Personvernnemnda (Norway) - PVN-2022-22: Difference between revisions

From GDPRhub

Revision as of 13:58, 3 October 2023

Personvernnemnda - PVN-2022-22
Court: Personvernnemnda (Norway)
Jurisdiction: Norway
Relevant Law: Article 9 GDPR
Decided: 27.09.2023
Published:
Parties: Grindr
Datatilsynet
National Case Number/Name: PVN-2022-22
European Case Law Identifier:
Appeal from: Datatilsynet
20/02136-18
Appeal to:
Original Language(s): Norwegian
Original Source: PVN-2022-22 (in Norwegian)
Initial Contributor: Sophia Hassel

The Norwegian Privacy Appeals Board (Personvernnemnda) upheld the Norwegian DPA’s decision to fine Grindr NOK 65 million (approximately € 5,8 million).

English Summary

Facts

In 2020, the Norwegian Consumer Council (NCC), with the assistance of noyb’s legal analysis, filed a complaint to the Norwegian Data Protection Authority against the dating app Grindr. The Norwegian DPA fined Grindr NOK 65 million for failing to collect users' valid consent for sharing data with third parties for profiling and advertising purposes from the Grindr App (Datatilsynet - 20/02136-18).

This decision was appealed by Grindr in February 2022. Grindr argued that it does not process special categories of data, that it had obtained valid consent, that there was no legal basis for imposing an infringement fee and that the DPA had misinterpreted Article 83 GDPR when applying the fine.

The Norwegian DPA re-considered the case but found no reason to change its decision. The DPA submitted the case to the Norwegian Privacy Appeals Board (Personvernnemnda) in December 2022. Both Grindr and the NCC were given the opportunity to submit comments.

In August 2023, Grindr requested the right to attend and speak during the case under section 5(5) of the Regulations on the processing of personal data, and requested that the Board's consideration of the case be postponed until the Court of Justice had ruled on cases C-446/21 and C-21/23.

Holding

The Board considered the wording of section 5(5), which states that “the Data Protection Board may in individual cases decide that complainant or others shall be given the right to attend and speak during the Board's consideration of a case". The Board took the wording of "in individual cases" to mean that oral proceedings are an exception to the normal case processing, which is in writing. The use of “may” instead of “shall” also suggested that the Board had free discretion to assess whether the exemption applies or not. The Board considered the case sufficiently well informed to make a decision and did not find it necessary to hold an oral proceeding. The Board also found no basis to postpone the case pending the decisions of the Court of Justice of the European Union.

The Board decided that Grindr's disclosure of information to advertising partners involves a disclosure of special categories of information. There was no doubt that Grindr's disclosure of information, including disclosure of App ID and IP address, constitutes disclosure of personal data under Article 4(1). The question for the Board was whether the additional information, that the person in question is a registered Grindr user, could constitute information covered by Article 9(1) GDPR. The Board concluded that the information that a person is a registered user of the dating app Grindr is in itself information about a "person's sexual relations or sexual orientation" and is therefore sensitive data. The Board also relied on the case of OT v Vyriausioji tarnybinės etikos komisija, C-184/20, as the CJEU opted for a wide interpretation of data protection concepts, especially in relation to special categories of data and what could ‘reveal’ a person’s sexual orientation. The Board also found support for its conclusion in C-252/21 Meta Platforms and Others (Conditions générales d’utilisation d’un réseau social), where Meta Platforms Ireland's collection of information about users' visits to gay dating websites, as well as information that users themselves have entered on such websites and apps, were covered by Article 9(1) GDPR.

Grindr does not have a valid basis for processing for its disclosure of information. The Board concluded that Grindr did not obtain valid consent under Article 6(1) GDPR. The standard for consent when processing special categories of data is higher and must be explicit. Clicking “I accept” on a privacy policy cannot be understood as explicit consent, as it could also be interpreted as the user simply acknowledging that the information has been provided. In addition, Grindr's consent mechanism was, in the Board’s assessment, not designed in such a way that the user can freely decide whether personal data should or should not be disclosed to advertising partners. Opting out of the marketing resulted in changes to the app, undermining the ability of the consent to be “freely given.” Lastly, the consent was not specific or informed, as the privacy policy was unclear on how data was being shared with third party advertising companies.

infringement fee and the size


English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

PVN-2022-22 Grindr - disclosure of personal data without valid consent - infringement fee


The Norwegian Privacy Board's decision on 27 September 2023 (Mari Bø Haugstad, Bjørnar Borvik,
Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten
Goodwin, Malin Tønseth)



The Norwegian Data Protection Authority's reference 20/02136-18

The case concerns a complaint from Grindr LLC (now Grindr Inc.) against the Norwegian Data Protection Authority's decision of 13 December 2021, in which the supervisory authority imposed an infringement fee of NOK 65,000,000 on Grindr for disclosing personal data of a special category, without a legal basis, in the period 20 July 2018 to 7 April 2020, cf. the personal data protection regulation article 6 no. 1 and article 9 no. 1.


The course of action
On 14 January 2020, the Norwegian Data Protection Authority received three complaints against Grindr, which the Consumer Council, in collaboration with the European Center for Digital Rights (noyb), submitted on behalf of a Norwegian registered user of Grindr. The data subject himself wished to remain anonymous, and attached to the complaint was a "power of attorney for representation in a matter which is submitted pursuant to Article 80 (1) in the General Data Protection Regulation". The complaints concerned Grindr's sharing of personal information about its Norwegian users with various analysis and advertising companies for use in marketing. The complaints were based on findings in the Consumer Council's report "Out of control: How consumers are exploited by the online advertising industry", and a technical report prepared by the company Mnemonic on behalf of the Norwegian Consumer Council.

The case before the tribunal concerns Grindr's disclosure of personal data to its advertising partners, not the further processing of the information by these advertising partners. The various advertising partners have therefore also not acted as parties in the case before the Norwegian Data Protection Authority.

The Norwegian Data Protection Authority asked Grindr for an explanation on 24 February 2020. Grindr explained its processing of personal data on 22 May 2020.

On 24 January 2021, the Norwegian Data Protection Authority sent a notification that it was considering imposing on Grindr an infringement fee of NOK 100,000,000 for having shared personal data about its Norwegian users with its advertising partners without legal basis. A copy of the notice was sent to the Consumer Council.

Grindr gave its comments to the notice on March 8, 2021. The Consumer Council gave its comments to the notice on 15 March 2021.



The Privacy Board, PO Box 6805 St. Olavs plass, 0130 Oslo. Telephone: (+47) 90299216. E-mail: post@pvn.no. Website: www.personvernnemnda.no


The Norwegian Data Protection Authority asked for a further explanation from Grindr on 29 April 2021. Grindr gave its statement on 2 June 2021. The Consumer Council commented on Grindr's statement on 6 October 2021. There was a further exchange of letters between the Norwegian Data Protection Authority and Grindr in autumn 2021, with a letter from the Norwegian Data Protection Authority on 11 October 2021 and a letter from Grindr to the Norwegian Data Protection Authority on 19 November 2021.


The Norwegian Data Protection Authority made the following decision on 13 December 2021:

   "In accordance with the personal data protection regulation article 58 no. 2 letter i, Grindr is ordered to pay an
   infringement fee of NOK 65,000,000 - sixty-five million - for

    • having disclosed personal data to advertising partners without a valid legal basis, in
        violation of the personal data protection regulation article 6 no. 1
        and
    • having disclosed special categories of personal data to advertising partners without
        meeting any of the exceptions to the prohibition in the Personal Data Protection Regulation Article 9 No. 1"

The Norwegian Data Protection Authority's decision is available in Norwegian and English versions. The tribunal deals with the Norwegian version.

After being granted a deadline extension, Grindr timely appealed the decision on 14 February 2022. The Consumer Council gave its opinion on the complaint on 24 March 2022. The Norwegian Data Protection Authority assessed the complaint, but found no grounds for changing its decision. The case was forwarded to the Privacy Board on 6 December 2022. Both Grindr and the Consumer Council were informed of the case in a letter from the tribunal on 8 December 2022 and had the opportunity to make comments. Grindr has submitted comments in letters on 10 February and 20 March 2023. The Consumer Council has submitted comments on 3 and 31 March 2023.

The comments from Grindr and the Consumer Council prompted an additional statement from the Norwegian Data Protection Authority, particularly related to the assessment of subjective guilt at Grindr. The additional statement is given in a letter of 8 March 2023.

