How We Forced Spotify To Change Their TOS
Every corporation, big or small, is subject to the enforcement of the laws they are beholden to. Spotify was no exception.
I just sent a mail to [email protected]:
I’m a paying user of the Spotify music service. I want to exercise my rights under the GDPR article 20 subsection 2 to data portability to transmit my data, namely playlist information, directly to another controller.
It is clear that this is technically possible, as it has been possible in the past. However, Spotify has chosen to force SongShift to disable its API. This is in violation of my rights under the GDPR. I demand that you re-enable this API to allow me to exercise my rights under the GDPR.
I expect a notification of receipt within 5 days. I expect a full answer within 14 days. In case of no reply, or no satisfactory reply, I will enter a complaint (verzoekschriftprocedure) at the Dutch civil court (Rechtbank Midden-Nederland).
Spotify responded:
Thanks for reaching out to us. We deeply understand that this will be a disappointment for you as you can no longer create transfers from Spotify to another music service. This is because it violates our Terms and Conditions.
So here’s your request to download a copy of the personal data that is likely to be most relevant to you:
– Log in to your account page.
– Select Privacy Settings from the menu in the left.
– Under Download your Data, click REQUEST. This page also contains instructions for accessing your data and a summary of the categories of data you can expect to receive.
If you would also like to receive the technical log information we collect to provide and troubleshoot the Spotify service, extended streaming history, or have a special data request, please let us know.
Let us know if we can help with anything else. We’re just an email away.
My response:
Regrettably, the steps which you have outlined for me are not in compliance with the GDPR article 20 subsection 2, which states that “the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.”
Clearly, it is technically feasible to transfer my personal data directly to another controller, as it has been done with SongShift in the past. You decided to disable this method, in violation of the GDPR. Your terms and conditions do not supersede Dutch or European law.
I demand that you re-enable the API or allow for some other method to allow me to exercise my rights under the GDPR, so I can transfer my personal data directly from Spotify to another music service.
If you do not allow me to exercise my rights under the GDPR, I will file a complaint (verzoekschriftprocedure) at the Dutch civil court (Rechtbank Midden-Nederland). I expect that you respond with a timeline about when and how I can exercise my rights under the GDPR within 14 days.
Note: Court cases in the Netherlands are relatively cheap, with a fixed starting cost of € 83, and a maximum of ~€ 2300 in case of loss (as compensation for attorney fees), so it actually seems feasible to go this route.
I also want to challenge them on the export taking multiple days to be generated. This also is in violation of the GDPR as “undue delay”. Many people cite that they have 30 days, but this is actually the maximum time.
Spotify’s Response
Thank you for getting back in touch.
I get that you’ve come to rely on SongShift to transfer your playlists to other services, thus I understand how you feel when the service was removed. However, please know that the service they offer goes against our T&Cs and due to this violation, the app has been taken down.
If you want to transmit your personal data to another service, we can help you request to receive a copy of that data and give it the other service.
Due to the large size and complexity of the data retrieval, you will receive your personal data in three separate packages.
First, you will receive a ZIP file with a copy of most of your personal data via our Download your data function, after you verify your request in the confirmation email sent to your registered email account to ensure secure delivery.
This download will include information about your playlists, streaming history, searches, a list of items saved in Your Library, the number of followers you have, the number of accounts you follow, the names of the artists you follow, and your payment and subscription data. For more detailed information about what is included in each file of your download, please see Understanding My Data.
The second data package will include the technical log information of your account that we collect to provide and troubleshoot the Spotify service. The data description is provided in the Read Me file together with the data.
Finally, the third data package will include your entire listening history for the life of your account. Each of the above data packages will be made available to you as soon as they become ready in the coming weeks.
You can request for the first data package via the Privacy Settings section of your account page. If you want the 2nd and 3rd data package, please let me know your username so we can help you request for these data.
I hope this email clarifies. Let me know if we can help you with anything else.
And I replied with:
Regrettably, your answer didn’t clarify anything at all. In fact, it seems that you are ignoring the substance of my previous two messages.
If you have not already done so, I strongly advise you to forward this email conversation to your legal department. I will not hesitate to file a complaint (verzoekschriftprocedure) at the Dutch civil court (Rechtbank Midden-Nederland) if you do not allow me to exercise my rights under the law.
The process you are describing would fall under GDPR article 20 subsection 1. However, my previous demand isn’t about those rights. Instead, I want to exercise my rights under GDPR article 20 subsection 2 to transfer my data directly from controller to controller, for example (but not limited) to SongShift, when you have specifically shown that it is technically possible.
GDPR article 20 subsection 2 is Dutch and European law. You cannot overrule the law with your terms and conditions. You have an obligation to me, a Dutch citizen, to allow me to transfer my data to another controller when technically feasible. Your message tells me that you are refusing to do so.
I demand, again, that you re-enable the API or allow for some other method to allow me to exercise my rights under the GDPR, so I can transfer my personal data directly from Spotify to another controller such as (but not limited to) SongShift.
Seeing how you responded the previous two times with unsubstantive answers, I’m giving you 3 days to respond substantively. If you promise to provide me a timeline about when and how I can exercise my rights under the GDPR or otherwise want a delay, I will give you an additional 10 days.
If you do not respond or offer no solution, I will send a registered letter (aangetekende brief) to your Dutch offices in Amsterdam with a last warning before starting the verzoekschriftprocedure. Note that I will be hiring a lawyer to draft this letter, and will thus be incurring costs, which I will recover from you as damages.
