
KR - 4512-24: Difference between revisions

From GDPRhub

Revision as of 12:50, 11 June 2025

KR - 4512-24
Court: KR (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(1) GDPR
Article 15(1)(a) GDPR
Article 15(1)(b) GDPR
Article 15(1)(d) GDPR
Article 15(1)(g) GDPR
Article 15(1)(c) GDPR
Article 15(2) GDPR
Decided: 03.06.2025
Published:
Parties: IMY
Spotify AB
National Case Number/Name: 4512-24
European Case Law Identifier:
Appeal from: IMY
DI-2019-6696
Appeal to: Unknown
Original Language(s): Swedish
Original Source: KR (in Swedish)
Initial Contributor: cci

The Administrative court of appeal of Stockholm upheld a 58,000,000 SEK (approximately €5,000,000) fine against Spotify for systematically failing to adequately respond to access requests. An Administrative court had previously lowered the fine to 40,000,000 SEK.

English Summary

Facts

The DPA’s fine

Spotify (the data controller) provided customers (the data subjects) with an online function to download their data directly from the controller’s online platform. This download function was meant to provide data subjects with a response to their access requests.

In 2019 three complaints were filed in Austria, the Netherlands, and Denmark. The complainants used the controller’s download function and claimed that they did not receive clear and complete information. The data subject who filed a complaint in Austria was represented by noyb.

In response to the complaints, the DPA launched an ex officio investigation on Spotify’s handling of access requests from customers.

In 2023, after years of inactivity and an interlocutory ruling from the Stockholm administrative court[1], the DPA finally issued a decision as the lead supervisory authority. The decision was adopted according to the GDPR’s cooperation procedure and addressed both the complaints and the broader findings of the DPA’s investigation.

With regards to the controller’s general practices for handling access requests, the DPA found systematic violations of the right of access. Some of the information in the controller’s responses was incomplete, while other information was complete but unclear, as it was provided in the form of technical log files and without a sufficiently clear explanation[2].

On these grounds, the DPA held that the controller violated Articles 15(1)(a)-(d) and (g), 15(2), and 12(1) GDPR. The DPA issued a 58,000,000 SEK (approximately €5,000,000) fine.

With regards to the complaints, the DPA found several violations relating to the content, clarity, and timing of the responses to the Austrian and Dutch complainants. The DPA issued a warning and ordered the controller to properly respond to the access requests of the Austrian and Dutch complainants in a clearer and more accessible way. The DPA found no violations with regards to the Danish complaint.

The appeals

The controller later challenged the decision before the Stockholm administrative court. In its ruling, the Court upheld some of the DPA’s findings but lowered the fine to SEK 40,000,000 (approximately €3,484,720 at the time).

In turn, the DPA challenged the ruling before the Stockholm court of appeal, claiming the original €5,000,000 fine was appropriate.

The Court of appeal had to assess:

  • Whether the controller violated Articles 12(1) and 15 GDPR between November 2021 and May 2022, by failing to respond properly to access requests;
  • Whether the controller infringed on Articles 12 and 15 when dealing with the Austrian and Dutch access requests specifically.

Holding

The Court confirmed most of the DPA’s findings and set the amount of the fine at the original €5,000,000.

The ruling largely focused on the controller’s general practices for handling access requests. However, the Court also ordered the controller to respond adequately to the requests from the complainants within one month of the decision becoming final. Additionally, the Court upheld the DPA’s warning over the inadequate responses to the complainants.

On the interpretation of Article 15

The Court first clarified that the purpose of the right of access is to allow the data subject to ensure the accuracy of their data and the lawfulness of the processing. So, Article 15 can be violated even when the controller does provide the required information, if it provides that information in a form that makes it impossible for the data subject to assess accuracy and lawfulness. This rational interpretation of Article 15 is crucial to the ruling (as well as the DPA’s decision, which the ruling largely upheld).

On Articles 15(1)(a)-(c) and (g) GDPR

The DPA held that the controller violated Articles 15(1)(a)-(c) and (g) as well as 12(1) GDPR by providing information in unclear form. In particular, the controller provided the data subjects with log files (some of them inadvertently encrypted) with no description of their content except for a link to its privacy policy, which generically described the categories of personal data collected by the controller. In the DPA’s view, it was not relevant that the response was complete with regards to the information required under Articles 15(1)(a)-(c) and (g), because the information provided was not clear to the data subject.