During the case preparation in the tribunal, there has been further correspondence with the Norwegian Data Protection Authority, Grindr and the Norwegian Consumer Council to clarify the facts, including which facts the Norwegian Data Protection Authority has based its decision on and whether there is disagreement about the facts.


In a letter dated 8 August 2023, Grindr requested the right to meet and speak during the tribunal's consideration of the case, and also requested that the tribunal's processing of the case in any event be postponed until the Court of Justice of the European Union has decided cases C-446/21 and C-21/23. The request was maintained in a letter of 15 September 2023. Grindr has referred to the regulations on the processing of personal data § 5, fifth paragraph, which stipulates that "The Privacy Board may, in individual cases, decide that complainants or others must be given the right to meet and speak during the tribunal's processing of a case". The wording "in individual cases" indicates that oral proceedings are an exception to the normal proceedings in the Privacy Board, which are in writing. According to the provision's wording, the Privacy Board has completely free discretion when assessing whether the exemption provision should be applied. The provision uses the word "may", as opposed to "shall", and no further criteria are specified for the exercise of discretion. The tribunal therefore assumes that it is the tribunal's general duty of investigation and information which is decisive for whether oral proceedings are to be conducted, cf. the Public Administration Act § 17.

The case has been dealt with over several meetings, on 25 April, 31 May, 20 June and 14, 15 and 27 September 2023, and the tribunal has received extensive written submissions from all parties to the case in several rounds. The tribunal considers the matter sufficiently informed to make a decision and has not found it necessary to conduct oral negotiations.

With regard to the issue of postponement of the tribunal's consideration of the case pending the Court of Justice of the European Union's decisions in case C-446/21 and case C-21/23, Grindr has pointed out that the outcome, and the Court's clarifications related to the interpretation of Article 9 of the regulation, can have a direct impact on the case here. The Privacy Board will return to the question of the scope of Article 9, and it suffices here to mention that the tribunal has found no basis to postpone the case pending the European Court of Justice's decisions in the aforementioned cases.


The Privacy Board had the following composition during the case: Mari Bø
Haugstad (leader), Bjørnar Borvik (deputy leader), Hans Marius Graasvold, Ellen Økland
Blinkenberg, Hans Marius Tessem, Morten Goodwin and Malin Tønseth. Head of Secretariat
Anette Klem Funderud was also present.


The fact of the matter
Grindr Inc. is an American company that operates a location-based social network and a
mobile application (app) for online dating aimed at gay, bisexual, transgender and queer people
(LGBTQ+). The purpose of the Grindr app is to facilitate the sharing of information between users
and has approximately millions of active users worldwide.


The app has an ad-based version that can be downloaded and used without costing money
(the free version). Users can upgrade to paid subscription versions. During the time period
for this case, two payment versions were offered, respectively "XTRA" or
"Unlimited", which includes more features and is without ads.

The case concerns Grindr's disclosure of personal information about its users in Norway in the period from the privacy regulation coming into force on 20 July 2018 and until Grindr changed its consent mechanism on 8 April 2020. Grindr has stated that for the calendar years 2018, 2019 and 2020 had average or active monthly users in Norway. Most of these (stated as approx.%) used the free version of the app and received advertisements from third parties.

During the period in question, Grindr collected personal data from users and disclosed some of the personal data to various advertising companies that offer personal data to advertisers for use in targeted/behaviour-based marketing. Several of these advertising companies reserve the right to share personal data with their partners. It appeared from Grindr's privacy statement that the company disclosed personal data to advertising partners. One of the advertising partners was named as an example, and users were given the opportunity to follow a link to this advertising partner's privacy policy. The personal information that was handed over to the advertising companies was:


    • Advertising Identifier (Ad-ID): A unique identifier used by advertising platforms to track user interactions with advertisements
    • IP address
    • Technical information about the user's device and operating system, such as version of operating system, device model and screen resolution
    • Self-reported age
    • Self-reported gender, provided that the user had reported either male or female
    • Geographical location based on GPS coordinates
    • App ID that identifies the origin of this information from Grindr

By collating this information, advertising companies could track individual users' interaction with the ads, find out which ads a user has clicked on, and to what extent the user has visited other websites or apps with the same advertising company, as well as knowing that the person concerned was a registered user of Grindr.


The personal information that was handed over to the advertising companies was partly used by
the advertising companies for advertising purposes in Grindr's app, and partly they were passed on by
the advertising companies to other businesses that the advertising companies cooperated with for use
on other platforms.

In the consent mechanism that applied in the period in question, the terms of use ("GRINDR TERMS AND CONDITIONS OF SERVICE") were first shown in full. When the user pressed "Proceed", a window appeared with the text "I accept the Terms of Service", and with the clickable answer options "Cancel" and "Accept". Then the user was presented with the privacy policy ("GRINDR PRIVACY AND COOKIE POLICY"). It is in this policy that the relevant wording on the disclosure of personal data to advertising partners, with the purpose of exposing users to behaviour-based marketing, appears. When the user pressed "Proceed" here, a new window appeared with the text "I accept the Privacy Policy", and with the clickable response options "Cancel" and "Accept".

The privacy statement was presented in the language the user specified on the device (language setting). If Grindr did not offer the language the user had selected, the user received the privacy policy in English. Users with a Norwegian language setting got the privacy statement in English unless they chose another foreign language.

If the user did not accept the user terms and privacy policy, further registration was not possible and the user would not be able to use the app.

It was not possible to opt out of the disclosure of personal data to advertising partners in the Grindr app itself. Under the heading "How We Use Your Information" in the privacy policy, the user is informed in bullet point 12 ("Third Party Advertising Companies") first about which personal data is disclosed to advertising partners. About the user's option to opt out of behaviour-based marketing, it says in the same bullet point:


   "See the YOUR CHOICES section of this policy for information on your ability to opt-out
   of interest-based advertising."

The detailed procedure for how the user could opt out of behaviour-based marketing was presented in the privacy policy in this way in bullet point 3 under the heading "Your Choices":

   "Behavioral Advertising Within The Grindr App. If you are using the Grindr Services on
   an Apple iOS device, you can opt out of behavioral targeting by going into Settings >
   Privacy > Advertising on your iOS device, or visiting Apple's website for more
   information. To opt out on an Android device, open the “Google Settings,” click on “Ads”
   and enable “Opt out of interest based ads.”"

In the period in question, users who wanted to opt out of behaviour-based marketing therefore had to make changes to the device's operating system that not only had an impact on the Grindr app, but had similar consequences for all apps that were downloaded to the user's device. When it came to the disclosure of location data to advertising partners, the user could choose to hide this personal information from Grindr by changing the settings in the device's operating system that only have consequences for the use of Grindr. One of the app's functions is to find potential partners within the same geographical location. By turning off access to geographic location from the operating system, the Grindr app thus also lost this function.

Personal information about the Grindr users was disclosed to the advertising partners when the user pressed "Accept" and completed the registration the first time. Only after the user had finished the registration was the person given an ongoing opportunity to upgrade to a paid version ("XTRA" or "Unlimited"), which was without third-party advertising and without sharing personal data with the advertising companies. It was only stated that the paid versions were advertising-free, and this was not presented as a right to opt out of handing over personal data to advertising partners. It was not possible to create a user profile directly in the paid versions without first going the route of creating a profile in the free version by registering and accepting the terms of use and the privacy policy.

Grindr has stated that the company started work on putting a new consent mechanism in place in June 2019. The new consent mechanism within the EEA was launched on 8 April 2020 and was in place before Grindr gave its explanation to the Norwegian Data Protection Authority in May 2020. The Norwegian Data Protection Authority states that the new consent mechanism has not been assessed by the supervisory authority, and it is therefore not part of this case. The Norwegian Data Protection Authority has nevertheless given weight to the change in its assessment of the fee.


Briefly about the Norwegian Data Protection Authority's decision
The Norwegian Data Protection Authority assumed that Grindr has no main establishment in the EEA, cf. Article 4 no. 16, and that the relevant processing of personal data therefore does not constitute "cross-border processing" in accordance with Article 4 no. 23. The Norwegian Data Protection Authority has authority to perform tasks in accordance with Article 55 No. 1 to safeguard the privacy of users on Norwegian territory.

The Norwegian Data Protection Authority has firstly concluded that Grindr did not have a valid processing basis for the disclosure of personal data in the Personal Data Protection Regulation article 6 no. 1 letter f (consent). Grindr did not meet the conditions that consent must be a "voluntary", "specific", "informed", "unequivocal" expression of will, and that it must be "as easy to withdraw as to give", cf. Article 4 No. 11 and Article 7.

