in art. 12.1 of the GDPR. In the decision, it is stated that Spotify has reported significant difficulties in translating the description of the information contained in the technical log files into local languages. This is due to constant changes in the data and the fact that many technical concepts are difficult to translate from English. However, Spotify provides almost all other information to data subjects in accordance with art. 15 of the GDPR in the local language. Further, Spotify has stated that at the request of a data subject it can translate the description into a local language, as far as it is possible to translate the technical terms. IMY concludes that a translation is therefore possible in practice. Thus, IMY considers that a translation should be provided to the data subject before a request for translation has been made - at least to the extent necessary for understanding the data contained in the technical log files. IMY therefore states that Spotify has processed the data in violation of art. 12.1 of the GDPR.

The administrative fine

In its decision IMY states that there have been no minor infringements, and an administrative fine should therefore be issued. The basis for calculating the administrative fine is the annual turnover reported by Spotify Technology S.A in 2022, which was SEK 132 billion. The maximum amount of the fine that can be determined based on that number is SEK 5.28 billion, which is four percent of the annual turnover.

In assessing the seriousness of the infringements, IMY takes into account several aspects, including the following. IMY notes that the infringements have been able to affect a large number of data subjects, they have been going on for a long period of time, and the lack of information has meant that data subjects have been unable to exercise their rights. The data subject's right of access risks being lost, due to the difficulties in understanding which parts of their personal data have been processed and how. Thus, the data subjects have not been able to check whether the processing has been lawful. Furthermore, Spotify's processing of personal data has included a large amount of information about each data subject which also affects many data subjects in several countries.

At the same time, IMY notes that the processing does not include special categories of personal data. In addition, processing takes place within the framework of a customer relationship in the provision of a music streaming service, which normally does not have such a major impact on the data subjects. IMY further acknowledges that Spotify has had challenges in providing comprehensive information about complex personal data processing. The supervisory authority also considers the fact that the company had, on its own initiative, taken several measures and put extensive work into developing and improving processes for access requests before the supervision matter was initiated by IMY. Further, there has been a lack of guidance on how the information should be provided, and at what level of detail. In summary, IMY concludes that the infringements are of low severity and that the administrative fine should be set relatively low in relation to the current maximum amount. At this stage, IMY recognises that the high turnover on which the fine is calculated should also be taken into account.

When determining the amount of the administrative fine, IMY considers mitigating circumstances. It has been possible for the data subjects to contact Spotify's customer service through several different channels to obtain further individualized information, and the company has made updates in the information to data subjects so they can understand the specific personal data processing that is applicable to their unique use. IMY also recognises that the data subjects have been given the opportunity to have their Spotify description explained or translated into their local language.

Considering the above, IMY sets the administrative fine at SEK 58 million, approximately 1 percent of the maximum possible amount of the fine. The supervisory authority writes that the amount is effective, proportionate and dissuasive, and is in accordance with the GDPR.
