Stockholm court upholds Spotify's €5.4 million fine for data transparency failures
Swedish appeals court confirms music streamer violated GDPR transparency requirements in 58 million kronor penalty.

The Stockholm Court of Appeal confirmed on June 3, 2025, that Spotify AB must pay a sanction fee of 58 million Swedish kronor (approximately €5.4 million) for violations of the European Union's General Data Protection Regulation. The decision represents the culmination of a legal process that began with privacy complaints filed in 2019.
According to the Stockholm Administrative Court (Kammarrätten i Stockholm), Spotify breached GDPR requirements by failing to provide clear and easily accessible information necessary for registered users to exercise their rights under the regulation. The court found the streaming giant did not adequately inform users about data storage periods, criteria for determining those periods, or appropriate safeguards when transferring personal data to third countries or international organizations.
The case originated from complaints submitted to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) in 2019, following an audit of Spotify's data handling practices. Privacy advocacy organization noyb (None of Your Business) filed the initial complaint in Austria in January 2019, which was subsequently transferred to Sweden under the GDPR's one-stop-shop mechanism due to Spotify's European Union headquarters location in Stockholm.
Judge Peder Liljeqvist of the Stockholm Administrative Court stated that Spotify AB "failed in the handling of registered users' rights according to the EU's data protection regulation and must therefore pay a sanction fee." The court's assessment found that while the violations were considered to be of a "low level of seriousness," the significant number of Spotify's registered users and the company's substantial turnover justified the monetary penalty.
The Swedish Authority for Privacy Protection's investigation revealed specific deficiencies in Spotify's implementation of Article 15 of the GDPR, which governs data subjects' right of access. The authority determined that although Spotify provided personal data when users requested it, the company failed to deliver sufficient information, in a form users could easily understand, about how this data was used.
The regulatory body found that Spotify's responses to data access requests lacked clarity regarding data processing purposes, storage durations, and transfer safeguards. These transparency requirements form a cornerstone of the GDPR framework, which entered into force in 2018 to strengthen individual privacy rights across the European Union.
According to the European Data Protection Board, the GDPR mandates that data controllers must provide comprehensive information to individuals about personal data processing activities. This includes details about processing purposes, legal bases, retention periods, and any international data transfers. Companies must present this information in concise, transparent, intelligible, and easily accessible language.
The investigation timeline reveals the extended nature of GDPR enforcement procedures. The initial complaint was filed in January 2019, yet the Swedish Authority for Privacy Protection did not issue its decision until June 2023. This four-year gap highlights persistent challenges in cross-border GDPR enforcement, particularly when cases involve multiple jurisdictions and complex technical assessments.
Privacy lawyer Stefano Rossetti from noyb commented on the case, noting that "it is a basic right of every user to get full information on the data that is processed about them." However, Rossetti also criticized the extended timeline, stating that "the case took more than 4 years and we had to litigate the [Swedish Authority] to get a decision."
The Spotify case demonstrates broader patterns in GDPR enforcement across European data protection authorities. According to European Data Protection Board statistics released in December 2023, only 1.3 percent of GDPR cases resulted in monetary penalties between 2018 and 2023, despite authorities handling thousands of complaints and investigations.
The 58 million kronor fine against Spotify falls within the middle range of GDPR penalties imposed by Swedish authorities. While substantially lower than the maximum penalties of up to 4 percent of global annual turnover or €20 million, the amount reflects considerations of the company's revenue scale and user base size.
Spotify's global subscriber count exceeded 500 million as of 2024, with substantial operations across European markets. The company's European headquarters in Stockholm processes personal data for millions of users across the European Union, making compliance with GDPR transparency requirements particularly significant for the streaming platform's operations.
The court's decision also addressed Spotify's handling of specific data access requests. According to the ruling, the company failed to adequately respond to requests from two of the three complainants examined in the case. The Authority for Privacy Protection issued both a reprimand and an order requiring Spotify to comply with outstanding access requests.
Technical aspects of the violations centered on insufficient documentation of data processing activities and inadequate explanations of automated decision-making processes. The GDPR requires companies to provide meaningful information about algorithmic processing, including the logic involved and the significance of such processing for individuals.
Data protection experts view the Spotify decision as part of a broader enforcement trend focusing on transparency obligations. Similar cases across European jurisdictions have emphasized companies' responsibilities to provide clear, comprehensive information about data processing practices rather than merely confirming that data exists.
The case's resolution comes amid heightened regulatory scrutiny of technology companies' data practices. European data protection authorities have imposed billions of euros in fines since GDPR implementation, with particular focus on transparency violations, unlawful data transfers, and insufficient legal bases for processing.
Spotify retains the option to appeal the Stockholm Administrative Court decision to Sweden's Supreme Administrative Court. However, that court typically accepts only cases deemed to have precedential significance for legal interpretation. The company has not announced whether it intends to pursue further appeals.
For marketing professionals, this decision underscores critical compliance requirements in data-driven advertising and customer analytics. Companies collecting consumer data for marketing purposes must ensure comprehensive transparency about data usage, retention periods, and sharing practices. The Spotify case demonstrates that inadequate transparency documentation can result in substantial financial penalties even when data processing activities themselves may be lawful.
The ruling reinforces the importance of implementing robust data subject request procedures that provide meaningful information beyond basic data downloads. Marketing organizations must prepare detailed explanations of algorithmic processing, data combination practices, and international transfer arrangements to meet GDPR transparency standards.
Timeline
January 2019: noyb files initial GDPR complaint against Spotify in Austria regarding data access rights
2019: Complaint transferred to Swedish Authority for Privacy Protection under one-stop-shop mechanism
2020-2023: Extended investigation period with parallel regulatory proceedings
June 2023: Swedish Authority for Privacy Protection issues initial decision with 58 million kronor fine
2023-2025: Spotify appeals decision to Stockholm Administrative Court
June 3, 2025: Stockholm Court of Appeal upholds fine, confirming GDPR violations