Oslo tingrett - 23-160384TVI-TOSL/04
| Oslo tingrett - 23-160384TVI-TOSL/04 | |
|---|---|
 | |
| Court: | Oslo tingrett (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 4(11) GDPR |
| Decided: | 01.07.2024 |
| Published: | |
| Parties: | Grindr |
| National Case Number/Name: | 23-160384TVI-TOSL/04 |
| European Case Law Identifier: | |
| Appeal from: | Personvernnemnda PVN-2022-22 |
| Appeal to: | |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in Norwegian) |
| Initial Contributor: | ec |
A district court upheld the DPA's fine of €6,4 million (NOK 65 million) against Grindr for not having a valid legal basis and disclosing special categories of personal data to advertising partners.
English Summary
Facts
Grindr (the controller) is a location-based social networking app marketed towards the LGBTQ community. The app has an ad-based free version, but users can upgrade to paid subscription versions which include more features and are without ads.
In January 2020, the Norwegian Consumer Council together with noyb lodged a complaint against the controller for unlawful sharing of personal data with third parties for marketing purposes at the Norwegian DPA (“Datatilsynet”). This included GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on the controller's app. Users could be identified through the data shared, and the recipients could potentially further share the data.
On 13 December 2021, the DPA fined the controller €6,4 million (NOK 65 million) for disclosing personal data to advertising partners without a valid legal basis, violating Article 6(1) GDPR. Furthermore, the controller violated Article 9(1) GDPR for disclosing special categories of personal data to advertising partners.
On 14 February 2022, the controller appealed this decision at the Privacy Appeals Board (“Personvernnemnda”). The Privacy Appeals Board upheld the DPA’s decision.
On 27 October 2023, the controller filed a lawsuit against the Privacy Appeals Board at the Oslo District Court (“Oslo tingrett”). The controller argued that the Appeals Board’s decision should be declared invalid or alternatively that the fine should be reduced.
Holding
Disclosure of special categories of personal data
The court held that by providing the App ID, the controller shared information with their advertising partners that a specific user is a user of their app. The court held that by just being a user of the controller’s app, one can draw the conclusion that the user is not heterosexual and thus is covered by sexual relationships and orientation under Article 9(1) GDPR. Thus, the court concluded that the controller disclosed personal data of special categories of personal data under Article 9(1) GDPR, agreeing with the DPA and the Privacy Appeals Board.
The court dismissed the controller’s argument that this interpretation of Article 9(1) GDPR which was also held by the Privacy Appeals Board, is in conflict with Article 14 ECHR and it is being discriminated against. The court held that Article 9 GDPR is precisely intended to prevent discrimination by ensuring that sensitive personal information is not shared outside the person's control. Therefore, there is no contradiction between Article 9 GDPR and Article 8 and 14 ECHR. To have a claim to protection under Articles 8 and 14 ECHR, a natural or legal person has to have for example a “family life”, “a home” or “a sexual orientation”. The court held that the controller had no sexual orientation and therefore cannot have a claim for protection against discrimination.
Valid consent
The court held that consent was not freely given as there was no real freedom of choice. By only being able to accept the privacy policy and handing over personal data for advertising purposes or cancel and not being able to use the app, the user did not have a “real freedom of choice”.
The court dismissed the controller’s argument that users had a real choice by choosing the paid version. The court noted that the paid version was only available after the user had registered a profile, and thus already clicked accept on the privacy policy and shared their personal data with advertising partners. As there was no simultaneous choice to choose a paid version when accepting the privacy policy and thus consenting to the disclosure of personal data to advertising partners, there was no alternative choice and thus no freely given consent.
The court also dismissed the controller’s argument that the privacy statement contained information about how the user could opt out of behaviour-based marketing by changing the settings on the phone, and that if the user did not do this, it must be seen as consenting to the sharing of personal data. The court did not find this option meeting the requirement for freely given consent as consent requires an active action and not a passive by failing to change the settings on the phone. Moreover, by changing the settings on the phone, it would apply to all the apps the users had on the phone, which is not a fully acceptable option for users.
Thus, the court held that the controller did not meet the requirement for freely given consent under Article 4(11) GDPR, agreeing with the DPA and the Privacy Appeals Board.
The court further held that the controller did not meet the requirements for specific and informed consent under Article 4(11) GDPR. The controller failed to use clear language, making it difficult for users to understand what they were consenting to and what the consequences were of consent.
Fine amount
The court found that the controller was aware that their way of obtaining consent was not good but used it anyways as the other alternatives were more expensive or too complicated. It was therefore a conscious choice to breach the GDPR. Moreover, even if the controller did not have any other choice but to use this way of obtaining consent, it still had controller over what information was given to users. However, the controller still did not fulfil the requirement for information for there to be valid consent. The court thus concluded that the controller had intentionally violated the GDPR.
The court found the breach is of a serious nature as the controller violated the requirement for consent and shared personal data of a special category which requires extra protection. Moreover, it affected a large number of users. The court further found that the controller’s sharing of personal data led to an extensive and uncontrolled spread of personal data to advertising partners for behaviour- based marketing. Thousands of companies gained access to the users' personal data that was shared as the controller had around 10 advertising partners, who also then had over hundreds of partners. Although this case did not cover the advertising partners’ handling of personal date, the court found that this was still relevant as it showed the consequences it had for users of the controller’s app.
The court held that although the controller has changed the way it obtains consent, imposing a fine is still preventative as it will ensure that the controller complies in the future with the obligations that follow from the GDPR and not only related to obtaining valid consent.
Thus, the court concluded there was no basis for reducing the fine amount imposed by the DPA on the controller and thus upheld both the DPA’s and Privacy Appeals Board decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