The Administrative court reversed this finding and held that the controller violated Article 12(1) GDPR but not 15(1)(a)-(c) and (g). Specifically, the Administrative court held that by linking to its privacy policy, the controller provided data subjects with the additional information needed to identify the data contained in the log files.

The Court of appeal upheld the DPA’s original findings and reasoning. So, the Court confirmed that the controller violated not only Article 12(1) GDPR but also Articles 15(1)(a)-(c) and (g).

On Articles 15(1)(d) and 15(2)

The controller used vague and imprecise terms to describe its data retention periods and its safeguards for transfers of personal data to third countries. On this basis, the DPA and the Administrative court held that the controller violated Articles 15(1)(d) and (2) GDPR as well as Article 12(1).

The Court of appeal mostly upheld these findings. However, the Court also held that the DPA did not convincingly show that Article 12(1) was violated specifically[3] by the information provided to fulfill the requirements of Article 15(2).

On the language of Spotify’s explainers

The DPA and the Administrative court both held that the controller further violated Article 12(1) because the detailed description of the data in the technical log files was only available in English.

The Administrative court of appeal reversed this finding and held that providing only an English explainer did not violate the Article. In this regard, the Court observed that the controller informed data subjects that they could request a translation. Furthermore, the Court pointed out that higher level information was provided in the data subject’s own language.

Comment

The procedural background of the DPA’s decision was somewhat complex. The DPA’s investigation was formally ex officio despite having been prompted by three complaints. For this reason, the DPA held that the complainants were not parties in the proceedings and did not enjoy the corresponding procedural rights.

The status of the complainants later became a point of contention: when the Austrian complainant challenged the DPA’s inactivity, the DPA claimed that the complainant was not a party and, therefore, had no standing before the Administrative court.

In its 2022 ruling, the Stockholm administrative court held that the complainant enjoyed party status in the proceedings before the DPA. The Court also clarified that the cross-border nature of the complaint was not relevant to the determination of the complainants’ status as parties. On this basis, the Court ordered the DPA to issue a decision.

This ruling is not to be confused with the 2024 ruling from the same Court, which reviewed the DPA’s decision and lowered the fine to about €3,500,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

COURT OF APPEAL JUDGMENT Page 2
IN STOCKHOLM
Department 01 Case No. 4512-24

CLAIMS, ETC.

The Swedish Data Protection Authority (IMY) requests that the authority's decision of 12 June 2023 be confirmed. IMY disputes the approval of Spotify AB's (Spotify) claims.

Spotify requests, first and foremost, that IMY's decision of 12 June 2023 be quashed. Secondly, the company requests that the decision on a penalty fee be replaced by a decision on a reprimand and, thirdly, that the penalty fee be further reduced. Spotify disputes the approval of IMY's claim.

REASONS FOR THE COURT OF APPEAL'S DECISION

What the case concerns

The overall question in the case is whether Spotify should be imposed a penalty fee on the grounds that IMY has put forward. The Court of Appeal's review therefore covers the entire IMY decision.

More specifically, the question is whether the information that Spotify has provided to data subjects during the period 16 November 2021–16 May 2022 has met the requirements of Articles 12(1) and 15 of the General Data Protection Regulation (Regulation EU 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) and whether the provision of technical log files during the period 11 June 2019–16 May 2022 has met the requirements of Article 12(1) of the General Data Protection Regulation. It is also a question of whether Spotify, in the handling of two data subjects' requests for access to their personal data, has infringed Articles 12 and 15 of the Data Protection Regulation.

Premises

The right of access to personal data is regulated in Article 15 of the Data Protection Regulation. Article 12 of the Data Protection Regulation regulates the obligations of the data controller to ensure the rights of the data subject in accordance with Articles 15–22.

The provisions of Articles 15–22 of the Data Protection Regulation regulate the material content of the individual rights and the provisions of Article 12 regulate the formal external framework that the data controller is obliged to observe with regard to the handling of the rights.