Secondly, the Norwegian Data Protection Authority has concluded that Grindr, by sharing information about its users, has disclosed information of a special category, cf. the personal data protection regulation article 9 no. 1: "information about a physical person's sexual relationship or sexual orientation". Disclosure of information about the data subject together with information that the data subject is a Grindr user is sufficient for the information to fall under Article 9 No. 1.

The sharing of information of a special category is prohibited unless there is a legal basis in Article 9 no. 2. According to the Norwegian Data Protection Authority's assessment, there is no such legal basis, neither according to Article 9 no. 1 letter a (consent) nor letter e (information which it is obvious that the data subject has made public).

After concluding that Grindr has violated the privacy regulation, the Norwegian Data Protection Authority goes through the points the supervisory authority considers relevant for the assessment of whether an infringement fee shall be imposed in accordance with the Personal Data Protection Regulation article 83 no. 2 letter a to k. The Norwegian Data Protection Authority finds that both the subjective and the objective conditions for imposing an infringement fee have been met, and that the nature, severity and duration of the violation, as well as the presence of several aggravating circumstances, point in the direction that an infringement fee is appropriate.

The Norwegian Data Protection Authority had notified an infringement fee of NOK 100,000,000. In its final decision the infringement fee was reduced and set at NOK 65,000,000. The supervisory authority justified the reduction by the fact that Grindr's turnover was at the lower end of what the authority had assumed in the notice, and that the changes Grindr implemented to remedy the identified shortcomings in the app were given weight as a mitigating factor.


Grindr's complaint in a nutshell
Grindr does not share special categories of information
Downloading and using the app does not reveal any information about the user's specific sexual orientation. The app represents the modern, inclusive LGBTQ+ community of sexual orientations and gender identities. The app has no requirements that users must identify as LGBTQ+ or qualify as "sexual minority - gay, bi, trans or queer", or "community of peers". The app is open to users of all sexual orientations, including users who are unsure of their sexual orientation.

The Norwegian Data Protection Authority consistently argues for a broad interpretation of the data protection regulation Article 9, first paragraph. However, such an interpretation will only apply where the relevant information expressly identifies individuals as "sexual minorities" according to the Norwegian Data Protection Authority's understanding.

In the Ebab case from March 2017 (VG 6 L 250.17, BreckRS2017, 107622), the administrative court in Berlin confirmed that any indirect indication relating to special categories of personal data is not sufficient to justify the application of the personal data protection regulation, article 9, first paragraph. The same must apply here.

The Norwegian Data Protection Authority's interpretation will have major ripple effects, as any application that is aimed at the heterosexual community, the LGBTQ+ community or both will process data about a natural person's sexual relationships or sexual orientation regardless of the purpose of sharing, simply because the source of the shared information is a service that targets individuals who have a particular sexual orientation.

The general prohibition against processing information about persons' sexual relationships or sexual orientation according to Article 9 No. 1 only applies when the processing serves or may serve a prohibited purpose, for example to determine a person's sexual orientation. Grindr does not process users' data to draw any conclusions about their sexual orientation. Grindr neither tracks nor classifies users based on their sexual orientation. It is emphasized that Grindr also does not share information about sexual orientation with advertising partners.

The Norwegian Data Protection Authority's assumptions about Grindr users' sexual orientation also open the possibility that the connection to a number of other services or platforms can be defined as special categories of personal data. All information shared by mobile applications to politically oriented organizations (such as organizations that specifically target conservatives) will automatically be considered as special categories of personal data in accordance with Article 9, if one assumes that the political views in the organization are reflected in the users, as the Norwegian Data Protection Authority proposes. Similarly, users of an application or website aimed at heterosexuals will be subject to Article 9 of the Personal Data Protection Ordinance just because sexual orientation can be inferred through the users' use of these services.

The Norwegian Data Protection Authority's approach will create far-reaching and disproportionate obligations for every organization that looks after a community of interests.

Grindr has obtained valid consent for its sharing of information
Grindr obtained valid consent from users of the application's free version for processing of limited data for advertising purposes in line with applicable industry standards. Grindr processed this information only if users allowed such sharing in the device's operating system. These users had further agreed to Grindr's terms of use and Grindr's privacy policy, and decided not to buy the paid version of the application.

Grindr's obtaining of user consent for sharing data with advertising partners in the period from 20 July 2018 to 7 April 2020 must be assessed in light of the norms and privacy practices in the adtech community at that time. The Norwegian Data Protection Authority has assessed Grindr's previous consent practice based on an interpretation of the requirements for valid consent that has no support in the wording of the provisions of the Personal Data Protection Ordinance or in the guidance existing at the time of the alleged violation. At the time of the alleged violation, Grindr could not anticipate the decisions of the European Court of Justice, statements from the EU Advocate General or the European Data Protection Board (EDPB) on the interpretation of the consent requirements referred to by the Norwegian Data Protection Authority.


Grindr's procedure for obtaining user consent for sharing certain data fields with
advertising partners in the period in question fulfilled the requirement for voluntariness, cf. Article 4 no. 11.
Users were provided with readily available information about the sharing of certain data for advertising purposes.

At the time in question, there was no legal obligation or interpretation from the European Court of Justice
that required obtaining separate consents through separate opt-in functions for
each individual purpose. The Norwegian Privacy Council's guidelines 05/2020 on consent are not a binding
legal source, and Grindr was not obliged to follow them.

Although the Norwegian Data Protection Authority's guidelines recommend asking for separate consents if
the data processing concerns several purposes, this is not an absolute requirement. It does not constitute a
violation of the regulation not to follow this recommendation. The Privacy Council's guidelines
do not exclude, and cannot exclude, that it is possible to ask users for consent for several purposes
at the same time, provided the user receives specific information about each purpose in advance of
the processing.

Grindr made it clear to users that those who did not want to use a paid subscription could
use the free version that is supported by third-party ads, both in that it said "Ads help keep
Grindr free" on the ads, and through the privacy statement that explained the users' rights and
options when it came to sharing data. Grindr notes that the app offers the ability to
buy a paid subscription immediately after the user account has been created, and before it is decided
which self-reported data fields are filled in to complete the public profile.

The user's data was not used for advertising purposes if the user withdrew their consent.
The advertising partner would then only process technical information that is necessary to deliver
contextual ads (mobile type, operating system, etc.). Consequently, users could
refuse/withdraw consent without negative consequences.

Grindr is under no obligation to provide its services free of charge.


The requirement that the consent must be specific must be seen in the context of Article 5 no. 1 letter
b on purpose limitation. In the privacy policy, under the title "Where We Share" and
the subtitle "Third Party Advertising Companies", the wording "deliver personalized
advertising" is clearly formulated with a limited purpose. Grindr has thus specified specific
purposes for its processing activities.


The law does not require that information on the sharing of data with advertising partners be presented separately
from other information that the controller is obliged to provide. Grindr has complied with
the information requirements set out in Article 13 and recital 42 of the regulation.
The privacy policy was accurate, comprehensive, in plain language and structured with titles and
subtitles. Through the statement, users could familiarize themselves with the identity of the
controller and the purposes of the processing of the personal data, cf.
recital 42. The privacy policy was available on the internet and through a link in Google
Play and the App Store.

The privacy policy was displayed in its entirety during the registration process and states specifically,
and in clear and unambiguous language, that users will receive advertisements regardless of whether they have
consented to the sharing of data for marketing purposes. The double consent mechanism,
which required a clear and affirmative action, allowed Grindr to register users'
unequivocal consent. Users had to tick two boxes placed in different places on
the screen. The boxes were not ticked in advance. It was very unlikely that consent was
registered incorrectly.

Imposition of infringement fees

There is no legal basis for imposing an infringement fee
Grindr has not breached Article 6 No. 1 or Article 9 and there is no legal basis to
impose an infringement fee in accordance with Article 83 no. 1.

Subsidiarily, it is stated that the general conditions for imposing an infringement fee are not
met. The imposition of an infringement fee requires clear and distinct legal authority, as well as
ascertainment of guilt (negligence or intent) on the part of a person acting on behalf of
the business on which a fee is imposed. These conditions are not met.

