Personvernnemnda (Norway) - PVN-2022-22: Difference between revisions
No edit summary |
No edit summary |
||
Line 64: | Line 64: | ||
}} | }} | ||
The Norwegian Privacy Appeals Board (Personvernnemnda) upheld the Norweigen DPA’s decision to fine Grindr NOK 65 million (approximately € 5,8 million). | The Norwegian Privacy Appeals Board (Personvernnemnda) upheld the Norweigen DPA’s decision to fine Grindr NOK 65 million (approximately € 5,8 million). In particular the board confirmed Grindr's processing of sensitive personal data under [[Article 9 GDPR]] their lack of valid consent to do so under [[Article 6 GDPR|Article 6(1) GDPR.]] | ||
== English Summary == | == English Summary == | ||
Line 75: | Line 75: | ||
The Norweigen DPA re-considered the case but found no reason to change its decision. The DPA submitted the case to the Norwegian Privacy Appeals Board (Personvernnemnda) in December 2022. Both Grindr and the NCC were given the opportunity to submit comments. | The Norweigen DPA re-considered the case but found no reason to change its decision. The DPA submitted the case to the Norwegian Privacy Appeals Board (Personvernnemnda) in December 2022. Both Grindr and the NCC were given the opportunity to submit comments. | ||
In August 2023, Grindr requested the right to attend and speak during the case under [https://lovdata.no/dokument/LTI/forskrift/2018-06-15-876 section 5(5) of the Regulations on the processing of personal data,] and requested that the Board's consideration of the case be postponed until the Court of Justice had ruled on cases [ | In August 2023, Grindr requested the right to attend and speak during the case under [https://lovdata.no/dokument/LTI/forskrift/2018-06-15-876 section 5(5) of the Regulations on the processing of personal data,] and requested that the Board's consideration of the case be postponed until the Court of Justice had ruled on cases [https://curia.europa.eu/juris/fiche.jsf?id=C%3B446%3B21%3BRP%3B1%3BP%3B1%3BC2021%2F0446%2FP&nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-446&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lgrec=en&lg=&cid=3298842 C-446/21 Schrems v Facebook Ireland] and [https://curia.europa.eu/juris/liste.jsf?nat=or&mat=or&pcs=Oor&jur=C%2CT%2CF&num=C-21%252F23&for=&jge=&dates=&language=en&pro=&cit=none%252CC%252CCJ%252CR%252C2008E%252C%252C%252C%252C%252C%252C%252C%252C%252C%252Ctrue%252Cfalse%252Cfalse&oqp=&td=%3BALL&avg=&lgrec=en&lg=&page=1&cid=3099852 C-21/23 Lindenapotheke] which are both to do with prelimary references about | ||
=== Holding === | === Holding === | ||
Line 84: | Line 84: | ||
Grindr did not have a valid basis for processing for its disclosure of information because the Board concluded that Grindr did not obtain valid consent under [[Article 6 GDPR|Article 6(1) GDPR.]] The standard for consent when processing special categories of data is higher and must be explicit. Clicking “I accept” on a privacy policy cannot be understood as explicit consent as it could also be interpreted as the user simply acknowledging that the information has been provided. In addition, Grindr's consent mechanism, was in the Board’s assessment not designed in such a way that the user can freely decide whether personal data should or should not be disclosed to advertising partners. Opting out of the marketing resulted in changes to app undermining the ability of the consent to be “freely given.” Lastly, the consent was not specific or informed as the privacy policy was unclear on how data was being shared with third party advertising companies. | Grindr did not have a valid basis for processing for its disclosure of information because the Board concluded that Grindr did not obtain valid consent under [[Article 6 GDPR|Article 6(1) GDPR.]] The standard for consent when processing special categories of data is higher and must be explicit. Clicking “I accept” on a privacy policy cannot be understood as explicit consent as it could also be interpreted as the user simply acknowledging that the information has been provided. In addition, Grindr's consent mechanism, was in the Board’s assessment not designed in such a way that the user can freely decide whether personal data should or should not be disclosed to advertising partners. Opting out of the marketing resulted in changes to app undermining the ability of the consent to be “freely given.” Lastly, the consent was not specific or informed as the privacy policy was unclear on how data was being shared with third party advertising companies. | ||