The provisions of Article 12 aim to ensure that the data subject can exercise his or her rights in an easy and effective manner and that the rights actually achieve their purpose (see recital 59 of the preamble to the GDPR). In order to ensure this, the Court of Appeals considers that the provisions cannot be understood in any other way than that the controller is obliged to respond to the data subject's requests without undue delay and at the latest within a certain prescribed period and to take the necessary steps to fulfil the substantive content of the individual right or to provide a justification for the reasons why the request cannot be fulfilled. The right of access provided for in Article 15 of the GDPR must enable the data subject to ascertain that the personal data relating to him or her are accurate and that they are being processed lawfully. The interpretation of a Union provision must relate not only to the wording in accordance with its usual meaning in ordinary language, but also to the context and the objectives pursued by the provisions of which the provision forms part (judgment of the Court of Justice of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C-487/21, EU:C:2023:369, paragraphs 19 and 34).

The Court of Appeal makes the same assessment as the Administrative Court regarding the burden of proof and the standard of proof and the legal status of the guidelines adopted by the Article 29 Working Party and the European Data Protection Board (EDPB).

Information to data subjects pursuant to Article 15(1)(a)-(c) and 15(1)(g)

IMY submits that the authority does not share the Administrative Court's assessment that Spotify, by linking to the company's privacy policy, has given the data subject access to the information pursuant to Article 15 of the Data Protection Regulation in a manner that meets the requirements of the provision. The Administrative Court has incorrectly assessed that the information that Spotify provided regarding categories of personal data, purposes, recipients and source pursuant to Article 15(1)(a), (b), (c) and (g) only constituted a violation of Article 12(1) of the Data Protection Regulation and not also of the relevant parts of Article 15.

Spotify submits that neither IMY nor the Administrative Court has claimed that the company would have violated Article 12(1) of the Data Protection Regulation by not providing information in writing or in any other form. The presence of the link to the privacy policy and its detailed information on categories of personal data must be irrelevant to the question whether the information on the purposes, recipients and sources was concise, clear, conspicuous and easily accessible in accordance with Article 12(1) of the GDPR. A different system would mean that an infringement of Article 12(1) in relation to Article 15(1)(b) of the GDPR would automatically also entail an infringement of Article 12(1) in relation to Article 15(1)(a), (c) and (g).

The Court of Appeal, like the Administrative Court, finds that Spotify, by linking to the company's privacy policy with supplementary descriptions of the processed personal data categories in the Article 15 information provided to data subjects, has provided sufficient information to enable the data subject to understand which data is included in each category. Spotify has thus not violated Article 15(1)(b) of the Data Protection Regulation. Against this background, the Court of Appeal also agrees with the Administrative Court's assessment that the information provided by Spotify about the purposes of the processing, recipients or categories of recipients and the source from which the data was collected for the various personal data categories has been sufficient and that there has thus been no violation of Article 15(1)(a), (c) and (g) of the Data Protection Regulation.

The Court of Appeal notes that Article 12(1) of the Data Protection Regulation, in conjunction with recital 58 in the preamble to the Regulation, states that the principle of transparency means that the controller shall ensure that information provided to the data subject is easily accessible and clear.

The Court of Appeal makes the assessment that since the information in question has been provided to the data subject in various documents where it is not clearly stated what additional information was available in the privacy policy, it cannot be considered to have been sufficiently clear or easily accessible. Spotify has thus in this regard violated Article 12(1) of the Data Protection Regulation.

Information to data subjects pursuant to Article 15(1)(d) and Article 15(2)

IMY submits that where the deficiency consists, inter alia, in the use of vague and imprecise terms to describe retention periods and the criteria used to determine retention periods, it is clear that this also constitutes a breach of Article 12(1). The only measure applied at the relevant time was according to Spotify's standard contractual clauses and the use of the term "for example" may lead the data subject to believe that additional appropriate safeguards have been taken. Since the deficiency under Article 15(2) of the Data Protection Regulation was partly due to the fact that the information was not provided in a way that made it intelligible due to unclear wording, the information did not meet the requirements of Article 12(1) of the Data Protection Regulation either, in the light of the purpose of the provision in Article 15(2).

