Spotify has been ordered to pay 58 million kronor (approx. €5 million) for breaches of the EU General Data Protection Regulation (GDPR), following a ruling by the Stockholm Court of Appeal.
Court confirms privacy violations
The decision confirms a 2023 ruling by Sweden’s Integrity Protection Authority (Integritetsskyddsmyndigheten, IMY), which found that Spotify had not provided users with sufficient information about how their personal data was handled. Spotify had contested the IMY’s decision, but the Court of Appeal upheld the agency’s findings, concluding that the platform did not make key data easily accessible to users.
According to the court, Spotify failed to meet the GDPR standard that requires companies to provide clear and transparent information enabling users to exercise their data protection rights. The judgment stresses that the deficiencies were significant enough to justify the financial penalty.
Implications for data transparency in the digital sector
The case underscores the growing scrutiny of data practices in the digital services industry, especially for platforms with large user bases in the EU. GDPR, which came into force in 2018, obliges companies to ensure that users can understand and control how their data is collected and used. Failure to comply can lead to substantial fines, with the Spotify case becoming one of the most notable GDPR-related rulings involving a Swedish-based company.
While Spotify has not yet publicly responded to the final judgment, the decision may set a precedent for similar cases involving data transparency and user rights in Europe.
Enforcement by Swedish data authority
The IMY has increased its enforcement actions in recent years, investigating companies across sectors for compliance with GDPR rules. In Spotify’s case, the authority originally opened its investigation in response to a complaint filed by the privacy rights group noyb (None of Your Business), led by Austrian activist Max Schrems.
The organisation argued that Spotify did not provide full access to personal data upon request, nor a detailed explanation of how such data was processed. The IMY agreed, and its decision has now been validated by Sweden’s second-highest court.
This case contributes to a broader trend of European data authorities taking firmer stances on digital privacy and may influence how other companies operating in the EU handle data access and transparency obligations.
