Woman holding phone with Spotify on the screen showing GDPR violation and GDPR fine for data access request

€5 Million GDPR Violation Fine Issued to Spotify, Four Years After Data Access Request Complaint Filed

Whoever coined the phrase “the wheels of justice turn slowly” might have looked into the future and seen the typical General Data Protection Regulation (GDPR) process. A complaint about the company’s data access request process is set to cost Spotify the equivalent of $5.4 million, though it took four years of wrangling to determine that a GDPR violation took place.

This time, the usual suspect (Ireland’s DPC) is not involved. A complaint filed by privacy crusader Max Schrems and his organization noyb was taken in Austria originally but ultimately handed off to Sweden, where noyb had to take the data protection authority to court to move the case forward.

Stalled Spotify GDPR violation required litigation by complainant to resolve

The GDPR violation involves a mandatory response to a data access request filed by noyb close to the start of 2019, as part of a program of similar complaints meant to test major social media platforms. Spotify failed to provide the full scope of mandatory data requested, details on the purpose of processing and any international transfer, and business partners that may be receiving personal information.

Since the complaint potentially impacts users in nations throughout the EU, it was originally filed in Austria under the “one stop shop” mechanism that was meant to help prevent major delays of this sort. However, it was handed over to Sweden due to the location of Spotify’s central EU offices.

Decisions are supposed to be rendered within six months under Swedish law, and complainants have the right to request that a decision be made within four weeks once this timeframe elapses. The Swedish DPA opted for a loophole in this process, however, opening a parallel ex officio investigation into Spotify during which the data access request could legally be frozen indefinitely (and to which the complainant is not a party).

This prompted a legal challenge to the Swedish government by noyb, resolved in 2022 with a court decision that those bringing a GDPR violation complaint must remain a party to any such parallel lawsuits and that their right to a decision within six months is retained. That decision is being reviewed by a higher court, but in the meantime the DPA was ordered to take up the data access request complaint again.

The Swedish DPA said that the case was “complex and comprehensive,” but confirmed that at least some of noyb’s contentions about the data access request were valid and that the information Spotify provided was not sufficiently clear. A spokesperson for Spotify called the GDPR violation findings “minor” and indicated that the company will file an appeal.

Set of 2019 data access request tests continue to be held up by data authorities

Data access requests of this nature require companies operating in the EU to provide a copy of the user’s stored data, information on any recipients or movements of it internationally, and certain information about the source of the data. If the organization cannot directly provide this data, it needs to give users instructions as to how it can be accessed.

noyb went on a campaign of testing major platforms on this point in 2019, particularly those that have set up an automated process to handle data access requests. In addition to Spotify, seven big names were included: Amazon, AppleMusic, DAZN, Flimmit, Netflix, SoundCloud and YouTube. Of these the organization has reported “movement” on only three other alleged GDPR violations. The Dutch DPA has issued a draft decision that would have Netflix adjust its practices, Flimmit has already changed its data access request process in response to the complaint, and DAZN is in the midst of a court case in Austria. The others have resulted in no response as of yet.

Though the Swedish regulator ultimately came down on the side of noyb and assessed a GDPR violation, it also characterized the data access request mishandling as being of “low” seriousness. While Ireland’s DPA can be expected to take extreme amounts of time with investigations at this point, this incident demonstrates that other regulators are willing to kick the can down the road when it comes to certain issues; of the companies on noyb’s list, only Apple and Google are subject to having the Irish DPA as the lead investigator for potential GDPR violations.

Part of the attitude toward these sorts of procedural data access request complaints may be tied to the ongoing debate amongst EU authorities about whether “strict liability” should be applied to GDPR violations.  The European Advocate General recently took a formal position against this, requiring that there be either a demonstration of intent or failure of management or executive ranks to perform their required duties. The interpretation is awaiting clarification by the European Court of Justice, but in the meantime provides individual states with a good deal of leeway in setting their own standards of proof.