The Board agreed with the Norwegian DPA that Grindr had infringed both [[Article 6 GDPR|Article 6(1)]] and [[Article 9 GDPR]]. The objective conditions for imposing | The Board agreed with the Norwegian DPA that Grindr had infringed both [[Article 6 GDPR|Article 6(1)]] and [[Article 9 GDPR]]. The objective conditions for imposing a fine were thus in principle fulfilled. The Board dismissed Grindr’s point that the DPA had possibly followed outdated non-binding guidelines when deciding on a fine amount. The DPA’s decision was based on the provisions of the GDPR rather than the guidelines of the Norwegian Data Protection Board. The Board also dismissed the view of Grindr that subjective intent had to be proved for a fine. Regardless of whether it was through intent or ignorance, the choice of technical solution and procedure for obtaining user consent was infringent. Lastly, the Board found the fine imposed under [[Article 83 GDPR|Article 83(2) GDPR]] to be proportionate to the severity of the infringement. | ||
== Comment == | == Comment == |
Revision as of 09:21, 4 October 2023
Personvernnemnda - PVN-2022-22 | |
---|---|
Court: | Personvernnemnda (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 9 GDPR Article 6(1) GDPR Article 83(2) GDPR |
Decided: | 27.09.2023 |
Published: | |
Parties: | Grindr Datatilsynet |
National Case Number/Name: | PVN-2022-22 |
European Case Law Identifier: | |
Appeal from: | Datatilsynet 20/02136-18 |
Appeal to: | |
Original Language(s): | Norwegian |
Original Source: | PVN-2022-22 (in Norwegian) |
Initial Contributor: | Sophia Hassel |
The Norwegian Privacy Appeals Board (Personvernnemnda) upheld the Norweigen DPA’s decision to fine Grindr NOK 65 million (approximately € 5,8 million). In particular the board confirmed Grindr's processing of sensitive personal data under Article 9 GDPR their lack of valid consent to do so under Article 6(1) GDPR.
English Summary
Facts
In 2020, the Norwegian Consumer Council (NCC), with the assistance of noyb’s legal analysis, filed a complaint to the Norwegian Data Protection Authority against the dating app Grindr. The Norwegian DPA fined Grindr NOK 65 million for failing to collect users' valid consent for sharing data with third parties for profiling and advertising purposes from the Grindr App (Datatilsynet - 20/02136-18).
This decision was appealed by Grindr in February 2022. They argued that; Grindr does not process special categories of data, had obtained valid consent, that there was no legal basis for imposing a fine and that the DPA has misinterpreted Article 83 GDPR when applying the fine.
The Norweigen DPA re-considered the case but found no reason to change its decision. The DPA submitted the case to the Norwegian Privacy Appeals Board (Personvernnemnda) in December 2022. Both Grindr and the NCC were given the opportunity to submit comments.
In August 2023, Grindr requested the right to attend and speak during the case under section 5(5) of the Regulations on the processing of personal data, and requested that the Board's consideration of the case be postponed until the Court of Justice had ruled on cases C-446/21 Schrems v Facebook Ireland and C-21/23 Lindenapotheke which are both to do with prelimary references about
Holding
The Board considered the wording of section 5(5) which states that “the Data Protection Board may in individual cases decide that complainant or others shall be given the right to attend and speak during the Board's consideration of a case". The Board took the wording of "in individual cases" to mean that oral proceedings are an exception to the normal case processing, which are in writing. The use of “may” instead of “shall” also suggested that the Board had free discretion to assess whether the exemption applies or not. The Board considered the case sufficiently well informed to make a decision and did not find it necessary to hold an oral proceeding. The Board also found no basis to postpone the case pending the decisions of the Court of Justice of the European Union.
