Spotify said it planned to appeal the decision.
The Swedish Authority for Privacy Protection (IMY) said it had reviewed “how Spotify handles customers’ right of access to their personal data.”
“As a result of the shortcomings identified, IMY is imposing a fine of 58 million kronor on the company,” the authority said.
The regulator noted that under the rules of the European data protection act GDPR, users have a right to know what data a company has about an individual and how that data is being used.
IMY said that while Spotify did hand out the data it had when requested by an individual, it said the company had not been sufficiently specific as to how that data was being used.
“Since the information provided by Spotify has been unclear, it has been difficult for individuals to understand how their personal data is processed and to check whether the processing of their personal data is lawful,” IMY said.
It added that the “shortcomings discovered are considered, overall, to be of low severity,” motivating the size of the fine by Spotify’s user count and revenue.
The streaming giant, which is listed on the New York stock exchange, announced in April it had passed 500 million monthly active users with 210 million paying subscribers.
Spotify rejected the IMY findings, saying in a statement emailed to AFP that it “offers all users comprehensive information about how personal data is processed”.
IMY “found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal,” Spotify said.
Privacy activist group Noyb said in a separate statement that the fine followed a complaint and subsequent litigation from the group, and while they welcomed the decision they lamented the tardiness of the authorities.
“The case took more than four years and we had to litigate the IMY to get a decision. The Swedish authority definitely has to speed up its procedures,” Stefano Rossetti, a privacy lawyer at Noyb, was quoted saying in the statement.
AFP