Datatilsynet (Norway) - 20/01801-23
| Datatilsynet - 20/01801-23 | |
|---|---|
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 4(4) GDPR; Article 5(1)(a) GDPR; Article 6(1) GDPR; § 2-7b Ekomloven |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 28.10.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Disqus Inc. |
| National Case Number/Name: | 20/01801-23 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO) |
| Initial Contributor: | Ao |
The Norwegian DPA issued a reprimand to Disqus Inc. for disclosing, in real time to its parent company Zeta Global, personal data it had collected via cookies set by default through its comment widget on Norwegian websites. The browser settings the controller relied on as consent did not meet the GDPR's requirements, so the disclosure had no legal basis under Article 6(1) GDPR.
English Summary
Facts
Through media reports published in 2019, the Norwegian DPA became aware that the controller, Disqus Inc., a provider of a comment-field widget for websites, had mistakenly assumed that the GDPR did not apply in Norway. The DPA opened a supervisory case and in May 2020 sent the controller a demand for an explanation; in May 2021 it notified the controller of an intended infringement fee of NOK 25 million.
The investigation found the following:
Between 20 July 2018 and 12 December 2019, the controller had delivered to six Norwegian websites (p3.no, tv2.no/broom, khrono.no, adressa.no, rights.no and document.no) a version of its widget intended for countries outside the EEA. With tracking and data sharing enabled by default, the widget set cookies and collected data (including a unique ID, URL, referring URL, timestamp, IP address, user ID for logged-in users, site ID and user agent) on every visitor who had not blocked cookies in their browser settings. In its notice, the DPA assumed that the collected data was used to build aggregated interest groups and for individual profiling. The controller confirmed that it had shared all collected data in real time with its parent company, Zeta Global.
The controller denied that it carried out profiling and described the processing as "segmentation". It further submitted that it erased the personal data of Norwegian users as soon as it became aware that the GDPR applied, and that the users' consent had been obtained through the settings the users had chosen in their browsers. For the 10,377 users who had registered an account, a mandatory tick-box consent to marketing had been part of the registration process.
Holding
The DPA held that the placement of cookies and the collection of personal data through them is governed by § 2-7b of the Norwegian Electronic Communications Act (Lov om elektronisk kommunikasjon, ekomloven), which transposes Article 5(3) of the ePrivacy Directive. The DPA therefore limited its investigation to the subsequent processing of the collected data and did not decide whether valid consent for the cookies themselves had been obtained under ekomloven.
The subsequent processing, which falls under the general rules of the GDPR, was not covered by valid consent under Article 6(1)(a) read with Article 4(11) GDPR. A general preset in the user's browser is not freely given, specific, informed or unambiguous, cannot be demonstrated under Article 7(1) GDPR and cannot be withdrawn as easily as it was given, even where an active action was required to enable the setting. Nkom's guidelines on consent under ekomloven are irrelevant, because the GDPR's consent requirement is fully harmonised and member states cannot define it for themselves. The mandatory marketing tick-box at registration was likewise invalid, as the parent company itself acknowledged.
The DPA determined that the processing the controller described as "segmentation" meets the definition of profiling in Article 4(4) GDPR. However, as the controller had deleted the data before the investigation commenced and could neither confirm nor rule out that any of the Norwegian websites had been categorised, the DPA could not establish on the balance of probabilities that profiling or behaviour-based marketing had taken place. It likewise accepted the controller's statement that data had been shared only with Zeta Global and not with Viglink or LiveRamp, since the DPA had no access to the Conzentio test report on which the media reports were based.
Pursuant to Article 58(2)(b) GDPR, the DPA issued a reprimand to the controller for disclosing personal data on 10,377 registered users and an unknown number of unregistered visitors to its parent company without a legal basis under Article 6(1) GDPR and in breach of the principle of lawfulness under Article 5(1)(a) GDPR. The DPA explained that processing without a legal basis would normally call for an infringement fee, but the violation it could substantiate was far smaller in scope and severity than the notice had assumed, because for evidentiary reasons it had to rely on the controller's account of the facts; the long processing time also weighed in favour of a reprimand, in line with the practice of the Privacy Appeals Board (Personvernnemnda).
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
THE LAW FIRM SCHJØDT AS
PO Box 2444 Solli
0201 OSLO

Your reference: | Our reference: 20/01801-23 | Date: 28.10.2024

Decision on reprimand - processing of personal data without legal basis - Disqus Inc.

1. Introduction

We refer to previous correspondence in the matter from 2021 and 2022, including our notice of decision on infringement fee dated 2 May 2021. We apologize for the long processing time.