According to the basic principle of legal certainty that applies in EEA law and in Norwegian
administrative law, a clear legal basis is required. The imposition of an infringement fee must
also be based on "objective, non-discriminatory criteria which are known in advance to the
undertakings concerned", cf. the EFTA Court, case E-9/11
section 100. Such a clear legal basis and previously known "objective, non-discriminatory
criteria" do not exist in this case.


The substantive conditions in Article 6 No. 1 and Article 9 No. 1 were, in the period from 20 July 2018 to
7 April 2020, not sufficiently clear and distinct to provide the legal certainty required
in accordance with Norwegian constitutional and administrative law principles, EEA law and the ECHR,
when these requirements are applied to Grindr's procedure for obtaining user consent in the
period in question. The considerable uncertainty about the understanding of Articles 6 and 9 at that
time must be taken into account.

The Norwegian Data Protection Authority has given a new interpretation of the rules with retroactive effect, contrary to the prohibition in
Section 97 of the Constitution, as well as the principle of legality in Section 113 and the principle of proportionality as it
appears, for example, in EU law and is reflected in EEA law.


The person who has acted on behalf of the undertaking that is subject to an infringement fee pursuant to Article 83
must have shown negligence or intent with regard to the violation, cf. HR-2021-797-A.
The Norwegian Data Protection Authority has not documented guilt on the part of any specific persons acting on behalf
of Grindr. A decision must be made as to who has been negligent on behalf of Grindr
with regard to the violations of Articles 6 and 9. Nor has the Authority substantiated intent or
negligence by pointing to a particular act or cause of the breach, or to anything that could have
prevented the alleged infringement. The Norwegian Data Protection Authority's assumption that there is
"anonymous intent" is based on a legal argument that is not tenable.

Violation of general principles for the imposition of infringement fees

The Norwegian Data Protection Authority's assessments and decisions do not meet the requirements for efficiency and
proportionality.

The Norwegian Data Protection Authority has not given any assessment of whether other corrective measures would be suitable for
the alleged infringement. Reference is made in particular to the fact that Grindr had already, on its own initiative,
implemented OneTrust CMP and changed its practice for obtaining consent when the Norwegian Data Protection Authority
made its decision. The Norwegian Data Protection Authority's assessment is based on the previous practice, which is no longer
relevant.

The fee is also contrary to the basic Norwegian and European principle of equality and
recital 11 of the regulation. Several national supervisory authorities do not impose a fee, but give
criticism, possibly in combination with an order to ensure compliance with Article 6 no. 1 and Article 9
no. 1.

The assessment of the various elements in Article 83
The Norwegian Data Protection Authority has not sufficiently taken into account all relevant factors in Article 83
no. 2. The infringement fee is not effective, and is not reasonably proportionate to
the violation, cf. Article 83 no. 1.

The size of the infringement fee is also disproportionate. Relatively speaking, the
fee is one of the highest that has been imposed for a breach of the privacy regulation within the
EEA, cf. the presented overview of agreed infringement fees in Europe. The infringement fee is
not proportionate to the alleged violation, cf. Article 83 no. 1, and deviates from established
practice. It has not been taken into account that the alleged infringement occurred for a limited period and
ceased two years before the Authority imposed a fee. Nor has Grindr's implementation
of new procedures for obtaining consent been taken into account; these give the user detailed control over the sharing
of information from the app, including simple choices such as "Allow all" or "Reject all" for
advertising purposes.


Grindr then reviews the various factors referred to in Article 83 no. 2
letters a–k.


The Norwegian Privacy Board's assessment
The Norwegian Data Protection Authority's and the Norwegian Privacy Board's competence
Grindr is a US-based company and has no establishment within the EEA. The Personal Data Act
and the Personal Data Protection Regulation nevertheless apply to the processing of personal data about
registered users located in Norway if the processing is linked to:


   a. the offering of goods or services to such registered persons in Norway, regardless of whether
      payment is required from the registered person or not, or
   b. the monitoring of their behaviour, to the extent that their behaviour takes place in Norway,

cf. Personal Data Act § 4 second paragraph letters a and b.


There is no doubt that Grindr's disclosure of personal data about its users constitutes
processing of personal data in accordance with the Personal Data Act and the Personal Data Protection Ordinance,
and that Norwegian law applies. The Norwegian Data Protection Authority's competence then follows from
Section 20 of the Personal Data Act, and the Personal Protection Board is the appeals body, cf.
Section 22 of the Personal Data Act.


The parties to the case
Although it has no direct bearing on this case, the tribunal finds it appropriate to say
something about the Consumer Council's role in the case. The Norwegian Data Protection Authority has assumed that the Consumer Council acts
on behalf of a Grindr user who has approached the Consumer Council, but who does not himself
wish to advance the case. Reference is made to Article 80 of the Personal Data Protection Regulation as the basis for
this representation.

Article 80 of the Personal Data Protection Regulation reads:

   1. The registered person shall have the right to give a non-profit body or a non-profit organization or
      association established in accordance with the national law of a Member State, which has
      statutory purposes which are in the public interest, and which is active in the area of
      protection of data subjects' rights and freedoms with regard to the protection of their
      personal data, authorization to complain on behalf of the person concerned, exercise the rights
      mentioned in articles 77, 78 and 79 on behalf of the person concerned and exercise the right to receive
      compensation referred to in Article 82 on behalf of the person concerned if it is stipulated in
      national law of the Member States.
   2. Member States may provide that any body or organization or
      association mentioned in no. 1 of this article, regardless of a registered person's power of attorney, in
      said Member State has the right to complain to the supervisory authority that has competence in
      accordance with article 77, and to exercise the rights mentioned in articles 78 and 79 if
      it considers that the data subject's rights pursuant to this regulation have been infringed
      as a result of the processing.


The Consumer Council is not a non-profit organisation, but an administrative body which, according to its own
website, is to "guide consumers and influence society in a consumer-friendly direction".
The Consumer Council therefore does not fall under the type of organizations that, on
assessment, can be given the right of representation according to Article 80.


In any case, the tribunal assumes that Article 80 refers to the Member States' national law when
it concerns the data subject's right to be represented by others, cf. the concluding words "if
it is laid down in the national law of the Member States". In Norwegian law, there are rules about this in
the Administration Act as regards administrative matters, and in the Disputes Act as regards matters before
the courts.

In cases before the courts, it follows from § 1-4 of the Disputes Act, cf. § 1-3, that public bodies tasked
with promoting special interests can bring legal action in their own name on matters that
lie within the public body's purpose and natural scope to look after. As for
who can complain about a case to the Norwegian Data Protection Authority, it is the registered person himself.
The data subject's right to be assisted by a proxy is regulated in Section 12 of the Administration Act, which in its
second paragraph, first sentence, provides:

   "Any person of legal age, or an organization of which the person in question is a member,
   can be used as a proxy."


The Administration Act therefore does not allow the Consumer Council to act as a proxy
on behalf of a registered person. The tribunal therefore assumes that the Consumer Council is not a party to this
case.

Another matter is that the Consumer Council, as a public authority with a mission to protect
consumers' rights in particular, is free to approach the Norwegian Data Protection Authority about matters it considers
important and which it believes the Norwegian Data Protection Authority should look into more closely. Furthermore, the Norwegian Data Protection Authority is not
dependent on having a complainant or a representative of a complainant in order to open a supervisory case against
someone who processes personal data. The tribunal has, independently of the Consumer Council's
lack of party status, found it appropriate to obtain views and input from
the Consumer Council as part of the work to inform the case, cf. Section 17 of the Administration Act.

The tribunal then moves on to consider the substantive issues in the case. The tribunal will first
assess whether Grindr's disclosure of information to advertising partners involves a
disclosure of special categories of information. The tribunal then assesses whether Grindr has a
valid processing basis for the disclosure of information, before the question of an
infringement fee and its size is assessed.

Does Grindr provide special categories of information, cf. the personal data protection regulation article 9?
There is no doubt that Grindr's disclosure of information, including disclosure of App ID and
IP address, constitutes disclosure of personal data, cf. Article 4 no. 1. Which
information constitutes a special category of information, and is thus subject to
special protection according to the personal data protection regulation, follows from Article 9 no. 1. The provision reads:


   "Processing of personal data on racial or ethnic origin, political
   opinion, religion, philosophical belief or trade union membership, as well as
   processing of genetic information and biometric information for the purpose of
   unambiguously identifying a natural person, health information or information about a natural
   person's sexual relationship or sexual orientation is prohibited."