The Board decided that Grindr's disclosure of information to advertising partners involves a disclosure of special categories of information. There was no doubt that Grindr's disclosure of information, including disclosure of App ID and IP address, constitutes disclosure of personal data under Article 4(1). The question for the Board was whether the additional information, that the person in question is a registered Grindr user, could constitute information covered by Article 9(1) GDPR. The Board concluded that the information that a person is a registered user of the dating app Grindr is in itself information about a "person's sexual relations or sexual orientation" and is therefore, sensitive data. The Board also relied on the case of OT v Vyriausioji tarnybinės etikos komisija, C-184/20 as the CJEU opted for a wide interpretation of data protection concepts especially in relation to special categories of data and what could "reveal" a person’s sexual orientation. The Board also found support for its C-252/21 Meta Platforms and Others (Conditions générales d’utilisation d’un réseau social) where Meta Platforms Ireland's collection of information about users' visits to gay dating websites, as well as information that users themselves have entered on such websites and apps were covered by Article 9(1) GDPR.
Grindr did not have a valid basis for processing for its disclosure of information because the Board concluded that Grindr did not obtain valid consent under Article 6(1) GDPR. The standard for consent when processing special categories of data is higher and must be explicit. Clicking “I accept” on a privacy policy cannot be understood as explicit consent as it could also be interpreted as the user simply acknowledging that the information has been provided. In addition, Grindr's consent mechanism, was in the Board’s assessment not designed in such a way that the user can freely decide whether personal data should or should not be disclosed to advertising partners. Opting out of the marketing resulted in changes to app undermining the ability of the consent to be “freely given.” Lastly, the consent was not specific or informed as the privacy policy was unclear on how data was being shared with third party advertising companies.
The Board agreed with the Norwegian DPA that Grindr had infringed both Article 6(1) and Article 9 GDPR. The objective conditions for imposing a fine were thus in principle fulfilled. The Board dismissed Grindr’s point that the DPA had possibly followed outdated non-binding guidelines when deciding on a fine amount. The DPA’s decision was based on the provisions of the GDPR rather than the guidelines of the Norwegian Data Protection Board. The Board also dismissed the view of Grindr that subjective intent had to be proved for a fine. Regardless of whether it was through intent or ignorance, the choice of technical solution and procedure for obtaining user consent was infringent. Lastly, the Board found the fine imposed under Article 83(2) GDPR to be proportionate to the severity of the infringement.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
PVN-2022-22 Grindr - disclosure of personal data without valid consent - infringement fee The Norwegian Privacy Board's decision on 27 September 2023 (Mari Bø Haugstad, Bjørnar Borvik, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin, Malin Tønseth) The Norwegian Data Protection Authority's reference 20/02136-18 The case concerns a complaint from Grindr LLC (now Grindr Inc.) against the Norwegian Data Protection Authority's decision on 13 December 2021 where the supervisory authority imposed an infringement fee of NOK 65,000,000 on Grindr for handing over personal data of a special category, without a legal basis, in the period 20 July 2018 to 7 April 2020, cf. the personal protection regulation article 6 no. 1 and article 9 no. 1. The course of action On 14 January 2020, the Danish Data Protection Authority received three complaints against Grindr as the Consumer Council, i collaboration with the European Center for Digital Rights (noyb), submitted on behalf of a Norwegian registered user of Grindr. The data subject himself wished to remain anonymous and as an attachment the complaint followed a "power of attorney for representation in a matter which is submitted pursuant to Article 80 (1) in the General Data Protection Regulation". The complaints concerned Grindr's sharing of personal information about its Norwegian users with various analysis and advertising companies for use for marketing. The complaints were based on findings in the Consumer Council's report "Out of control: How consumers are exploited by the online advertising industry", and a technical report prepared by the company Mnemonic on behalf of the Norwegian Consumer Council. The case before the tribunal concerns Grindr's disclosure of personal data to its advertising partners, not the further processing of the information by these advertising partners. The various advertising partners have therefore also not acted