Spotify
Verified“EU-controlled company, US-dependent machine.”
The sovereignty map
who controls the company β Β· where the data lives βEvery dot is a scored company β click any of them. Spotify sits where the verdict says: EU hands on the wheel, foreign ground under the wheels.
Showing 72 of 444 scored companies, picked by reach plus this page’s named alternatives. Spotify is placed by its verified dimensions; peer dots use the automated 0–50 pillar scores, normalized to the same 0–100 axes.
Why 48/100
EU-incorporated parent (Luxembourg), Swedish main operating company, and proven EU enforceability (IMY fine litigated and upheld). Deduction: a US operating subsidiary places part of the business under US jurisdiction.
Voting control is unambiguously EU: two Swedish founders hold 69.3% of votes. But the economic majority is non-EU (~86% of shares US-record-held), the largest outside shareholder is Tencent (voting-neutralized), and the only listing is the NYSE.
Spotify's own 20-F states the 'vast majority' of data storage β including users' personal data β and computing runs on Google Cloud, a US provider subject to the CLOUD Act. Transfers rely on SCCs; there is no published EU-only residency option. This is the dimension that matters most for a user's data, hence the largest weight.
Operating HQ and leadership are in Stockholm and the company reports in euros, but the workforce center of gravity has shifted to the US (3,466 US vs 1,271 Sweden average FTEs in 2025).
How the method works
Methodology v2 (provisional): each dimension is scored only on verified evidence and the total is the weighted average of assessed dimensions β unknowns reduce confidence, never the score. The previous automated score (33, 'Not sovereign') treated missing data as worst-case and subtracted points for popularity; both practices are removed. Dimension weights and judgments are open to challenge β every input fact is sourced below.
Control & Ownership
69.3% EU voting control
Economic majority: non-EU
Tencent 8.1%, voting-neutralized
5 sources
Voting control and economics point in opposite directions: EU founders control the votes, non-EU money owns the economics.
Swedish founders Daniel Ek and Martin Lorentzon control 69.3% of total voting power (28.8% + 40.5%) through 309.9M beneficiary certificates β non-transferable, zero-economic-value instruments carrying one vote each, stacked on top of their ordinary shares.
FY2025 Form 20-F, major shareholders table Β· as of 2025-12-31
The founders' combined direct economic interest is only ~15.1% (Ek ~5.8%, Lorentzon ~9.3%). 86.3% of ordinary shares were held by US record holders at end-2025; aggregate institutional (mostly US/UK) holdings are ~65% of shares. The economic majority of Spotify is non-EU.
FY2025 Form 20-F Β· as of 2025-12-31
Tencent (China) is the largest outside shareholder at 8.1% economic interest (from the December 2017 SpotifyβTencent Music equity swap), but exercises no independent voting power: its votes are cast by Daniel Ek under an irrevocable proxy.
FY2025 Form 20-F, footnotes 1 & 5 Β· as of 2025-12-31
No other shareholder holds above 5%. Baillie Gifford (UK) reported 7.6% economic / 2.9% voting at end-2024 and fell below the disclosure threshold during 2025.
FY2024 & FY2025 Form 20-F Β· as of 2025-12-31
Listed only on the New York Stock Exchange (ticker SPOT) since the April 2018 direct listing. There is no EU listing.
CNBC / Form 20-F Β· as of 2018-04-03
Legal & Jurisdiction
π±πΊ parent Β· πΈπͺ operating co Β· πΊπΈ US subsidiary
SEK 58M GDPR fine, upheld 2025
Not a DSA VLOP
4 sources
EU-incorporated, Swedish-operated β and EU law demonstrably reaches it: the Swedish DPA's fine was litigated through two court instances and upheld.
Parent entity: Spotify Technology S.A., incorporated in Luxembourg (RCS B123052). The main operating company is Spotify AB (Sweden); the US operating company is Spotify USA Inc. (New York).
FY2025 Form 20-F, organizational structure Β· as of 2026-02-10
The Swedish DPA (IMY) fined Spotify AB SEK 58M (~β¬5M) in June 2023 for GDPR Article 15 transparency failures. A court reduced it to SEK 40M in 2024; the Administrative Court of Appeal restored the full SEK 58M on 3 June 2025. Evidence that EU enforcement against Spotify works.
IMY / Digital Policy Alert Β· as of 2025-06-03
Not a designated Very Large Online Platform under the DSA: Spotify self-reports fewer than 45M average monthly EU recipients (against ~195M 'Europe' MAUs, a figure that includes non-EU countries).
European Commission DSA designation list Β· as of 2026-05-28
Spotify has been the EU's most effective private enforcer against a US gatekeeper: its 2019 complaint led to Apple's β¬1.84B antitrust fine (March 2024) and fed the DMA's first enforcement wave (β¬500M Apple fine, April 2025).
