130/264 consumer protection, content regulation, and other laws and regulations are very stringent and vary from jurisdiction to jurisdiction. In particular, we are subject to the data protection/privacy regulation under the laws of the EU. The framework legislation at an EU level with respect to data protection currently is Directive 95/46/EC (the “Data Protection Directive”). The purpose of the Data Protection Directive is to provide for the protection of the individual’s right to privacy with respect to the processing of personal data. Each member state is obligated to have national legislation consistent with the Data Protection Directive. We are therefore subject to the local implementing rules of the European countries where we are established (for example, Luxembourg and Sweden). These local laws can impose stringent rules relating to the way in which we process personal data. The Data Protection Directive will be superseded by the General Data Protection Regulation (“GDPR”), which will come into effect on May 25, 2018. The GDPR is intended to create a single legal framework that applies across all EU member states. However, there are certain areas where EU member states can derogate from the requirements in their own legislation. It is therefore likely that we will need to comply with these local regulations in addition to the GDPR. Local Supervisory Authorities will be able to impose fines of up to 4% of annual worldwide turnover of the preceding financial year or €20 million, whichever is greater, for noncompliance. These data protection authorities will have the power to carry out audits, require companies to cease or change processing, request information, and obtain access to premises. Where consent is relied upon as the legal basis for processing personal data, businesses must be able to demonstrate that the data subjects gave their consent to the processing of their personal data and will bear the burden of proof that consent was validly obtained and can be withdrawn at any time. The GDPR will implement more stringent operational requirements for processors and controllers of personal data, including, for example, requiring enhanced disclosures to data subjects about how personal data is processed, limiting retention periods of personal data, requiring mandatory data breach notification, and requiring additional policies and procedures to comply with the accountability principle under the GDPR. In addition, data subjects have more robust rights with regard to their personal data. Our privacy policy and terms and conditions of use describe our practices concerning the use, transmission, and disclosure of User information and are posted on our website. Legal Proceedings The Company is from time to time subject to various claims, lawsuits and other legal proceedings. Some of these claims, lawsuits and other legal proceedings involve highly complex issues, and often these issues are subject to substantial uncertainties. Accordingly, our potential liability with respect to a large portion of such claims, lawsuits and other legal proceedings cannot be estimated with certainty. Management, with the assistance of legal counsel, periodically reviews the status of each significant matter and assesses potential financial exposure. The Company recognizes provisions for claims or pending litigation when it determines that an unfavorable outcome is probable and the amount of loss can be reasonably estimated. Due to the inherent uncertain nature of litigation, the ultimate outcome or actual cost of settlement may materially vary from estimates. If management’s estimates prove incorrect, current reserves could be inadequate and the Company could incur a charge to earnings which could have a material adverse effect on its results of operations, financial condition, net worth, and cash flows. Between December 2015 and January 2016, two putative class action lawsuits were filed against us in the U.S. District Court for the Central District of California, alleging that we unlawfully reproduced and distributed musical compositions without obtaining licenses. These cases were subsequently consolidated in May 2016 and transferred to the U.S. District Court for the Southern District of New York in October 2016, as Ferrick et al. v. Spotify USA Inc ., No . 1:16cv8412AJN (S.D.N.Y). In May 2017, the parties reached a signed class action settlement agreement which the court has preliminarily approved, pursuant to which we will be responsible for (i) a $43 million cash payment to a fund for the class, (ii) all settlement administration and notice costs, expected to be between $1 million to $2 million, (iii) a direct payment of class counsel’s attorneys’ fees of up to $5 million dollars, (iv) future royalties for any tracks identified by claimants, as well as other class members who provide 123
Spotify F1 | Interactive Prospectus Page 129 Page 131