A lot has been written about how Spotify is changing its EULA, and we at SpyAware have certainly seen it taking a huge amount of information.

Screenshot of Spotify’s behavior after about 45 minutes of installation.

See what Spotify is up to on Your Android Phone

SpyAware watches Spotify data as it moves in and out of your Android phone. The screenshot at right shows that, within less than an hour of installation, Spotify has already sent almost a megabyte of data to servers all over the world, including Belgium and Tokyo. Is Spotify the reason your battery ran down or your data plan was used up so quickly? Find out – download SpyAware the anti-piracy app.

SpyAware’s mission is to shine a light on what apps like Spotify do with your data. Then we give you options to complain to the FCC, share what the apps are doing on your social media, or uninstall the app.

The Real Story

The articles on Spotify that we’ve seen so far miss the real story, we think:

Spotify’s new terms and conditions appear to be an attempt to do an end-run around EU and US privacy laws. 

European Union regulations currently prohibit data from being sent outside your country of residence.

In the EULA, this portion is most concerning:

BY ACCEPTING THE PRIVACY POLICY, YOU EXPRESSLY AUTHORISE SPOTIFY TO USE AND SHARE WITH OTHER COMPANIES IN THE SPOTIFY GROUP, AS WELL AS CERTAIN TRUSTED BUSINESS PARTNERS AND SERVICE PROVIDERS, WHICH MAY BE LOCATED OUTSIDE OF THE COUNTRY OF YOUR RESIDENCE (INCLUDING COUNTRIES WHICH DO NOT PROVIDE THE SAME LEVEL OF PROTECTION FOR THE PROCESSING OF PERSONAL DATA AS THE COUNTRY OF YOUR RESIDENCE), THE INFORMATION PROVIDED BY YOU TO SPOTIFY, EVEN IF SUCH INFORMATION IS COVERED BY LOCAL BANKING SECRECY LAWS. YOU ACKNOWLEDGE AND AGREE TO THE IMPORTANCE OF SHARING SUCH INFORMATION FOR THE PROVISION OF THE SPOTIFY SERVICE AND ALSO AGREE THAT, BY ACCEPTING THIS PRIVACY POLICY, WHERE APPLICABLE AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, YOU EXPRESSLY WAIVE YOUR RIGHTS UNDER SUCH BANK SECRECY LAWS WITH REGARD TO SPOTIFY, ANY COMPANY IN THE SPOTIFY GROUP, AND ANY TRUSTED BUSINESS PARTNERS AND SERVICE PROVIDERS, WHICH MAY BE LOCATED OUTSIDE YOUR COUNTRY OF RESIDENCE. THIS CONSENT IS GIVEN FOR THE DURATION OF YOUR RELATIONSHIP WITH SPOTIFY.

In plain English, you agree that they can send your information to any other company or server, wherever they are located. On its face, this appears to be a way of avoiding EU privacy regulations.

But remember that, even if you sign a contract, it may be deemed unfair by regulators if, for instance, the contract says that you do not have rights that the constitution grants you. For example, you can’t sign away all of your rights to free speech or habeas corpus.

Fast and loose?

Spotify seems to be violating that broad legal principle here, in claiming that users in the EU can be required to allow Spotify to break EU regulations.

This seems like a very bold move from Spotify, and we wonder how long it can stand in court.

If you want to know what Spotify does with your information, install SpyAware’s free app today.