2. Decision on reprimand

The Norwegian Data Protection Authority has today made the following decision:

Pursuant to Article 58(2)(b) GDPR, we issue a reprimand to Disqus Inc. for having disclosed personal data about data subjects in Norway in real time to the parent company Zeta Global without a legal basis, cf. Article 6(1) GDPR, and contrary to the principle of lawfulness, cf. Article 5(1)(a) GDPR.

3. The geographical scope of the GDPR and the Norwegian Data Protection Authority's competence and authority

Disqus Inc. (hereinafter "Disqus" or "the company") has reserved its position that both the geographical scope of the GDPR and the Norwegian Data Protection Authority's competence in the matter may be contested. This reservation is rejected by the Norwegian Data Protection Authority. We maintain that the processing of personal data to which this case relates, and for which Disqus is the controller, is covered by Article 3(2) GDPR and thus falls within the geographical scope of the Regulation. Furthermore, we maintain that the Norwegian Data Protection Authority has competence and authority in the present case in accordance with Articles 55, 57 and 58 GDPR.
We also refer to points 5.3 and 5.4 of our notice of decision, where we have explained in more detail both the geographical scope of the GDPR and the Norwegian Data Protection Authority's competence and tasks under the Regulation.

Postal address: PO Box 458 Sentrum, 0105 OSLO | Office address: Trelastgata 3, 0191 OSLO | Telephone: 22 39 69 00 | Org. no: 974 761 467 | Website: www.datatilsynet.no

4. Briefly about the proceedings

Through reports in the media in 2019, the Norwegian Data Protection Authority became aware that Disqus had mistakenly assumed that the GDPR did not apply in Norway. As a result, in the period 20 July 2018 to 12 December 2019 the company delivered to Norwegian websites a version of the Disqus widget intended for countries outside the EEA where the GDPR does not apply.

The Norwegian Data Protection Authority opened a supervisory case on the basis of the information that came to light in the media. In May 2020 we sent a demand for an explanation to Disqus in order to obtain information in the matter. We received a response to the demand from Disqus' parent company Zeta Global in July 2020.

On the basis of the statement from Zeta Global and the information that came to light in the media, the Norwegian Data Protection Authority notified Disqus in May 2021 that we would impose an infringement fee of NOK 25 million on the company. In July 2021 the Norwegian Data Protection Authority received Disqus' comments on the notified decision, through the law firm Schjødt. Disqus had a number of objections both to the facts on which the Norwegian Data Protection Authority had based its notice and to the Norwegian Data Protection Authority's legal assessments. We return to Disqus' comments below.
In May 2022 the Norwegian Data Protection Authority sent a new demand for an explanation to Disqus to clarify matters concerning the company structure in the group. Schjødt responded on behalf of Disqus in June 2022.

5. The facts of the case

5.1 Introduction

As previously mentioned, it appears from Disqus' comments on the notified decision that in several areas the company disagrees with the facts on which the Norwegian Data Protection Authority based the notice. In the following we account both for the parts of the facts on which, in our opinion, there is agreement, and for the disputed parts.

5.2 The time period and affected websites

In the period from 20 July 2018 to 12 December 2019, Disqus provided a version of the company's comment field service (the Disqus widget) intended for countries outside the EEA on the following Norwegian websites: p3.no, tv2.no/broom, khrono.no, adressa.no, rights.no and document.no. The comment field service delivered to the Norwegian websites was thus not adapted to the rules of the GDPR, and had tracking and data sharing with Disqus as the default setting. This meant that data was collected via cookies (Disqus Cookies) on all visitors to the relevant websites who had not activated settings in their browser to disallow cookies.

In the notified decision, the Norwegian Data Protection Authority assumed that the website NRK.no/ytring was also covered. In its comments on the notice, Disqus has stated that it did not collect personal data from NRK.no/ytring, since it was the ad-free paid version of the service that was used on that website. The Norwegian Data Protection Authority sees no reason to dispute this information.

5.3 Data controller

Disqus has confirmed that it considers itself the controller for the personal data collected via Disqus Cookies. The actual placement of the cookies and retrieval of data from them is not covered by this case.
The Norwegian Data Protection Authority's supervision concerns exclusively the subsequent processing of the personal data. This is explained in more detail in point 6.1 below.

5.4 More about the subsequent processing

In the notice, the Norwegian Data Protection Authority assumed that Disqus collected, tracked and analysed large amounts of personal data, including information about visitors' activity across the internet. Furthermore, the Norwegian Data Protection Authority assumed that Disqus used the information to create aggregated interest groups, in addition to individual profiling.

