How To Avoid a $5.4M Fine with Privacy-Enhancing Technologies

In response to an investigation by the Swedish Authority for Privacy Protection (IMY), Spotify has been fined SEK 58 million, equivalent to $5.4 million USD. The fine was levied as a result of Spotify’s data handling practices that were found to be in contravention of the General Data Protection Regulation (GDPR), particularly related to a lack of transparency in how the company deals with customer data, leaving individuals unclear about how their data is being used. The situation that Spotify finds itself in is familiar to many other organizations, as regulations are sometimes difficult to navigate, even for large companies with more resources. Fines like this can be avoided by following clear GDPR guidelines, including the use of Privacy-Enhancing Technologies (PETs) to better protect, manage, and use customer data.

What Did Spotify Do Wrong?

After a case was brought by Max Schrems’ organization, noyb, the IMY found that Spotify had not been transparent with their customers about how data was used. The IMY noted that it was “difficult for individuals to understand how their personal data is processed and to check whether the handling of their personal data is lawful.”

As required by the GDPR, organizations must, on request, tell customers what data the organization holds on them, and delete it if requested. Organizations must also disclose the reasons for collecting information, as well as the reasons for the processing of personal information.

When organizations collect data, their governance and data protection strategies must ensure that the data is protected from both a privacy and a security standpoint, and that it can also be managed and tracked.

Companies must obey “delete my data” requests, which leaves them stripped of valuable data. The application of Privacy-Enhancing Technologies (PETs) is one way that organizations can ensure they don’t run into the same issues as Spotify.

What Are Privacy-Enhancing Technologies?

PETs are technologies that transform data in order to protect its security and privacy at the technical level. Legal policies and governance processes that manage data and handle the risk of breach are not, on their own, sufficient to stop a breach from occurring. PETs protect data in such a way that legal policies can be enforced at the technological level, significantly reducing the risk of data breach or loss.

Anonos leverages the PETs of Synthetic Data (for anonymization) and Statutory Pseudonymization tools. Each of these technologies can be used in different use cases, but both can help in their own way with similar situations to the one that Spotify is facing.

How Can PETs Help?

When collecting data from users and customers, organizations need to apply a range of solutions to ensure that the data is treated appropriately.

One example is the use of synthetic data. In this case, through anonymization, synthetic data is no longer personal data, and can therefore be retained longer. Mitigation of privacy risks is a priority when producing synthetic data, and therefore the privacy of synthetic data always needs to be evaluated for its robustness against linkage attacks and similar issues. Synthetic data may not always be the right solution in cases where safe relinking to original data may be needed, such as for “delete my data” requests or other scenarios in which the organization or the user wants their identity to be revealed. This is also the case in situations such as targeted marketing activities or some targeted offerings, which may very often be the case for B2C companies such as Spotify.

Another useful PET for situations such as these is statutory pseudonymization, in which personal data is protected according to the highest standards while allowing for controlled re-linking. When users need to be able to know what data an organization has collected on them, protecting this data with statutory pseudonymization is one good approach. Statutory pseudonymization allows data to be collected and transformed to separate the information value of the data from the personal identity, where separately stored information is protected with technical and organizational measures. When a user wants to know what information an organization holds on them, statutory pseudonymization can allow identity to be re-linked to the data so that a user can be appropriately notified.
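A minimal sketch of the separation and controlled re-linking described above, as an added example that is not code from this article or from Anonos. The class names, the HMAC-derived pseudonym and the constructed sample events are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class LinkVault:
    """Re-linking information, stored apart from the data set (hypothetical name)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret key, kept only in the vault
        self.links = {}                      # pseudonym -> identity

    def token(self, identity):
        # Keyed hash: the pseudonym cannot be recomputed without the vault's key.
        return hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()[:32]

    def pseudonym_for(self, identity):
        self.links[self.token(identity)] = identity
        return self.token(identity)

class AnalyticsStore:
    """Working data set: rows carry a pseudonym, never a direct identifier."""
    def __init__(self, vault):
        self.vault, self.rows = vault, []

    def ingest(self, identity, event):
        self.rows.append({"subject": self.vault.pseudonym_for(identity), **event})

    def access_request(self, identity):
        # "What do you hold on me?": re-link through the vault, then select the rows.
        token = self.vault.token(identity)
        if self.vault.links.get(token) != identity:
            return []
        return [r for r in self.rows if r["subject"] == token]

    def erasure_request(self, identity):
        # "Delete my data": drop the link and every row under that pseudonym.
        token = self.vault.token(identity)
        self.vault.links.pop(token, None)
        before = len(self.rows)
        self.rows = [r for r in self.rows if r["subject"] != token]
        return before - len(self.rows)

def demo():
    store = AnalyticsStore(LinkVault())
    for who, track in [("alice@example.com", "t1"), ("bob@example.com", "t2"),
                       ("alice@example.com", "t3")]:  # constructed sample events
        store.ingest(who, {"track": track})
    exposed = any("@" in str(v) for r in store.rows for v in r.values())
    held = len(store.access_request("alice@example.com"))
    erased = store.erasure_request("alice@example.com")
    return exposed, held, erased, len(store.rows)
```

In a real deployment the vault would sit in a separate system with its own access controls, so that whoever works with the analytics rows cannot re-link them.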

There are also more PETs a company can consider using and combining for different purposes. There is no one-size-fits-all solution, and each use case needs to be considered to determine which PETs are most suitable.

Conclusion

Large companies like Spotify will not be the last targets of increasing enforcement actions for GDPR violations, and they are certainly not the only ones struggling with regulatory compliance. With the use of PETs, companies can ensure that they are compliant while maintaining their ability to use data for innovation and growth.