Spotify argues that IMY's approach would entail a system in which a complete failure to provide information would give rise to fewer breaches of the Data Protection Regulation than the provision of information. Simultaneous breaches of Articles 12(1) and 15 of the Data Protection Regulation can only be considered to the extent that the objectives pursued by the articles in the individual case do not coincide. Such are not the circumstances in the present case, where the purpose of both provisions is to enable data subjects to check that personal data are correct and are being processed lawfully. The circumstances that have been used as a basis for the infringements of Article 15(1)(d) and 15(2) of the Data Protection Regulation cannot at the same time be used as a basis for infringements of Article 12(1) insofar as the same information is concerned.

The Court of Appeal notes at the outset that the provisions of Article 15 of the Data Protection Regulation regulate the substantive content of the individual rights and the provisions of Article 12 the formal external framework that the controller is obliged to observe with regard to the handling of the rights. The fact that both articles aim to enable the data subject to verify that his or her personal data are accurate and are being processed lawfully does not mean that circumstances that have been the basis for a possible infringement of one of the provisions of Article 15 of the GDPR cannot also be the basis for an infringement of the provisions of Article 12 of the same GDPR.

The Court of Appeal, like the Administrative Court, considers that the information provided by Spotify on storage periods and criteria for determining these is not sufficient to enable a data subject to verify that his or her personal data are accurate and are being processed lawfully. Spotify has thus violated Article 15(1)(d) of the Data Protection Regulation.

However, the Court of Appeal finds that the information that Spotify has actually provided pursuant to Article 15(1)(d) does not simultaneously constitute a violation of Article 12(1) of the Data Protection Regulation in this part.

The Court of Appeal agrees with the Administrative Court's assessment that it is clear from the wording of Article 15(2) of the Data Protection Regulation that the obligation to provide information relates to the appropriate safeguards that, in accordance with Article 46, have been taken when data has actually been transferred to a third country or to an international organisation. It is only in the event of an actual transfer to a third country or an international organisation that information under Article 46 of the GDPR is required in a request for access under Article 15(2) (cf. EDPB Guidelines 01/2022 on data subject rights – right of access adopted on 28 March 2023, point 122). The information provided by Spotify under the heading “International transfers” has, according to the Court of Appeal, been general and did not enable the data subject to ascertain what appropriate safeguards have been taken. Nor has any information been provided whether the personal data of the data subject have actually been transferred to a third country or to an international organisation. By virtue of these shortcomings in the information in question Spotify has infringed Article 15(2). The Court of Appeal, however, considers that even if the information provided by Spotify has been general and in some respects vague, IMY has not shown in this regard either that Spotify has processed personal data in violation of Article 12(1) of the Data Protection Regulation.

The provision of personal data in the form of technical log files

IMY argues that the information in the technical log files may need to be explained in order to meet the requirement of clarity in relation to the purpose of the right of access. The judgment of the Court of Justice of the European Union in the case of Österreichische Datenschutzbehörde and CRIF and the judgment of the Court of Justice of the European Union of 26 October 2023 (FT, C-307/22, EU:C:2023:811) support the fact that a controller, who processes difficult-to-understand personal data about the data subject who is to be given access to his data, needs to take steps to make that data understandable and that the data may need to be put into context for that purpose. The provision of the description becomes part of the communication pursuant to Article 15 of the Data Protection Regulation, which must therefore also meet the requirements for clarity in Article 12(1).

Spotify disputes that, in order to comply with Article 12(1) of the GDPR, the company should have provided, as a standard and without being asked, the detailed description of technical log files in the users' local language. The meaning of Article 12(1) is determined in the light of Article 15 and cannot be read in isolation. Article 15(3) of the GDPR means that the communication that the controller shall take reasonable steps to provide in an intelligible form under Article 12(1) is the copy of the personal data and the information that Spotify is required to provide under Article 15(3). The Administrative Court's conclusion is not based on Article 15(3) in its wording and risks having far-reaching consequences for controllers.