In this case, the question is whether Grindr's disclosure of information about its users to its
advertising partners involves a disclosure of "a physical person's sexual relationship or
sexual orientation". What information Grindr provides is explained above under
"The fact of the matter". No information about sexual relationships is disclosed beyond the information
that the person in question is a registered Grindr user.

The question for the tribunal is whether this represents information covered by Article 9 no. 1.


The tribunal has come to the conclusion that the information that a person is a registered user of the dating
app Grindr is in itself information about a "person's sexual relationship or sexual
orientation", and that Grindr's disclosure of this type of information thus entails a
processing of information that is covered by the prohibition in Article 9 no. 1. The tribunal will
justify its position in more detail below.


The tribunal will first point out that the purpose of the Personal Data Protection Regulation is to ensure the protection of natural
persons' fundamental rights and freedoms, in particular their right to protection of
personal data, cf. Article 1 no. 2. Personal data covered by the special
categories of information in Article 9 no. 1 are given special protection. It appears from
recital 51 of the regulation that this is personal data which is, by its nature, particularly sensitive
with regard to fundamental rights and freedoms, and which deserves special protection,
as the context in which it is processed can create significant risks for the fundamental
rights and freedoms. However, it is not the context or purpose of the processing
that determines whether the information is of a special category. It is the selected types of information in
themselves that determine this.


The tribunal has found support for this assessment in the Grand Chamber judgment from the European Court of Justice in
case OT v Vyriausioji tarnybinės etikos komisija, C-184/20, from 1 August 2022. The case concerned a
Lithuanian administrative agency's online publication of declarations related to private interests for
public officials. The publication was made as part of transparency obligations under national
law for combating corruption. In the lists/declarations that were published, some
information of an obvious/presumed sensitive nature had been removed. However, the lists still contained
information about the name of a cohabitant, spouse or partner. The question in the case was whether
publication of such information was capable of indirectly revealing sexual orientation etc.,
and therefore constituted a processing of special categories of information.

The European Court of Justice assumed that the term "special categories of personal data" in Article 9
no. 1 must be interpreted broadly and concluded that, to be covered by the term, it is sufficient that
information about a natural person's sexual orientation can indirectly be derived from
the information, see paragraphs 119-128. The Court holds that a broad interpretation of the provision
has support in the purpose of the personal data protection regulation, which is to "ensure a high level of
protection of natural persons' fundamental rights and freedoms, especially the right
to privacy", see paragraphs 125 to 126.

In paragraphs 127-128, the European Court of Justice states:


   "Consequently, these provisions cannot be interpreted in such a way that the processing of
   personal data which may indirectly reveal sensitive information about a natural person is
   excepted from the enhanced protection scheme laid down in the aforementioned provisions,
   as the effectiveness of this scheme and the protection of natural persons'
   fundamental rights and freedoms, which it aims to secure, would otherwise
   be put in danger.

   In view of all the above-mentioned considerations, the answer to the second question must be that
   article 8, subsection 1, in Directive 95/46 and the data protection regulation, Article 9, subsection 1, shall
   be interpreted as meaning that publication of personal data on the website of the public
   authority whose task is to collect and control the content of declarations about
   private interests, which may indirectly result in the disclosure of information about a natural
   person's sexual orientation, constitutes a processing of special categories of
   personal data within the meaning of these provisions."

Grindr is a social network and online dating mobile application aimed at gay, bisexual,
transgender and queer people. Grindr markets itself as the world's largest social
networking application for "gay, bi, trans and queer people", and the application is marketed
as "Grindr - Gay Dating & Chat" on the App Store and as "Grindr - Gay chat" on Google
Play. Although users on Grindr have many different sexual orientations, including
heterosexual orientation, by registering a profile on Grindr you will be associated with the LGBTQ+
community. Although the specific orientation does not appear, the information that
you are a user of Grindr indicates that you very likely have a sexual orientation that is
different from the majority. In the tribunal's view, this is sufficient for the information to be covered by
Article 9 no. 1.

The tribunal does not see that the Ebab case, which Grindr has referred to, is relevant to the question in this
case. The Ebab case concerned the disclosure of personal information about gay-friendly landlords who
wanted to rent housing to gays. The court assumed that there was no basis for an
inference that the landlords were gay even though they described themselves as gay-friendly.
Registering as a user on a gay, bisexual, transgender and queer dating website
signals a stronger attachment to an environment that says something about sexual orientation than
describing oneself as gay-friendly does. As the facts were different, the case is not considered
relevant, and it is not necessary to go into more detail about the weight of this decision as a legal source.

The tribunal emphasizes that the prohibition in Article 9 no. 1 against the processing of information about a
"natural person's sexual relationship or sexual orientation" does not only apply to sexual
minorities, but embraces all sexual relationships and orientations. The wording of the provision is
neutral and does not provide grounds for distinguishing between minority and majority. On this basis, the tribunal
assumes that a dating site explicitly for heterosexuals will also fall under the
same rules.


The tribunal finds support for its position in the European Court of Justice's Grand Chamber decision C-252/21 of
July 4, 2023 (the Meta case). The case concerned Meta Platforms Ireland's collection and
compilation of information about users' visits to other websites and apps, for
example dating websites for gays, as well as information that users themselves have entered on
such websites and apps. One of the questions that the European Court of Justice ruled on was whether
collection and further compilation of information relating to users' visits and
input on the websites/apps constitutes processing of special categories of information
because the websites contain information covered by Article 9 no. 1. The European Court of Justice
assumed that the dating websites in question, which the users had visited and registered on,
contained information covered by Article 9 no. 1.

In section 73, the Court of Justice concludes that:


   "In view of the above, the answer to the second question, letter a), must be that
   the data protection regulation's article 9, subsection 1, shall be interpreted such that, if a user
   of an online social network visits websites or uses applications connected
   with one or more of the categories referred to in this provision, and possibly enters
   information there by creating a profile or placing online orders, the
   processing of personal data by the operator of this online social network,
   which consists in the collection of information from visits to these websites or use of
   these applications as well as the information entered by the user through interfaces,
   cookies or similar storage technologies, the compilation of all this information
   with the user's account on the social network and the operator's use of said
   information, is to be considered to constitute 'processing of special categories of personal data'
   as referred to in this provision, which is in principle prohibited subject to
   the exceptions in this regulation's article 9, subsection 2, when this processing of information
   can reveal information that is covered by one of these categories, regardless of whether the information
   concerns a user of this network or any other natural person."

In the tribunal's view, the EU Court's statements in the Meta case are relevant to the question in this
case, despite the fact that it did not deal with the question of disclosure of special categories of
personal data, but rather the question of collection and further compilation of
such information. As explained above, the tribunal believes that people who register a profile
on Grindr will be associated with the LGBTQ+ community, and the tribunal therefore assumes that
information about use of the Grindr app is covered by Article 9 no. 1. When the EU Court of Justice in
the Meta case concludes that Meta Platforms Ireland's collection and compilation of
information about visitors to gay dating websites constitutes processing of special
categories of personal data, the tribunal believes that such websites' - in this case
Grindr's - disclosure of the same type of information for similar compilation purposes also constitutes
processing of information that is covered by Article 9 no. 1 of the personal protection regulation.

The tribunal therefore assumes that Grindr has provided special categories of information
to its advertising partners. The tribunal does not share Grindr's concerns about any negative
ramifications of this conclusion, as lawful processing of such information may take place
by ensuring good and informative processes for obtaining consent in line with the law's
requirements.

Has Grindr obtained valid consent for its disclosure of information?
In order for the processing of personal data to be lawful, it must have a legal basis.
The legal bases for the processing of personal data are set out in
Article 6 no. 1 of the personal protection regulation. It follows from Article 6 no. 1 letter a that consent
is one of several possible bases for processing.

The legal definition of consent in Article 4 No. 11 reads as follows:

   "... any voluntary, specific, informed and unequivocal expression of will by the data subject whereby
   the person concerned, by means of a declaration or a clear confirmation, gives his consent to the processing
   of personal data concerning the person concerned."

Since the tribunal has concluded above that Grindr, when disclosing personal data to
advertising partners, has processed special categories of personal data, it follows from
Article 9 no. 2 that the processing – to be legal – must meet the conditions in one of
the alternatives in Article 9 no. 2. It follows from Article 9 no. 2 letter a that the registered person must have
given "express" consent to the processing of such information.


The regulation does not explain in more detail what is involved in the requirement that the registered person has given
"express consent". The tribunal assumes that the wording "expressly" does not
involve a stricter consent requirement compared to the requirement in Article 6 no. 1 that
the consent must be an "unequivocal expression of will". The central point for both requirements is that
there must be no doubt that consent has been given.