European Commission Β· as of 2025-04-23
Data & Infrastructure
Google Cloud hosts the vast majority of data
On GCP since 2016
CLOUD Act exposure
4 sources
By Spotify's own filings, the vast majority of its data β including EU users' personal data β runs on Google Cloud, a US provider subject to the CLOUD Act.
The FY2025 20-F states Spotify relies on Google Cloud Platform 'for the vast majority of our primary data storage (including personal data of users and audio data licensed from rights holders) and computing'.
FY2025 Form 20-F, risk factors (direct quote) Β· as of 2026-02-10
Spotify announced its migration to Google Cloud in February 2016 and completed the move off its own data centers by ~2018. It remains on GCP as of the latest filings.
Google Cloud blog Β· as of 2016-02-23
Google LLC and Spotify USA Inc. are US entities subject to the US CLOUD Act compelled-disclosure regime, which applies to providers under US jurisdiction regardless of where the data physically resides.
US Department of Justice, CLOUD Act resources Β· as of 2026-06-12
Spotify's privacy policy (Section 7) confirms personal data is shared internationally, with transfers outside the EU/EEA protected by Standard Contractual Clauses and adequacy decisions. There is no published EU-only data-residency commitment.
Spotify Privacy Policy, Β§7 Β· as of 2026-06-12
Operations & People
US 3,466 vs SE 1,271 employees
EU leadership (Stockholm)
761M MAU Β· β¬17.19B revenue
3 sources
Stockholm HQ, euro-denominated reporting, EU leadership β but the workforce center of gravity is now the United States.
Workforce by location (2025 average FTE): United States 3,466, Sweden 1,271, UK 887, of 7,287 total. The largest employee base is in the US.
FY2025 Form 20-F Β· as of 2025-12-31
Since 1 January 2026, Daniel Ek serves as Executive Chairman with Alex NorstrΓΆm and Gustav SΓΆderstrΓΆm as Co-CEOs β leadership remains Stockholm-centered.
Q1 2026 shareholder letter / FY2025 20-F Β· as of 2026-01-01
Scale: 761M monthly active users and 293M Premium subscribers (Q1 2026); FY2025 revenue β¬17,186M with net income β¬2,212M, reported in euros. Europe is the largest region at 26% of MAUs (~195M, including non-EU countries).
Q1 2026 results / FY2025 Form 20-F Β· as of 2026-03-31
What we don’t know
4 open questions β they lower confidence, never the score
-
?
Which Google Cloud regions hold EU users' personal data?
Not publicly documented in filings or policy. Even EU regions would remain under CLOUD Act reach via Google, but region transparency would materially change the data-sovereignty read.
-
?
Exact EU-only user count
Spotify discloses only 'fewer than 45M' DSA recipients vs ~195M Europe-region MAUs (which includes non-EU countries). The gap is methodologically contested.
-
?
Further appeal of the IMY fine
No public record of an appeal to the Supreme Administrative Court as of 2026-06-12.
-
?
Precise EU economic ownership
Street-name (DTC) holdings make beneficial-owner geography approximate; we report record-holder data from the 20-F rather than estimating a single percentage.
EU Cloud Sovereignty Framework lens
mapped to the Commission’s official SEAL categories
The EU Cloud Sovereignty Framework (SEAL-0 to SEAL-4, June 2026) formally targets cloud providers, not streaming services. This is an analogous mapping for orientation, not a certification. Spotify's overall profile is roughly SEAL-1-equivalent: jurisdictional sovereignty without data or operational sovereignty. Official framework
Strategic
EU voting control; non-EU economic gravity
Legal & jurisdictional
EU incorporation; EU enforcement proven (IMY)
Data & AI
Personal data on US hyperscaler; CLOUD Act; SCCs only
Operational
Operations depend on GCP; US workforce plurality
Supply chain
Single non-EU provider for the vast majority of storage and compute
Technological
Proprietary stack bound to a proprietary US cloud
Security & compliance
GDPR-compliant posture; fined, litigated, paid
Environmental sustainability
Out of scope for this profile version
EU alternatives
Hi-res streaming owned by Xandrie SA (Pantin, France) β privately held French ownership; the strongest EU-sovereignty profile in music streaming. Hosting details not publicly documented.
Paris HQ, Euronext-listed β but the largest shareholder (~37%) is Access Industries (Len Blavatnik, US/UK). More EU than Spotify on paper; not cleanly EU-controlled.
Listed here so you don't switch by mistake: despite Norwegian roots, Tidal is ~86% owned by Block, Inc. (US) since 2021. Not an EU alternative.
Spotted an error? Every claim is sourced β challenge it and we correct the record.
- 2026-06-12 β Initial golden profile. Supersedes the automated score of 33/'Not sovereign', which treated unknown data as worst-case (e.g. zeroed the entire economic pillar) and subtracted 15 points for popularity. Facts re-verified against the FY2025 Form 20-F, IMY/court records, the EC's DSA list, and Spotify's privacy policy.
Report Incorrect Data
Found an error in this company's profile? Help us improve our data by submitting a correction.