as parties in the case before the Norwegian Data Protection Authority. The Norwegian Data Protection Authority asked Grindr for an explanation on 24 February 2020. Grindr explained his processing of personal data 22 May 2020. On 24 January 2021, the Norwegian Data Protection Authority sent a notification that the Norwegian Data Protection Authority was considering imposing Grindr et infringement fee of NOK 100,000,000 for having shared personal data about their Norwegian users with their advertising partners without legal basis. A copy of the notice was sent The Consumer Council. Grindr gave its comments to the notice on March 8, 2021. The Consumer Council gave its comments to the notice on 15 March 2021. The Privacy Board_____________Telephone__________E-mail:________Website:______________________________________________________________ PO Box 6805 St. Olavs plass(+47) 90299216 post@pvn.no www.personvernnemnda.no 0130 OsloPVN PVN-2022-22 Page 2 of 24 The Danish Data Protection Authority asked for a further explanation from Grindr on 29 April 2021. Grindr gave as follows statement 2 June 2021. The Consumer Council commented on Grindr's statement on 6 October 2021. There was a further exchange of letters between the Norwegian Data Protection Authority and Grindr in autumn 2021, with letters from The Norwegian Data Protection Authority on 11 October 2021 and letter from Grindr to the Norwegian Data Protection Authority on 19 November 2021. The Norwegian Data Protection Authority made the following decision on 13 December 2021: "In accordance with the personal data protection regulation article 58 no. 2 letter i, Grindr et infringement fee of NOK 65,000,000 - sixty-five million - for • to have disclosed personal data to advertising partners without a valid legal basis, i contrary to the personal data protection regulation article 6 no. 1 and • to have disclosed special categories of personal data to advertising partners without meet some of the exceptions to the prohibition in the Personal Data Protection Regulation Article 9 No. 1" The Norwegian Data Protection Authority's decision is available in Norwegian and English versions. The tribunal deals with it Norwegian version. After being granted a deadline extension, Grindr timely appealed the decision on 14 February 2022. The Consumer Council gave its opinion on the complaint on 24 March 2022. The Norwegian Data Protection Authority assessed the complaint, but found no grounds for changing its decision. The case was forwarded to the Norwegian Personal Protection Board on 6 December 2022. Both Grindr and the Consumer Council were informed of the case in a letter from the tribunal on 8 December 2022 and had the opportunity to make comments. Grindr has submitted comments in letters on 10 February and 20 March 2023. The Consumer Council has submitted comments on 3. and 31 March 2023. The comments from Grindr and Forbrukerrådet prompted an additional statement from the Norwegian Data Protection Authority particularly related to the assessment of subjective guilt at Grindr. The additional statement is given in letter 8. March 2023. During the case preparation in the tribunal, there has been further correspondence both with The Norwegian Data Protection Authority, Grindr and the Norwegian Consumer Council to clarify the facts, including which fact The Norwegian Data Protection Authority has based its decision on whether there is disagreement about the facts. In a letter dated 8 August 2023, Grindr requested the right to meet and speak during the tribunal's consideration of the case, as well as requesting that the tribunal's processing of the case be postponed in any case until the EU the court has decided cases C-446/21 and C-21/23. The request has been maintained by letter 15 September 2023. Grindr has referred to regulations on the processing of personal data § 5 fifth paragraph, which stipulates that "The Privacy Board may, in individual cases, decide that complainants or others must be given the right to meet and speak during the tribunal's processing of a case". The wording "in some cases" indicates that oral proceedings are an exception to normal proceedings i The Privacy Board, which is in writing. According to the provision's wording, the Personal Protection Board has a completely free discretion when assessing whether the exemption provision should be applied. The provision uses the word "can", as opposed to "shall", and it is not specified further criteria for the exercise of discretion. The tribunal therefore assumes that it is the tribunal's general duty of investigation and information which is decisive for whether oral treatment is to be carried out implemented, cf. the Public Administration Act § 17.PVN PVN-2022-22 Page 3 of 24 The case has been dealt with over several meetings; 25 April, 31 May, 20 June and 14, 15 and 27 September 2023 and the tribunal has received extensive written submissions from all parties to the case in several innings. The tribunal considers the matter sufficiently informed to make