The Swedish Authority for Privacy Protection (“SAPP”) has issued a €5 million fine to Spotify for its failure to uphold Article 15 of the General Data Protection Regulation (“GDPR”) in its handling of data subject access requests.
Context of the Fine
The initial complaint was filed in 2019 by the not-for-profit privacy rights group noyb, which had identified that Spotify did not provide users with a mechanism to exercise their right under Article 15 GDPR to access the personal data Spotify held on them. The complaint was initially filed in Austria, but under the GDPR’s one-stop-shop mechanism it was actually heard by SAPP, because Spotify’s main EU establishment is in Sweden. The decision comes almost 4 years after the complaint was first made, with noyb having taken SAPP to court over its delays and failure to reach a decision. Whilst that case is still being litigated, it could become a seminal case in which a national data protection authority is found liable for delays in reaching its decision.
What does this mean for organisations?
Whilst this case highlights that organisations will be held accountable for breaches of the GDPR, it also demonstrates the difficulty individuals can experience in enforcing their rights under it. The fact that the complaint took over 4 years to reach a decision, and passed through several data protection authorities in the process, illustrates the piecemeal approach to enforcement that remains in place across the EU. Whilst the ICO itself has issued a number of fines for breaches of data protection law, including those against Clearview AI, TikTok and Interserve, the approach within the EU varies significantly depending on the supervisory authority involved. The Irish Data Protection Commission has been extremely active in issuing substantial fines for breaches of the GDPR, including a €1.2 billion fine and a €405 million fine against Meta. However, other supervisory authorities have been much less active, as evidenced by SAPP’s 4-year delay in investigating the breach by Spotify.
Spotify have stated that “Spotify offers all users comprehensive information about how personal data is processed. During their investigation, the Swedish DPA found only minor areas of our process they believe need improvement. However, we don’t agree with the decision and plan to file an appeal”.
Ultimately, organisations should remain alive to their obligations under data protection law and have appropriate processes and procedures in place to comply with them, especially when dealing with data subjects exercising their rights.
If you have any questions or would otherwise like to discuss any issue raised in this article, please contact our Data Protection team.