The Court of Appeal notes that Spotify, in connection with the disclosure of technical log files to the data subjects, has provided a “Read Me First” file in the user’s own language, where a detailed description of the files is also provided in English. The document also provides information on the possibility of requesting a translation of the detailed description. Furthermore, the “Read Me First” file contains a link to the document “Understanding My Data” where the data subject can access a general description of the data in the download in their own language. The Court of Appeal considers that the detailed description has enabled the data subject to make use of the information in the files. The question is therefore whether Spotify by providing the description of the technical log files in English as a starting point has infringed Article 12(1) of the Data Protection Regulation.

It follows from Article 12(1) and the case-law of the Court of Justice of the European Union (see FT, paragraph 75) that it is for the controller to take appropriate measures to ensure that the data subject is given access to the information in accordance with Article 15(3) in an intelligible form and using plain and clear language. This also applies to the disclosure of technical log files which, by their nature, may be difficult to make understandable. There is no explicit requirement in the Data Protection Regulation that the information in Article 15 should be provided in a particular language. The Article 29 Working Party Guidelines on Transparency under the GDPR adopted on 29 November 2017 state that the requirement that information should be intelligible means that it should be able to be understood by an average member of the intended target group (paragraph 9).

The Court of Appeal finds that Spotify, by providing a detailed description of the technical log files in English and informing about the possibility of requesting a translation of the detailed description into the user's own language, has taken appropriate measures to provide the data subject with access to information pursuant to Article 15(3) in a form that is intelligible to an average user of Spotify's services and that enables the data subject to exercise his or her rights under the GDPR. Providing a translation of the detailed description of the technical log files in every conceivable language as a standard and without the data subject's request does not appear to be a reasonable requirement for action to achieve the purpose of the provision. In this assessment, the variability of the files in question and the number of languages involved have been taken into account. The Court of Appeal therefore considers, in contrast to the Administrative Court, that Spotify has not violated Article 12(1) of the Data Protection Regulation in this part.

The complaints

IMY has in its decision assessed that Spotify should be reprimanded as a result of violations of Articles 12 and 15 of the Data Protection Regulation in the handling of two data subjects' requests for access. IMY also assessed with regard to complaint 2 that Spotify should be ordered to comply with the complainant's request for access. The Administrative Court upheld IMY's decision in these parts and found with regard to the order that Spotify should be given one month from the date on which the court's judgment became final to comply with it. IMY's decision was therefore not changed in this part either.

In its appeal to the Court of Appeal, Spotify has referred to the investigation that the company submitted to the Administrative Court in relevant parts but has not presented anything in the Court of Appeal regarding the complaints.

The Court of Appeal has assessed above that Spotify has not violated Article 12(1) of the Data Protection Regulation regarding the provision of personal data in the form of technical log files. Otherwise, the Court of Appeal agrees with the Administrative Court's assessment. This means that in relation to both the complaints, there have been violations of the Data Protection Regulation.

Choice of sanction regarding the complaints

The Court of Appeal has found that, in relation to complaint 1 and complaint 2, Spotify has handled the complainant's request for access in violation of the Data Protection Regulation.

The Court of Appeal assesses that Spotify should be given a reprimand for these violations in accordance with Article 58(2)(b) of the Data Protection Regulation. Furthermore, Spotify shall, with regard to complaint 2, be ordered to comply with the complainant's request for access in accordance with what is stated in the IMY's decision within one month from the date on which the decision and this judgment become final.

Choice of penalty for violations of Spotify's general procedures

IMY submits that it is clear from the case law of the Court of Justice of the European Union (judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C-683/21, paragraph 81, EU:C:2023:949, and judgment of 5 December 2023, Deutsche Wohnen, C-807/21, paragraphs 76 and 77, EU:C:2023:950) and the Court of Appeal in Stockholm (judgment of 11 March 2024 in case No. 2829-23) that the lower limit for negligence is low. The Administrative Court has stated that it may be considered to follow from the purpose behind the right of access and the requirements in Article 12(1) of the Data Protection Regulation that information to a data subject is provided in a language that he or she understands. Against this background and in line with the aforementioned case law, IMY considers that Spotify, as far as the description of the technical log files is concerned, has in any case acted negligently since the company was not unaware that its actions entailed a violation of the Data Protection Regulation. There are therefore grounds for imposing a penalty fee on the company also for this violation.