As regards the requirement in Article 4 no. 11 that the expression of will must be "unequivocal",
recital 32 provides some guidance. The consent will be unequivocal if it has been given:

   "... e.g. in the form of a written, including electronic, or an oral declaration. This can
   involve ticking a box during a visit to a website, choosing technical settings for
   information society services or any other statement or action which in this
   context clearly shows that the data subject accepts the proposed processing of
   the person's personal data. Silence, pre-ticked boxes or inactivity
   should therefore not constitute consent."


The key thing is that the registered person has acted in a way that clearly shows that the person concerned
accepts the processing. The tribunal assumes that this also forms the core of the requirement of "express
consent" in Article 9 no. 2 letter a. Such an interpretation also harmonizes best with
the controller's duty under Article 7 no. 1 of the regulation to demonstrate that consent
has been given.


The Norwegian Privacy Council's guidelines on consent (Guidelines 05/2020 on consent under
Regulation 2016/679) also state that it is the data subject's expression of will itself that is
central to the requirement for unambiguity/expressiveness. In section 75, which deals in more detail with
the content of the requirement that the expression of will must be "unequivocal", it says, among other things, that "…consent
requires a declaration or clear confirmation from the data subject, which means that consent
must always be given by an active action...", and in section 77 it is further specified that:


   "A "clear confirmation" implies that the registered person must have acted deliberately to give
   consent to the treatment in question. There are further guidelines on this in
   recital 32. Consent can be obtained by written or (recorded) oral declaration,
   including electronically."

And in section 93, which deals with the more detailed content of the requirement in Article 9 no. 2 letter a that
the consent must be "express", the Norwegian Privacy Council states the following:

   "The term expressly denotes the manner in which the registered person gives consent. It
   means that the registered person must submit an express declaration of consent. It would be
   logical to have the consent expressly confirmed in a written declaration. Where it is
   appropriate, the data controller can ensure that the written declaration is
   signed by the registered person, so that in the future there is no doubt and
   no risk of a lack of evidence." [Italics in original]

The tribunal is of the opinion that, if the requirement for unambiguity/expressiveness is to have an
independent meaning, other flaws in the consent mechanism - if it is
designed so that the consent cannot be said to be voluntary, specific and informed - cannot be an
obstacle to the expression of will itself fulfilling the requirement of unambiguity/expressiveness.


Grindr's consent mechanism in the period in question is explained initially under "Facts of the case".
In its decision, the supervisory authority has expressed that the wording "I accept the
Privacy Policy" cannot necessarily be understood as an unequivocal or express consent,
but can just as well be understood as the data subject simply acknowledging that the information has been provided.
In the tribunal's view, this appears to be a rather strained interpretation of the wording, and the tribunal considers
that the wording, in combination with the user having clicked on the answer option
"Accept", constitutes express consent that meets the regulation's requirements on this point.

In continuation of this, the tribunal will, for the sake of clarity, add a comment on that part of
the consent mechanism which involves the user, by making changes to the device's
operating system, being given the opportunity both to opt out of behaviour-based marketing and to
prevent Grindr from getting access to location data. The tribunal is of the opinion that it is most
obvious to include these aspects of the consent mechanism in the assessment of whether
consent is given voluntarily.

The tribunal then moves on to assess the other three requirements included in the assessment of
whether a valid consent has been given to the disclosure of personal data to advertising partners,
namely whether the consent is voluntary, specific and informed. As already pointed out above, there are
close ties and partial overlap between these three requirements. The tribunal has come to the conclusion that
Grindr's consent mechanism, in the period to which this case applies, did not fulfil
the regulation's requirement for valid consent, and will explain in more detail below its
assessment of the central shortcomings of the consent mechanism linked to these three requirements.


The tribunal assumes that the core of the requirement that consent be voluntary is
personal autonomy. The consent mechanism must be designed in such a way that the persons
who must give their consent are given real choices in terms of how the personal data should be
processed. In recital 42, it is stated that the consent:

   "... shall not be considered voluntary if the data subject does not have a real freedom of choice, or
   is not able to refuse to give or withdraw consent without it being detrimental to
   the person in question."

Much the same is also pointed out by the Norwegian Data Protection Authority in section 13 of the guidelines on
consent:

   "The element 'free' implies that the registered persons have a real choice and control. It is generally
   determined in the data protection regulation that a consent is invalid if the data subject is not
   able to make a real choice, if the data subject feels compelled to give
   consent, or if there will be negative consequences if the data subject does not
   consent. …"


The consent mechanism of Grindr, as explained under "Facts of the case", is in
the tribunal's assessment not designed in such a way that the user can freely decide on the question
of whether or not personal data should be disclosed to advertising partners.

The consent mechanism meant that users who wanted to opt out of behaviour-based
marketing had to make changes to the device's operating system that not only had an
impact on the Grindr app, but had similar consequences for all apps that were
downloaded to the user's device. Such an arrangement of the consent mechanism placed the user in
a forced situation where the person concerned either had to accept that the personal data was
disclosed to Grindr's advertising partners, or had to make changes to the device's operating system
which had consequences for all apps downloaded on the device. In
the tribunal's assessment, this indicates that it cannot be assumed that the user had voluntarily consented
to the disclosure of personal data to advertising partners.


However, when it comes to the disclosure of location data to advertising partners, the user could choose
to hide this personal information from Grindr by changing settings in the device's
operating system that only had consequences for the use of Grindr. If the user chose
not to share location data with Grindr, the app also had reduced functionality. Although the app
could no longer be used to contact gay, bisexual, trans and queer people who
were nearby, it is the tribunal's assessment that the app still made it possible for
users to come into contact with other gay, bisexual, transgender and queer people. The choice
with which the user was faced here when it came to the provision of location data is, in the tribunal's
view, not such as to deprive the decision of its voluntary character.

The consent mechanism of Grindr in the relevant period was designed so that it was only after
the registration was complete that the registered person was offered to buy a subscription to one of
the paid versions. That the user, after registration has been completed, is given the opportunity to purchase a
subscription has, as the tribunal sees it, no impact on the question of whether the consent
which was already given in connection with the user accepting the privacy policy was
voluntary. The tribunal agrees with Grindr that they do not have a duty to offer a free dating app, and
the tribunal recognizes that a key feature of the business model of social media and
applications is that the registered persons "pay" for the use of social media and applications by
accepting that their personal data is used commercially, for example by
being handed over to advertising partners. Had the user, before the registration process ended, been given
the choice between using the free version of the app or purchasing one of the two paid versions
of the app, this would have pointed in the direction that the requirement of voluntariness had been met. The user
would then have had a real choice as to whether the person concerned would pay money to use the application,
or whether the person concerned would rather "pay" with their personal data.


According to the tribunal's assessment, it is irrelevant to the assessment of whether the consent is voluntary
whether the disclosure of personal data takes place immediately after registration has been completed,
or whether it happens later. The assessment must relate to the conditions as they were at
the time when the registration was completed. It is the quality of the expression of will at this
time which is decisive for the question of whether a valid consent has been given within the
meaning of the regulation.

It is clear from point 43 of the preamble, among other things, that the consent "is assumed not to have been given
voluntarily if it is not possible to give separate consent for different processing activities". Much
the same is stated in paragraph 32. The Personal Data Protection Council refers to this as a requirement of
granularity, cf. sections 42-45 of the guidelines on consent. This appeal only concerns
the question of whether Grindr has obtained a valid consent from the users for the disclosure of
personal data to advertising partners. With such a delimitation of the case, the tribunal is of the
opinion that the facts do not provide a basis for an independent assessment of this element of
the requirement of voluntariness.

The tribunal then moves on to assess whether the consent mechanism is designed so that the consent is
specific and informed. A central starting point for this assessment can be found in Article 7 no. 2,
which reads as follows:


   "If the data subject's consent is given in connection with a written declaration which also
   applies to other circumstances, the request for consent must be submitted in a way that
   it can be clearly distinguished from the aforementioned other conditions, in an understandable and easily accessible form and
   in clear and simple language. …”


This provision must be interpreted and applied in light of the principle of openness and transparency in
article 5 no. 1 letter a, and the data subject's right to transparency and information in
articles 12 and 13.