a decision and has not found it necessary to conduct oral negotiations. With regard to the issue of postponement of the tribunal's consideration of the case pending EU- the court's decisions in case C-446/21 and case C-21/23, Grindr has shown that the outcome, and EU- the court's clarifications related to the interpretation of the regulation article 9, can have direct impact on the case here. The Privacy Board will return to the question of the scope of Article 9 and suffices here to mention that the tribunal has found no basis to postpone the case pending the European Court of Justice's decisions in the aforementioned cases. The Privacy Board had the following composition during the case: Mari Bø Haugstad (leader), Bjørnar Borvik (deputy leader), Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem, Morten Goodwin and Malin Tønseth. Head of Secretariat Anette Klem Funderud was also present. The fact of the matter Grindr Inc. is an American company that operates a location-based social network and a mobile application (app) for online dating aimed at gay, bisexual, transgender and queer people (LGBTQ+). The purpose of the Grindr app is to facilitate the sharing of information between users and has approximately millions of active users worldwide. The app has an ad-based version that can be downloaded and used without costing money (the free version). Users can upgrade to paid subscription versions. During the time period for this case, two payment versions were offered, respectively "XTRA" or "Unlimited", which includes more features and is without ads. The case concerns Grindr's disclosure of personal information about its users in Norway i the period from the privacy regulation coming into force on 20 July 2018 and until Grindr changed its consent mechanism on 8 April 2020. Grindr has stated that for the calendar years 2018, 2019 and 2020 had average or active monthly users in Norway. Most of these (stated as approx.%) used the free version of the app and received advertisements from third parties. During the period in question, Grindr collected personal data from users and disclosed some of the personal data forwarded to various advertising companies that offer personal data to advertisers for use in targeted/behaviour-based marketing. Several of these advertising companies reserves the right to share personal data with its partners. It appeared from Grindr's privacy statement that the company disclosed personal data to advertising partners. One of the advertising partners was named as an example, and users were given the opportunity to follow one link to this advertising partner's privacy policy. The personal information that was handed over to the advertising companies were: • Advertising Identifier (Ad-ID): A unique identifier used by advertising platforms to track user interactions with advertisements • IP adress • Technical information about the user's device and operating system, such as version of operating system, device model and screen resolution • Self-reported age PVN PVN-2022-22 Page 4 of 24 • Self-reported gender provided that the user had reported either male or female • Geographical location based on GPS coordinates • App ID that identifies the origin of this information from Grindr By collating this information, advertising companies could track individual users interaction with the ads, find out which ads a user has clicked on, and to what extent the user has visited other websites or apps with the same advertising company, as well as knowing that the person concerned was a registered user of Grindr. The personal information that was handed over to the advertising companies was partly used by the advertising companies for advertising purposes in Grindr's app, and partly they were passed on by the advertising companies to other businesses that the advertising companies cooperated with for use on other platforms. In the consent mechanism that applied in the period in question, the terms of use were first ("GRINDR TERMS AND CONDITIONS OF SERVICE") shown in full. When the user pressed on "Proceed", a window appeared with the text "I accept the Terms of Service", and with the clickable answer options "Cancel" and "Accept". Then the user was presented for the privacy policy ("GRINDR PRIVACY AND COOKIE POLICY"). It is in this one the declaration the relevant wording on the disclosure of personal data to advertising partners with the purpose of exposing users to behaviour-based marketing, emerges. When the user pressed "Proceed" here, a new window appeared with the text "I accept the Privacy Policy", and with the clickable response options "Cancel" and "Accept". The privacy statement was presented in the language the user specified on the device (language setting). If Grindr did not offer the language the user had selected, the user received the privacy policy in English. Users with a Norwegian language setting got the privacy statement in English unless they chose another foreign language. If the user did not accept the user terms and privacy