Disqus denies that it profiled visitors to the Norwegian websites to the extent the Norwegian Data Protection Authority assumed in the notice. The company has stated in its comments that Disqus Cookies collect the following data: impression ID, unique ID, URL, referring URL, timestamp, IP address, user ID (for logged-in users), site ID, user agent, language and Do Not Track status. Disqus has further stated that it collects personal data when data subjects visit other websites that also run the service, but it denies that the company has logged visits to websites that do not use the service.

Disqus has also stated that it never profiles natural persons on the basis of assumed political affiliation, religion, sexual orientation, trade union membership or specific health conditions, and that the company does not analyse the content of comment fields or the specific content of an article or website on which the data subject comments. Furthermore, Disqus has stated that it initially categorises only English-language websites itself, using broad categories such as "golf", "food" and "travel". For websites that are not English-language, Disqus allows the sites to categorise themselves. As we understand Disqus' comments, this is an active action that the site administrator must perform.
The website administrator can choose from ten predefined categories (business, celebrity, culture, entertainment, games, living, news, tech, style and sports). As we understand the comments, only the site's main category is used in connection with the profiling. However, it is unclear whether any of the Norwegian websites were categorised.

Disqus calls this processing "segmentation" of the data subjects, and we understand this to mean that Disqus believes it is not to be considered profiling. For the record, we note that the processing of personal data that Disqus calls "segmentation" in our opinion falls under the definition of profiling in Article 4(4) GDPR. The Norwegian Data Protection Authority therefore uses the term profiling when referring to this processing.

We understand Disqus' comments to mean that the company can neither confirm nor rule out that one or more of the relevant Norwegian websites had been categorised. According to Disqus, the company had already deleted the personal data of the Norwegian data subjects when the Norwegian Data Protection Authority opened the supervisory case, with the result that it cannot check exactly which information was registered. The companies behind the websites in question are not parties to the supervisory case, and the Norwegian Data Protection Authority also considers it unlikely that any of them would now be able to document the settings they used in the period 2018/2019.

In view of the evidentiary situation, the Norwegian Data Protection Authority has decided to base the decision on Disqus' explanation of the scope of the profiling. In light of the overall picture of evidence, the Norwegian Data Protection Authority cannot assume that it is more probable than not that one or more of the Norwegian websites were categorised.
Nor can the Norwegian Data Protection Authority base this decision on it being more probable than not that the data subjects covered by this case were profiled by Disqus.

5.5 About behaviour-based marketing

The Norwegian Data Protection Authority assumed in the notice that Disqus used the collected personal data to display behaviour-based marketing on p3.no, tv2.no/broom, khrono.no, adressa.no, rights.no and document.no. We further assumed that Norwegian users may have been shown behaviour-based marketing when visiting foreign websites where Disqus is present.

Disqus has indicated in its comments that in the ad-supported version of the service it shows ads in the comment field that are contextual, based solely on the content of the website where the ads are displayed. The Norwegian Data Protection Authority sees no basis in the case's evidence to contest this claim, and we therefore assume that Disqus has not used the collected personal data to display behaviour-based marketing in the comment field module (the Disqus widget) on the Norwegian websites.

As regards other use of the personal data for marketing purposes, we understand Disqus' comments on the notice to mean that the company cannot rule out that it has used the personal data of data subjects in Norway for purposes related to behaviour-based marketing. However, this presupposes that the data subjects were profiled, which the Norwegian Data Protection Authority, on the evidence in the case, cannot establish as more probable than not, cf. point 5.4 above. Against this background, nor can the Norwegian Data Protection Authority assume that it is more probable than not that Disqus directed behaviour-based marketing at the data subjects on the basis of the personal data collected from the Norwegian websites.
5.6 Sharing of data with third parties

Disqus has confirmed that it shared all the collected personal data in real time with the parent company Zeta Global. However, the company has disputed that the information was also shared with Viglink and LiveRamp, as the Norwegian Data Protection Authority assumed in the notice. The basis for the Norwegian Data Protection Authority's assumption that the personal data was also shared with Viglink and LiveRamp was information in Disqus' privacy policy as well as information that appeared in the media.

NRK Beta's journalist has, however, made the Norwegian Data Protection Authority aware that the tests carried out by the consulting company Conzentio showed that no data was shared with LiveRamp. The Norwegian Data Protection Authority does not have access to the report from Conzentio, which could possibly have substantiated sharing of data with Viglink. On this basis, we take as the basis for this case Disqus' information that it only shared personal data from the Norwegian websites with Zeta Global.

