EU Safe Harbor framework regarding the transfer of personal data from the EU to the United States. EU and U.S. negotiators agreed in February 2016 to a new framework, the Privacy Shield, which would replace the Safe Harbor framework. However, there is currently litigation challenging this framework as well as litigation challenging other EU mechanisms for adequate data transfers (for example, the standard contractual clauses), and it is uncertain whether the Privacy Shield framework and/or the standard contractual clauses similarly will be invalidated by the EU courts in the future. We rely on a mixture of mechanisms to transfer data to and from our EU business to the United States and could be impacted by changes in law as a result of the current challenges to these mechanisms in the European courts. In recent years, U.S. and European lawmakers and regulators have expressed concern over electronic marketing and the use of third-party cookies, web beacons, and similar technology for online behavioral advertising. In the EU, under the current Directive 2002/58 on Privacy and Electronic Communications (the “ePrivacy Directive”), informed and freely given consent is required for the placement of certain cookies on a user’s device. Once the GDPR comes into force, the higher standard required for valid consent under the GDPR will equally apply to consent required under the ePrivacy Directive. The ePrivacy Directive is also under reform. A draft of the new Regulation (EC) 2017/0003 concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (the “draft ePrivacy Regulation”) was announced on January 10, 2017. While it was originally intended to become applicable on May 25, 2018 (alongside the GDPR), the current draft ePrivacy Regulation is still going through the European legislative process.
Unlike the current ePrivacy Directive, the draft ePrivacy Regulation will be implemented directly into the laws of each of the EU member states, without the need for further enactment. When implemented, the ePrivacy Regulation may impose a requirement for opt-in consent for the collection of information from Users’ equipment as well as the use of third-party cookies, web beacons, and similar technology for tracking users for online behavioral advertising. The current provisions of the draft ePrivacy Regulation extend the strict opt-in marketing rules, with limited exceptions, to business-to-business communications and significantly increase penalties, which can reach up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for noncompliance. We may find it necessary or desirable to join self-regulatory bodies or other privacy-related organizations that require compliance with their rules pertaining to privacy and data security. We also may be bound by contractual obligations that limit our ability to collect, use, disclose, share, and leverage User data and to derive economic value from it. New laws, amendments to, or reinterpretations of existing laws, rules of self-regulatory bodies, industry standards, and contractual obligations, as well as changes in our Users’ expectations and demands regarding privacy and data security, may limit our ability to collect, use, and disclose, and to leverage and derive economic value from, User data. Restrictions on our ability to collect, access, and harness User data, or to use or disclose User data or any profiles that we develop using such data, may require us to expend significant resources to adapt to these changes, and would in turn limit our ability to stream personalized music content to our Users and offer targeted advertising opportunities to our Ad-Supported Users.
In addition, any failure or perceived failure by us to comply with privacy or security laws, policies, legal obligations, or industry standards, or any security incident that results in the unauthorized release or transfer of personal data, may result in governmental enforcement actions and investigations, including fines and penalties, enforcement orders requiring us to cease processing or operate in a certain way, litigation and/or adverse publicity, including by consumer advocacy groups, and could cause our customers to lose trust in us, which could have an adverse effect on our reputation and business. Such failures could have a material adverse effect on our financial condition and operations. If the third parties we work with (for example, cloud-based vendors) violate applicable laws or contractual obligations or suffer a security breach, such violations also may put us in breach of our obligations under privacy laws and regulations and/or could in turn have a material adverse effect on our business. We have incurred, and will continue to incur, expenses to comply with privacy and security standards and protocols imposed by law, regulation, self-regulatory bodies, industry standards, and contractual obligations.
Spotify F1 | Interactive Prospectus