Spotify is sued in SP for accessing memory and deleting songs

Spotify was sued in the Court of Justice of São Paulo (TJSP) for allegedly accessing the memory of devices and deleting the songs of a subscriber to the app’s Premium Family Plan. Although the merits have not yet been judged, the case received an advance relief (advance decision), and the company was prohibited from continuing to access the person’s personal files under penalty of fine.

The process, which is considered unprecedented, was opened by lawyer Vinicius Carneiro. He says that he has been using the app since 2017 and that he opted for the family plan because of its ease, as his relatives are able to access a private account from it and select their own playlists, as well as download the files to their devices.

“Now, in 2021, with a card billing problem, they [Spotify] canceled my plan. I got in touch, I re-enabled the plan, but when I went to see all our music downloaded on the devices’ internal memory had simply been deleted. No warning, no alert, no information,” reported the lawyer.

Carneiro said that his cell phone memory had a folder with about 8 GB of songs, which was simply reset, a fact that also happened to other people who had access to the plan. After the files were deleted — from both iOS and Android devices — and the plan was effectively renewed, he had to download all the songs again so he could listen offline.

  • Spotify announces price increases for all plans in Brazil

“The issue of privacy worried me a lot, especially when I realized that, in fact, all the other users in my family had not paid attention to this detail. In practice, I knew that the songs stayed inside my cell phone, including how much they took up space, but I had no idea they could delete something without my knowing it,” he told the TechWorld.

right to privacy

Carneiro’s abusive practices lawsuit against Spotify asks the Court to quantify compensation for the risk of exposure of the applicant’s data. The minimum value of the action was established at R$ 10 thousand for the purposes of procedural costs and payment of legal fees.

Carneiro is being represented by Eduardo Frederico Augusto Piovesan dos Reis Dourado and Leonardo Cantú, partners at Cantú e Reis Dourado Advogados. Professionals consider the topic to be relevant, as the case could even put at risk the personal information of adolescents who are part of the family plan of the plaintiff.

“There is no guarantee that when Spotify cancels the premium plan and ‘commands’ the deletion of songs remotely, that other data that are in the cell phone’s memory, such as personal photos, videos, texts and other documents, will not be exposed to that invasion or even that there is a loophole for accidental invasions,” the lawyers said.

Spotify

They argue that, in these cases, it is necessary to respect the principles of minimum intervention in the user’s privacy and the purpose of access to sensitive data, which must prevail over commercial or billing actions between the application and the customer.

“This is not about discussing the obvious right that Spotify has to, in not receiving the monthly plan, cancel the subscription and even access to its application. It is about preserving that, under normal conditions, the security of the user, the privacy and protection of their data are at the forefront of the technological process chain,” stated the lawyers.

Injunction against Spotify

The case is being processed at the 1st Civil Court of the TJSP. At the end of last month, Judge Lucas Campos de Souza granted an injunction against Spotify to prevent the app from continuing to have unauthorized access, under penalty of fine, to Carneiro and his family’s files.

“Anyway, the last message sent by the defendant [Spotify] to the author [Vinicius Carneiro] makes it clear that, once the premium plan is terminated, the downloads are undone and, therefore, removed from the internal memory of the devices, in such a way that the claim in the sense that the defendant somehow has access to the internal memory is shown to be plausible. of users’ devices, in order to allow the undoing of downloads”, according to an excerpt of the preliminary decision.

Because of the evidence, the magistrate understood that there is access to the physical memory of phones and other devices by the music app, and that this access can contribute to an increased risk of exposure to sensitive data.

Spotify

Thus, he argued that he found “recommended the partial granting of urgent relief, to determine the defendant to refrain from accessing and, therefore, from deleting files contained in the internal memory of the devices used by the author and the family, and should, in addition, keep free access for the author and his family group to the contracted plan, as long as it is in compliance with the corresponding consideration”. For each proven act of non-compliance with the injunction, Spotify will have to pay a fine of R$ 2 thousand.

What does Spotify say?

Spotify’s support page, in the section on Privacy Policy (which was updated September 30, 2021), recognizes that files in a device’s memory can be consulted. By accepting the terms of the platform, the user allows:

  • That the Spotify Service uses the processor, bandwidth and storage hardware on your device to facilitate the operation of the Spotify Service;
  • Serving advertising and other information, allowing our business partners to do the same, as permitted under Spotify’s Privacy Policy.

O TechWorld contacted Spotify to ask how exactly the memory of people’s devices is accessed when they cancel the plan and to see if the company would comment on the lawsuit. However, until the closing of this article, the company has not responded to the inquiries. The text will update if Spotify responds to queries.

Leave a Comment