Spotify submits that IMY states in its decision that, with regard to the information to be provided pursuant to Article 15(1) and 15(2) of the Data Protection Regulation, there has been a lack of detailed guidance on how information should be provided and at what level of detail. This shows that Spotify had no reason to assume that its actions constituted an infringement. The information obligation in Article 15(2) only aims at the appropriate safeguards regulated in Article 46 of the Data Protection Regulation. The Administrative Court's finding that the information requirement also includes an obligation to explicitly inform whether a transfer to a third country or an international organisation has taken place is not supported by the wording of the article. Any ignorance that Spotify may have been in was excusable.

The Court of Appeal has assessed that Spotify has infringed the Data Protection Regulation by not providing in its Article 15 information in a clear and easily accessible manner the information that is necessary for the data subject to be able to exercise his or her rights under the Regulation (Article 12(1)), not providing information on retention periods and criteria for determining these (Article 15(1)(d)) and not providing sufficient information on appropriate safeguards when transferring personal data to a third country or an international organisation (Article 15(2)). The Court of Appeal considers that these are not minor infringements of the Data Protection Regulation. An administrative penalty cannot therefore be replaced by a reprimand.

In order for a penalty payment to be imposed, the controller must have been at fault in the sense that it cannot be considered to have been unaware that the action constituted an infringement. This applies regardless of whether the controller was aware that it was infringing the provisions of the Data Protection Regulation (CJEU judgments in cases C-683/21, paragraph 81, and C-807/21, paragraph 76).

Spotify has argued that the company was unaware that the action constituted an infringement and that any ignorance was excusable. Spotify has further argued that IMY has not shown that the company has infringed the Data Protection Regulation intentionally or negligently.

The Court of Appeal finds that Spotify, as the controller, is responsible for the processing of personal data that takes place within the company and for ensuring that it takes place in accordance with the applicable regulations. Spotify has not met the requirements of the Data Protection Regulation for the information that must be provided in accordance with the provisions on the rights of the data subject regarding the right of access of the data subject. The Court of Appeal finds that Spotify cannot be considered to have been unaware that its actions entailed violations of the Data Protection Regulation. There are therefore grounds for imposing an administrative penalty on Spotify. The Court of Appeal will therefore assess the size of the penalty.

Size of the penalty

IMY argues that the current penalty has been calculated taking into account the seriousness with which Spotify's procedures for handling access requests have been breached and that the authority has considered the action as a whole. The seriousness of the failure to act has consequently not diminished because the Administrative Court has assessed that the failure to act did not constitute a violation of all the provisions that IMY found to have been violated. If the Court of Appeal were to consider that the violation regarding the personal data in the technical log files cannot form the basis for a penalty, it is admitted that this will have significance for the assessment of the seriousness of the failure to act, albeit marginally, and that it would justify a certain reduction in the amount of the penalty.

Spotify argues that the Administrative Court's judgment means that the seriousness of the remaining violations is significantly lower than before.

The Administrative Court has incorrectly noted that the alleged violation of Article 12(1) of the Data Protection Regulation regarding technical log files, which should not form the basis for the penalty fee, only justifies a reduction of the fee by three million SEK. The Administrative Court's interpretation of Article 83(2)(b) of the Data Protection Regulation makes the use of the term "negligence" in the article redundant, since the consideration to be given to negligence can neither have a mitigating nor aggravating effect. Since neither IMY nor the Administrative Court has taken due account of the existence of negligence when determining the amount of the penalty fee, any penalty fee should also be reduced on this basis.

The Administrative Court's conclusions regarding the company's rights under Article 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) are incorrect.

The Court of Appeal finds that the amount of the penalty payment shall be assessed based on the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the personal data processing, as well as the number of data subjects concerned and the damage suffered by them (Article 83(2)(a) of the General Data Protection Regulation). In order to assess the seriousness of the infringement it should also be taken into account whether the infringement was committed intentionally or negligently (Article 83(2)(b)) and the categories of personal data affected by the infringement (Article 83(2)(g)).