policy, further registration was required not possible and the user would not be able to use the app. It was not possible to reserve against the disclosure of personal data to advertising partners in the Grindr app itself. Under the heading "How We Use Your Information" i the privacy policy is informed to the user in bullet point 12 ("Third Party Advertising Companies") first about which personal data is disclosed to advertising partners. About the user's option to opt out of behaviour-based marketing, it says in the same bullet point: "See the YOUR CHOICES section of this policy for information on your ability to opt-out of interest-based advertising." The detailed procedure for how the user could opt out of behaviour-based marketing was presented in the privacy policy in this way in bullet point 3 below the heading "Your Choices": "Behavioral Advertising Within The Grindr App. If you are using the Grindr Services on an Apple iOS device, you can opt out of behavioral targeting by going into Settings > Privacy > Advertising on your iOS device, or visiting Apple's website for morePVN PVN-2022-22 Page 5 of 24 information. To opt out on an Android device, open the “Google Settings,” click on “Ads” and enable “Opt out of interest based ads.”» In the period in question, users who wanted to opt out had to do so on a behavioral basis the marketing therefore make changes to the device's operating system that not only had impact for the Grindr app, but which had similar consequences for all apps that were downloaded to the user's device. When it came to the disclosure of location data to advertising partners, the user could choose to hide this personal information from Grindr by changing the settings in the device's operating system that only have consequences for the use of Grindr. One of the app's functions is to find potential partners within the same geographical location. By turning off access to geographic location from the operating system, the Grindr app was thus lost also this function. Personal information about the Grindr users was disclosed to the advertising partners when the user pressed "Accept" and completed the registration the first time. Only after the user has finished the registration gave the person a continuous opportunity to upgrade to a paid one version ("XTRA" or "Unlimited"), which was without third-party advertising and without sharing personal data to the advertising companies. It was only stated that the paid versions were advertising-free, and not presented as a reservation right against handing over personal data to advertising partners. It was not possible to create a user profile directly in the paid versions without first going the route of creating a profile in the free version by registering and accepting the terms of use and the privacy policy. Grindr has stated that the company has started work on putting a new consent mechanism in place June 2019. The new consent mechanism within the EEA was launched on 8 April 2020 and was in place before Grindr gave its explanation to the Norwegian Data Protection Authority in May 2020. The Norwegian Data Protection Authority states that the new the consent mechanism has not been assessed by the supervisory authority, and it is therefore not part of this case. The Norwegian Data Protection Authority has nevertheless emphasized the change in its assessment of the fee. Briefly about the Norwegian Data Protection Authority's decision The Norwegian Data Protection Authority assumed that Grindr has no main activity in the EEA, cf. Article 4 no. 16, and that the relevant processing of personal data therefore does not constitute "cross-border processing" in accordance with Article 4 no. 23. The Norwegian Data Protection Authority has authority to perform tasks in accordance with Article 55 No. 1 to safeguard the privacy of users on Norwegian territory. The Norwegian Data Protection Authority has firstly concluded that Grindr was not valid processing basis for the disclosure of personal data in the Personal Data Protection Regulation article 6 no. 1 letter f (consent). Grindr did not meet the conditions that consent must be a "voluntary", "specific", "informed", "unequivocal" expression of will, and that it must be "equal as easy to withdraw as to give", cf. Article 4 No. 11 and Article 7. Secondly, the Norwegian Data Protection Authority has concluded that Grindr, by sharing information about its users, has disclosed information of a special category, cf. the personal data protection regulation article 9 no. 1: "information about a physical person's sexual relationship or sexual orientation". Delivery of information about the data subject together with information that the data subject is a Grindr user is sufficient for the information to fall under Article 9 No. 1. The sharing of information of a special category is prohibited unless legally required basis in Article 9 no. 2. According to the Norwegian Data Protection Authority's assessment, there is no such legal PVN PVN-2022-22 Page 6 of 24 basis, neither