Hi everyone, I'm James Russell and today I'm joined by Megan Ward. We're two legal advisors at Fieldfisher, Silicon Valley. And today we're going to talk to you about the recent decision by the Swedish Data Protection Regulator issued Spotify a fine of 58 million Swedish crowns,

which is about $5.4 million US dollars for failures in its data subject rights process.

Today, we're going to have a look at what the regulator said,

take away some do's and don'ts,

and see some practical takeaways for businesses from the decision.

So, this complaint against Spotify was actually one of a series

that came out of the immediate aftermath of the coming into force of the GDPR,

and particularly some complaints by NOYB, which many of you will recognize none of your business,

which they had brought against music and video platforms, seeking to test the application of the GDPR,

and in particular, Spotify's handling of its DSARARS during the period between 2018 and 2020.

So with the decision issued four years after the complaints were made, it shows you just how long

these privacy complaints can go on for and how we're still seeing the fallout of some of that

early advocacy of NOYB.

Now the size of the fine, $5.4 million is somewhat irrelevant.

It's not a large fine for someone as big as Spotify.

But what is interesting is that Spotify was still found to have fallen short,

notwithstanding the amount of compliance effort they had put in.

Yeah.

And I think it's also worth emphasizing that whilst the decision has come from the Swedish

regulator,

there was actually an involved cooperation procedure. So it does give us quite a good insight into the standards expected on a pan-European basis.

Because maybe right to go back to the beginning of this story, it originally starts with two complaints made to the Austrian and Dutch regulators in relation to Spotify's handling of their data subject access requests. Those complaints were referred to Spotify's lead data

...