Infringements of data subjects' rights under Articles 12-22 of the GDPR shall be punishable by administrative fines of up to EUR 20 million or four percent of the global annual turnover in the preceding financial year, whichever is the higher (Article 83(5)(b)). As stated in the IMY's decision, the annual turnover of Spotify's parent company Spotify Technology S.A. for the year 2022 was approximately SEK 132,000,000,000. It follows that the statutory maximum amount that could be imposed on Spotify in the supervisory case was approximately SEK 5,280,000,000. The EDPB has recommended in its guidelines that when calculating administrative fines for minor infringements, the supervisory authority should set the starting amount for further calculation at a point between zero and ten percent of the applicable statutory maximum amount (Guidelines 04/2022 on the calculation of administrative fines under the General Data Protection Regulation adopted on 24 May 2023, paragraph 60).

Spotify's Article 15 information has been found to be deficient in several respects and has meant that a large number of data subjects have been deprived of the opportunity to check whether their personal data is being processed correctly and lawfully. However, the Court of Appeal, like the Administrative Court, considers that the infringements cannot be considered to have been ongoing for any longer period of time. Furthermore, it is clear from the documents in the case that Spotify, on its own initiative, before the supervisory case was initiated, improved its routines regarding the information to be provided pursuant to Article 15 of the Data Protection Regulation. This improvement work has continued throughout the course of the supervisory case.

It is clear that the violations of the Data Protection Regulation have not occurred intentionally. However, as the Administrative Court has established, this only means that the seriousness of the violations does not increase. In a balanced assessment, the Administrative Court of Appeal considers that these may be considered violations of a lower degree of seriousness.

If a controller, with regard to the same or linked data processing operations, intentionally or negligently infringes several provisions of the Data Protection Regulation, the total amount of the administrative penalty may not exceed the amount determined for the most serious infringement (Article 83(3) of the Data Protection Regulation). According to the Court of Appeal, this means that the determination of the amount of the penalty shall be made on the basis of the controller's actions as a whole and on the basis of the seriousness of the infringements.

The number of provisions of the Data Protection Regulation that have been infringed is therefore of no decisive importance for the calculation in this case. The fact that the Administrative Court has found that Spotify has committed fewer violations than IMY assessed in its decision, and that the Court of Appeal has now concluded that a violation established by the Administrative Court did not constitute a violation, does not mean that a reduction in the imposed penalty fee must be made. The Court of Appeal is also not bound by the fact that IMY has admitted a possible reduction in the fee amount in respect of the violation concerning the technical log files.

As regards the processing time at IMY, the Court of Appeal considers that IMY's supervisory case has had significant effects on Spotify from the time when IMY communicated to Spotify what decision the authority intended to make (cf. e.g. European Court of Justice judgment of 23 July 2002 Janosevic v. Sweden paragraphs 91 and 92). Even taking into account that IMY subsequently revised its draft decision and what Spotify has now put forward, the Court of Appeal considers that the processing time cannot be considered to have been unreasonably long or that Spotify's right to be informed without delay of the meaning of and grounds for the accusations has been violated. There is therefore no reason to reduce the penalty under Article 83(2) of the Data Protection Regulation or on the grounds of violations of the ECHR.

In order to appear as an effective, proportionate and dissuasive measure, the violations of the Data Protection Regulation, despite the fact that they are violations of a lower degree of seriousness, justify the imposition of a penalty of at least SEK 58 million, which is the maximum amount according to the procedural framework in the case. IMY's appeal should therefore be upheld and Spotify's appeal dismissed.
_________________________

HOW TO APPEAL, see Appendix B (KR-01).

Attorney at Law Council of Appeal Council of Appeal

Chairman Rapporteur

/
Drafting Jurist
  1. This ruling was purely procedural. It is not to be confused with the ruling of June 2024 from the same court, which reviewed the DPA’s decision and lowered the fine. For more information on the interlocutory ruling and the procedural background of the case, see the comment.
  2. The Court upheld the DPA's reasoning on this point. For more details, please refer to the summary for the DPA's decision.
  3. To be clear, the ruling still found that the controller violated Article 12(1). The Court merely held that Article 12(1) was violated not by the information required under 15(2) but by other information provided in response to access requests.