5.7 Number of affected data subjects

Disqus has informed the Norwegian Data Protection Authority that it immediately deleted personal data about Norwegian data subjects when it became aware that the GDPR applies in Norway. Since the data had been deleted when the Norwegian Data Protection Authority opened the supervisory case, it has not been possible for Disqus to indicate exactly how many Norwegian data subjects had their personal data processed by the company. However, Disqus has stated that 10,377 people registered a user account in the comment field service on one of the Norwegian websites during the period. Furthermore, it has confirmed that it also collected data on visitors to the sites in question who did not register a user account, with the exception of visitors who had activated settings in their browser to disallow cookies.
The Norwegian Data Protection Authority has not carried out its own investigations into the number of visitors to the websites in question in the period. However, based on the information from Disqus, we assume that it shared with the parent company Zeta Global personal data on 10,377 registered users in addition to an unknown number of unregistered visitors to the websites in question that used the ad-supported version of the Disqus widget.

6. The Norwegian Data Protection Authority's legal assessment

6.1 The relationship with Section 2-7 b of the Electronic Communications Act

The use of cookies is specifically regulated in Section 2-7 b of the Electronic Communications Act, which implements Article 5(3) of the EU ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector). It follows from the first sentence of Section 2-7 b of the Electronic Communications Act that:

"[s]toring information in the user's communication equipment, or gaining access to such, is not permitted without the user being informed about which information is being processed, the purpose of the processing, who processes the information, and having consented to this."

As the wording shows, the provision first regulates the storage of information on the data subject's device, for example via a browser. Furthermore, the provision regulates access to the information stored on the device. The preparatory works to the provision (Prop. 69 L (2012-2013), p. 102) state that it is "designed so that it is the act itself - storing or retrieving information - which is covered". The actual collection of personal data that takes place via Disqus Cookies, and the company's retrieval of the relevant personal data from the data subjects' devices, is therefore covered by the scope of Section 2-7 b of the Electronic Communications Act.
The further processing of the personal data to which Disqus has gained access via Disqus Cookies, however, falls outside the scope of Section 2-7 b of the Electronic Communications Act, and is thus regulated by the general rules of the GDPR. This interpretation is also supported by the EDPB's opinion on the relationship between the GDPR and the ePrivacy Directive (Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities, see especially paragraph 41). The Norwegian Data Protection Authority has limited the inspection to Disqus' subsequent processing of personal data only.

6.2 Assessment of the legal basis for the subsequent processing of personal data

Article 6(1) GDPR requires that all processing of personal data has a legal basis. In its comments on the notice, Disqus stated that it had obtained valid consent to the subsequent processing of personal data to which this case relates.

It follows from Article 6(1)(a) that processing is lawful if "the data subject has given consent to the processing of his or her personal data for one or more specific purposes". The term "consent" is defined in Article 4(11) GDPR as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". Furthermore, Article 7(1) GDPR states: "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."

In its comments on the notice, Disqus has stated that the company "obtained consent to the use of cookies and subsequent processing of collected personal data in accordance with NKOM guidelines that were valid until 27 November 2019". (Our emphasis.)
Disqus has further stated that the Norwegian Data Protection Authority must refer to Nkom's guidelines when assessing whether Disqus obtained sufficient consent for the subsequent processing.

The requirements for valid consent under the Electronic Communications Act, as the legal situation was in the period in question when the processing of personal data took place, did not correspond to the requirements for consent under the GDPR. The legislator also made this visible in the preparatory works to Section 2-7 b of the Electronic Communications Act, which state: "For practical reasons, the requirement for consent does not coincide with the requirement for consent under the Personal Data Act." (Prop. 69 L (2012-2013), p. 102.)

For the record, we point out that the Norwegian Data Protection Authority has not taken a position on whether Disqus obtained valid consent under the Electronic Communications Act for the placement of cookies and retrieval of information from them, as this falls outside the scope of the Norwegian Data Protection Authority's investigation of the case. The subsequent processing to which the present supervisory case relates is, however, regulated not by the Electronic Communications Act but by the GDPR, cf. the discussion in point 6.1 above. The GDPR is fully harmonised, and the requirement for consent must be interpreted uniformly across the Regulation's geographical area of application.
This means that the individual member states are not free to define for themselves what constitutes valid consent under the Regulation, and it is therefore not relevant to look at Nkom's interpretation of the consent requirement under the Electronic Communications Act.