Under the heading "How We Use Your Information" in the privacy policy, the user is informed,
among other things, about which personal data is disclosed to advertising partners. Bullet point 12
reads as follows:

   "Third Party Advertising Companies. We share your hashed Device ID, your device's
   advertising identifier, a portion of your Profile Information, Distance Information, and
   some of your demographic information with our advertising partners. … Note that we
   do not sell your personal user information to third parties for advertising purposes. Also note
   that we do not share information about your Tribe, or about your HIV status, with any
   advertising companies."

The tribunal has strong doubts as to whether this way of informing about which personal data
is disclosed to advertising partners is sufficiently specific for the consent of the user to be considered
informed. Some of the words are technical terms which, to be understandable,
presuppose an insight that the ordinary user cannot be assumed to have. Other words
have a rather unclear content. For example, no further information is given about what kind of
profile information is disclosed, only which personal data is not disclosed.

The tribunal further believes that it is a deficiency in Grindr's consent mechanism that the consent to
disclosure of personal data to advertising partners is included in the privacy policy.
This statement explains in detail how Grindr processes personal data, and has
the purpose of fulfilling the controller's duties according to the regulation's article 13. A
privacy statement is in principle not a document to which consent must be given. It is
a document of an informative nature, and thus differs from the terms of use, which
users must consent to.


Both privacy statements are structured with headings according to different themes.
The privacy policy, which applied until 31 December 2019, was structured
based on the following headings:

• What we Collect
• How We Use Your Information
• Where We Share
• Your Choices
• How We Protect Personal Information
• Miscellaneous Information

The privacy policy that applied from 1 January 2020 was expanded with a few more headings,
but this difference is irrelevant to the tribunal's assessment here. To a user without knowledge
of the actual text of the privacy policy, it will give the impression that the text is of an informative
character. The wording in the privacy policy that describes which information
is handed over to advertising partners can therefore, in the tribunal's assessment, not be clearly distinguished from other
information provided to the person who registers as a user.

The relevant wording on which information is disclosed to the advertising partners is,
in the tribunal's opinion, also not designed as a request for consent. That
the wording is included under the heading "Your Choices" does not change this. The tribunal has
moreover noted that Grindr, in the privacy policy that applied from 1 January 2020, under
the heading "How and Why We Use Your Personal Data", has prepared a table that lists
all 25 different processing purposes, and which for each of the purposes indicates the legal
basis for the processing. Processing purpose 21 applies to "Share your Personal Data with our
advertising partners", and it is explicitly stated that the legal basis for this processing
of personal data is consent ("Consent"). Even if this, read benevolently and seen in isolation,
can possibly be interpreted as a request for consent, the tribunal is nevertheless in no doubt that
these formulations, read in their context, cannot be interpreted in this way. The tribunal points out that
the table with all the processing purposes is placed under a heading that gives no
indication that the user will find here requests for the processing of personal data
to which consent must be given. The formulations in the two privacy statements therefore do not
comply with the requirement that can be derived from Article 7 No. 2.

Grindr has also stated that the paid versions of the app were presented to the user in such a
way that the requirement for specific and informed consent was met. It points out that the user is
informed that the paid versions are advertising-free, among other things with formulations such as "No banner
ads", "No more ads", "No 3rd party ads" and "ZERO third-party ads". The tribunal has above
assumed that the detailed design of the paid versions of the app is of no importance
for the assessment of whether the consent was voluntary, since the registered person was first offered to
buy a subscription to one of these after registration had been completed. The same of course applies
to the assessment of whether the consent was specific and informed; the detailed
design of the paid versions has no relevance for this assessment. The tribunal will
nevertheless briefly note that the formulations that Grindr refers to are only in a rather indirect
way suitable to communicate to the user that by choosing to buy a subscription to one of
the paid versions, the user's personal data will not be disclosed to advertising partners.
This information presupposes technical insight which the ordinary user cannot be assumed
to possess.

On this basis, the tribunal has come to the conclusion that Grindr's consent mechanism, in the period
which this case concerns, was designed in such a way that the user's consent was neither
voluntary, specific nor informed. Although the tribunal above has come to the conclusion that the consent was
express, the tribunal's conclusion is nevertheless that Grindr did not have valid consent from the
registered persons for the disclosure of personal data to advertising partners, cf. article 6 no. 1 and
article 9 no. 2.


Violation fee
Pursuant to Section 26 of the Personal Data Act, the Danish Data Protection Authority can impose on a data controller
an infringement fee according to Article 83 of the Personal Data Protection Ordinance. It also follows from Article 83
No. 5 letter a that companies that violate the provisions of Article 6 and Article 9 may be subject to an
infringement fee of up to 20,000,000 euros or up to 4% of the total global
annual turnover in the previous financial year, where the highest amount is used.


The tribunal has concluded above that Grindr has acted in breach of Article 6 no. 1 and
article 9. The objective conditions for being able to impose an infringement fee are thus
basically met.


The ban on retroactive legislation and the requirement for clear legal authority for the imposition of a fee
The Privacy Board finds reason to comment specifically on Grindr's statement that
the Norwegian Data Protection Authority's fee decision is contrary to the ban on retroactive legislation. It is
particularly pointed out that the supervisory authority has based its decision on the Norwegian Privacy Council's guidelines on consent.
These were only adopted on 4 May 2020, and Grindr has stated that these cannot be used as a basis for
the assessment of the processing of personal data that took place in the period to which this
appeal applies, namely from the time the regulation entered into force on 20 July 2018 and until
the consent mechanism was changed on 8 April 2020.

According to the tribunal's assessment, there is no evidence in the reasons for the decision that the supervisory authority has
based this on legal rules derived from these guidelines. The tribunal has in its practice
expressed that such guidelines have limited value as a source of law, but has taken as a basis
that they provide useful guidance since they give expression to administrative practice at the supervisory authorities in the EU and
EEA, cf. PVN-2020-14 and PVN-2019-02. As the tribunal reads the Authority's reasoning in the
present case, it is based on a similar view of the legal significance of
the guidelines. The authority's decision is based on the regulation's provisions.


Furthermore, Grindr states that the authority's interpretation of the regulation's consent provisions is not
expressed clearly enough in the wording, and consequently does not sufficiently meet the requirement of
predictability. Practice from the human rights court in Strasbourg (EMD) provides good
points of reference for the details of the requirement for clear legal authority and predictability in
the European Convention on Human Rights (ECHR).


The tribunal is content to refer to Sanchez v. France, Grand Chamber judgment of 15 May
2023 (application no. 45581/15). Sections 125-127 summarize - with reference to
previous judgments from the ECHR – the central elements of the requirement for clear legal authority in the ECHR:

   "... That person must be able - if need be with appropriate advice - to foresee, to a
   degree that is reasonable in the circumstances, the consequences which a given action may
   entail. … Accordingly, many laws are inevitably couched in terms which, to a greater or
   lesser extent, are vague, and whose interpretation and application are questions of practice
   … The level of precision required of domestic legislation – which cannot provide for every
   eventuality – depends to a considerable degree on the content of the law in question, the
   field it is designed to cover and the number and status of those to whom it is addressed …

   … A margin of doubt in relation to borderline facts does not therefore by itself make a
   legal provision unpredictable in its application. Nor does the mere fact that a provision is
   capable of more than one construction mean that it fails to meet the requirement of
   "foreseeability" for the purposes of the Convention.

   … The novel character of a legal question that has not hitherto been raised, particularly
   with regard to previous decisions, is not in itself incompatible with the requirements of
   accessibility and foreseeability of the law, provided the solution adopted is consistent with
   one of the possible and reasonably foreseeable interpretations ..."


Implicit in this is that the EMD accepts that the more detailed content of vaguely formulated
legal provisions must find its clarification in practice, and that this is not in conflict with the requirements of the ECHR
on clear legal authority and predictability.


It is the tribunal's assessment that the Norwegian Privacy Council's guidelines on consent lie well
within what can be deduced from the preamble and the relevant provisions of the regulation interpreted in
their context and based on the regulation's purpose of strengthening the protection of data subjects'
own personal data. In continuation of this, the tribunal will point out that these guidelines,
which were adopted on 4 May 2020, for all practical purposes imply an unchanged continuation of
the Article 29 group's guidelines on consent (Guidelines on consent under Regulation
2016/679 (WP259.01)) from 10 April 2018. In other words, the consent guidelines have
remained fixed throughout the period to which this complaint relates.