Disqus has indicated that the legal basis for the subsequent processing was consent in the form of preset settings in the data subjects' browsers. It follows from the provisions reproduced above that several conditions must be met for consent to be considered valid under the GDPR. In the Norwegian Data Protection Authority's assessment, it is clear that a general preset in the data subject's browser does not fulfil the conditions for valid consent under Article 6(1)(a) GDPR, cf. Article 4(11). Even if an active action were required to activate the setting, such consent would not be:

• freely given, in that consent cannot be given for every purpose
• specific, as the consent is not linked to the specific processing purpose
• informed, because one cannot understand what one consents to in such a general consent
• unambiguous, in that the controller cannot be certain that the data subject intended to consent to its subsequent use of data from cookies, nor can it demonstrate this in accordance with Article 7(1) GDPR
• withdrawable as easily as it was given

As for the 10,377 people who registered a user account with Disqus, the company has stated that, as part of the registration process, ticking a box consenting to marketing was mandatory. In its statement, Disqus' parent company Zeta Global has itself expressed that these "consents" do not comply with the requirements for consent under the GDPR.
The Norwegian Data Protection Authority agrees with this assessment.

Based on the above, we conclude that Disqus had not obtained valid consent under Article 6(1)(a) GDPR, cf. Article 4(11), for disclosing personal data in real time to the parent company Zeta Global. Disqus has not cited any other legal basis for the disclosure of personal data to Zeta Global, and nor can the Norwegian Data Protection Authority see that any other legal basis in Article 6 is relevant.

6.3 The principle of lawfulness

Article 5 GDPR sets out basic principles for the processing of personal data. It follows from Article 5(1)(a) that personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject". The requirement for a legal basis in Article 6(1) is an expression of the principle that personal data must be processed lawfully (the principle of lawfulness). Processing of personal data without a valid legal basis is unlawful, and thus also a breach of the principle of lawfulness in Article 5(1)(a).

6.4 Summary of the Norwegian Data Protection Authority's conclusions

In summary, the Norwegian Data Protection Authority concludes that the special rule in Section 2-7 b of the Electronic Communications Act does not regulate the subsequent processing activities that are the subject of this case. It is thus the general rules of the GDPR that apply to the processing. The Norwegian Data Protection Authority further concludes that Disqus had no legal basis in Article 6(1) for disclosing personal data in real time to the parent company Zeta Global. The processing of the data subjects' personal data was therefore also in breach of the principle of lawfulness that follows from Article 5(1)(a) GDPR.
In view of the evidentiary situation in the case, we have not considered it appropriate to pursue the other points included in the notice.

7. Reprimand

A reprimand is an administrative reaction whose purpose is to express criticism of the breaches of the rules in question. A reprimand may be given weight in a later assessment of whether to impose an infringement fee if there is a corresponding breach of the rules, cf. Article 83(2)(i) GDPR.

Processing of personal data without a valid legal basis, as in this case, generally indicates that the infringement is serious and that the supervisory authority should react with an infringement fee. In some cases, however, there are circumstances which indicate that a reprimand is the appropriate reaction.

In this case, an infringement fee was originally notified for breach of the data protection rules. As explained in point 5, Disqus disagrees in several areas with the facts on which the Norwegian Data Protection Authority based the notice. As mentioned, the Norwegian Data Protection Authority does not have access to the report from Conzentio, which could have further documented some of the claims that Disqus disputes in its comments on the notice. For reasons of evidence, the Norwegian Data Protection Authority has therefore, on several points, based its decision on Disqus' claims about the actual circumstances in its comments on the notice. The breach of the data protection rules that the Norwegian Data Protection Authority has found substantiated in this decision is thus of a far smaller scope and severity than the supposed violations that originally formed the basis of the notice.

Furthermore, this case has regrettably been subject to a long processing time at the Norwegian Data Protection Authority. In accordance with the practice of the Privacy Appeals Board (Personvernnemnda), we have given weight to the passage of time in our assessment of the final sanction.
We refer to the Privacy Appeals Board's decisions in cases PVN-2022-3, PVN-2021-20, PVN-2021-16, PVN-2021-13 and PVN-2021-3. Based on the above, and after an overall assessment, we have concluded that a reprimand is the most appropriate form of reaction in this case.

8. Right of appeal

Disqus Inc. can appeal against the decision on reprimand. Any appeal must be sent to the Norwegian Data Protection Authority within three weeks of receipt of this letter, cf. Sections 28 and 29 of the Public Administration Act. If we uphold our decision, we will forward the case to the Privacy Appeals Board for processing of the appeal.

9. Publicity and transparency

We would like to inform you that all documents are in principle public, cf. Section 3 of the Freedom of Information Act. If you believe there are grounds for exempting all or part of the document from public inspection, we ask you to give reasons for this.

With kind regards

Line Coll
Director

Miriam Karlsen
Senior legal adviser

The document is electronically approved and therefore has no handwritten signatures.