According to the tribunal's assessment, the same applies to what constitutes a special category of
information, cf. article 9 no. 1. The Norwegian Data Protection Authority's decision also represents no
new or changed interpretation of the adopted rules on this point. The Personal Data Act entered into
force on 20 July 2018, the same day as the decision incorporating the regulation into the EEA
agreement entered into force. The Personal Data Protection Regulation was adopted in the EU in April 2016 and came into force
in EU member states from 25 May 2018. Subsequent legal sources, which the Norwegian Data Protection Authority refers to in its
decision, clarify and specify what was the applicable law at the time of Grindr's disclosure
of personal data about its users to advertising partners. Such legal clarification is a
central task for the courts and does not represent any change to the legal situation.


Especially about the requirement of subjective guilt
The Supreme Court has stated in HR-2021-797-A, section 23 that it is not compatible with Article 6
No. 2 and Article 7 of the ECHR to punish an enterprise if no one has been proven guilty. The Supreme Court refers to more recent
practice from the European Court of Human Rights (ECHR) where a "mental link" is required
between the act and the actual circumstances that establish criminal liability, cf. in particular
ECtHR grand chamber judgment 28 June 2018 G.I.E.M. S.r.l. and others v. Italy (EMD-2006-1828)
and ECtHR's judgment of 20 January 2009 Sud Fondi S.r.l. and others v. Italy (EMD-2001-75909).

As a result of this legal development, and the fact that infringement fees are considered to have the character of punishment,
cf. Rt-2012-1556, Section 46 of the Public Administration Act was amended in 2022 so that a requirement of
subjective fault (negligence) is now also set out for the imposition of infringement fees on businesses and public
authorities, unless otherwise specified. The tribunal takes as the basis for its assessment in
this case that the regulation established a requirement of subjective fault (at least negligence)
on the part of the person or persons who have acted on behalf of the company for an infringement fee to
be imposed, also during the period to which this case applies.


The tribunal cannot point out who at Grindr has been responsible for choosing the previously
established solution for obtaining consent, which, according to the tribunal's assessment, represents a
violation of both article 6 no. 1 and article 9 no. 1. According to case law, it is also not a requirement
that the blame is individualized. Both anonymous and cumulative errors can form the basis for
liability when imposing a corporate penalty, cf. HR-2022-1271-A, section 46-50.


The choice of technical solution and procedure for obtaining user consent was undoubtedly a
conscious choice on Grindr's part, which implies a deliberate violation of
the personal data protection regulation. If this, as stated, was due to ignorance on the part of Grindr
of which requirements the Personal Data Protection Ordinance set for obtaining consent for the disclosure of
users' personal data to advertising partners, it is in any case an ignorance that
is not excusable and thus without significance for the tribunal's assessment of whether the subjective
conditions are met.

There is thus an intentional infringement, and both the subjective and objective conditions for
imposing an infringement fee are fulfilled.

Assessment of whether an infringement fee should be imposed and assessment of the fee
The question for the tribunal is, after this, whether according to the Personal Protection Ordinance, Article 83 no. 2
an infringement fee must be imposed, and if it is imposed, how much the fee must be.


It follows from Article 83 No. 1 that the imposition of an infringement fee in each individual case shall
be effective, be proportionate to the infringement and act as a deterrent. Both in
the assessment of whether a fee should be imposed and when calculating the fee, account must be taken of
the elements of the personal data protection regulation article 83 no. 2 letters a to k.


It is central to this assessment to look at the nature, severity and
duration of the infringement, cf. article 83 no. 2 letter a. It follows from the provision that account must be taken of
the nature, extent or purpose of the processing in question, as well as the number of registered persons who are affected and
the extent of the damage they have suffered.

In this case, it concerns the disclosure of special categories of information about a large
number of users without valid consent having been obtained for this. It concerns an
intentional infringement that lasted almost two years, in the period from 20 July 2018 to 7 April
2020. The illegal disclosure of personal data was based on a desire for
financial gain at Grindr. The tribunal assumes that the sale of personal data for
use in behaviour-based marketing has contributed to the financing of the service and contributed to
Grindr's earnings. The tribunal agrees with the Norwegian Data Protection Authority that profiling for targeted
marketing is a form of processing of personal data that can be perceived as
intrusive and often seems opaque and unclear to the data subjects. It is aggravating
that Grindr was aware that their disclosure of information to various advertising partners also
involved a further dissemination of the information beyond Grindr's control.

The tribunal agrees with the Norwegian Data Protection Authority that the low number of complaints about the app is not a matter that
must be given additional weight in the mitigating direction. A lack of complaints may partly be due to a lack of
knowledge on the part of the registered persons about what rights they have and partly a lack of knowledge about
what happens to their personal data if they choose to register as a user with
Grindr. The tribunal refers to what has been said above about what information was given to
the users and the availability of this information.


As regards the significance of any technical and organizational measures pursuant to Articles 25
and 32, cf. article 83 second paragraph letter d, in the tribunal's opinion this has little significance
when it concerns an intentional disclosure of personal data without a valid legal
basis.

In addition to Grindr handing over information covered by Article 9 no. 1 (information about a
person's sexual relationship or sexual orientation), information about the
data subject's geographical location is also disclosed. The tribunal agrees with the Norwegian Data Protection Authority that the processing of
this category of information requires careful consideration. GPS location can be particularly
revealing of the lives and habits of those registered, and can be used to derive large amounts of
information. For example, location data may reveal where the data subject works and where he
or she lives. The data can also be used to reveal potentially sensitive information such as
religion through religious meeting houses, or sexual orientation through the places that are
visited. The tribunal shares the Norwegian Data Protection Authority's assessment that the processing of the registered person's
geographic location, depending on the circumstances, can be very intrusive and has a potential
for abuse if the information is shared with data controllers who have such wishes.

The tribunal has then come to the conclusion that it is correct to impose an infringement fee on Grindr, cf.
§ 26 of the Personal Data Act, cf. Article 83 of the Personal Data Protection Ordinance.

Both in the assessment of whether a fee should be imposed and in the assessment of the fee,
account shall, as pointed out above, be taken of the points in the Personal Data Protection Ordinance, Article 83 No. 2
letters a to k. The tribunal therefore refers to its assessment above.

It follows from the personal protection regulation article 83 no. 5 that violation of articles 5, 6, 7 and 9 shall, in
accordance with article 83 no. 2, be subject to an infringement fee of up to 20,000,000 euros or,
if it concerns an enterprise, of up to 4% of the total global annual turnover in the
previous financial year, where the highest amount is used. Grindr has in its notes to
notice of decision stated that the global turnover in 2020 was USD Det
thus becomes 20,000,000 euros, which constitutes the upper ceiling in this case.

The Danish Data Protection Authority originally notified NOK 100,000,000 in infringement fees, but reduced this
to NOK 65,000,000 in its final decision. The reduction from the original notice of
NOK 100,000,000 to NOK 65,000,000 was justified in the decision by the fact that Grindr's turnover
was in the lower tier of what the inspectorate had based the notice on, as well as that the measures Grindr implemented to
improve the shortcomings of their previous consent mechanism were given weight in a mitigating direction.

The Privacy Board has found no reason to change the amount of the fixed fee.
In its decision, the Norwegian Data Protection Authority has discussed the objections Grindr has had to the assessed fee
and given its explanation of why the fee is set higher in this case than in other cases pointed
to by Grindr. The tribunal agrees with the assessments expressed by the supervisory authority. The fee
assessed is less than 30% of the maximum amount permitted by the Personal Data Protection Ordinance in
this case. The seriousness of the infringement, in particular the number of registered persons affected, the category of
information concerned, that the infringement has been going on for almost two years, and that it concerns
an intentional act where one has deliberately chosen a technical solution that does not make it
possible to register without simultaneously "approving" the disclosure of information for use
in behaviour-based marketing, indicates that the infringement fee is not considered disproportionate. That
the technical solution allows for opt-out after registration does not change the tribunal's assessment of
this. A fee of NOK 65,000,000 is considered necessary to have a sufficient deterrent
effect.

The tribunal notes that, in the assessment, it has not given weight to the fact that the consent mechanism has been
changed, as the new technical solution has not been assessed by the Norwegian Data Protection Authority and the tribunal.
The tribunal assumes that Grindr aligns itself with the requirements that the privacy regulation
sets and which the tribunal has explained in this case.

Grindr does not succeed in the complaint.


Conclusion
The Norwegian Data Protection Authority's decision is upheld.



The decision is unanimous.


                                 Oslo, 27 September 2023




                                     Mari Bø Haugstad
                                           Manager