according to Article 9 no. 1 letter a (consent) nor letter e (information such as it is obvious that the data subject has published). After concluding that Grindr has broken the privacy regulation, the Norwegian Data Protection Authority goes through the points the supervisory authority considers relevant for the assessment of whether an infringement fee shall be imposed in accordance with the Personal Data Protection Regulation article 83 no. 2 letter a to k. The Danish Data Protection Authority will impose both the subjective and the objective conditions infringement fee has been met, and that the nature, severity and duration of the violation, as well as the presence of several aggravating circumstances, point in the direction of that an infringement fee is appropriate. The Norwegian Data Protection Authority had notified an infringement fee of NOK 100,000,000. In its final decision the infringement fee was reduced and set at NOK 65,000,000. The inspection justified the reduction in that Grindr's turnover was in the lower tier of what the authority had assumed the notice, and that Grindrs implemented changes to improve the pointed out shortcomings in the app emphasized in the mitigating direction. Grindr's complaint in a nutshell Grindr does not share specific categories of information Downloading and using the app does not reveal any information about the user's specific sexuality briefing. The app represents the modern, inclusive LGBTQ+ community sexual orientations and gender identities. The app has no requirements that users must identify as LGBTQ+ or qualify as "sexual minority - gay, bi, trans or queer', or 'community of peers'. The app is open to users of all sexual orientations orientations, including users who are unsure of their sexual orientation. The Danish Data Protection Authority consistently argues for a broad interpretation of the data protection regulation Article 9, first paragraph. However, such an interpretation will only apply where the relevant information is available expressly identifies individuals as "sexual minorities" according to the Danish Data Protection Authority understanding. In the Ebab case from March 2017 (VG 6 L 250.17, BreckRS2017, 107622) confirmed the administrative court in Berlin that any indirect indication relating to special categories of personal data is not sufficient to justify the use of the personal data protection regulation, article 9, first paragraph. The same must apply here. The Norwegian Data Protection Authority's interpretation will have major ripple effects as any application that corrects itself against the heterosexual, LGBTQ+ community or both, will process data about a natural person sexual relationships or sexual orientation regardless of the purpose of sharing, simply because the source of the shared information is a service that targets individuals who have one sexual orientation. The general prohibition against processing information about persons' sexual relationships or information according to Article 9 No. 1 only applies when the processing serves or may serve a prohibited purpose purpose, for example to determine a person's sexual orientation. Grindr does not process users' data to draw some conclusions about their sexual orientation. Grindr neither tracks or classifies users based on their sexual orientation. It is emphasized that Grindr nor share information about sexual orientation with advertising partners. PVN PVN-2022-22 Page 7 of 24 The Norwegian Data Protection Authority's assumptions about Grindr users' sexual orientation also open the possibility that the the connection to a number of other services or platforms can be defined as special categories of personal data. All information shared by mobile applications to politically oriented organizations (such as organizations that specifically target conservatives); will automatically be considered as special categories of personal data in accordance with Article 9, if one assumes that the political views in the organization are reflected in the users, like this The Norwegian Data Protection Authority proposes. Similarly, an application or website aimed at heterosexuals will users be subject to Article 9 of the Personal Data Protection Ordinance just because it can be inferred sexual orientation through the users' use of these services. The Norwegian Data Protection Authority's approach will create far-reaching and disproportionate obligations for everyone organization that will look after a community of interests. Grindr has obtained valid consent for its sharing of information Grindr obtained valid consent from users of the application's free version for processing of limited data for advertising purposes in line with applicable industry standards. Grindr treated only this information if users allowed such sharing in the device's operating system. These the users had further agreed to Grindr's terms of use, Grindr's privacy policy, and decided not to buy the paid version of the application. Grindr's obtaining user consent for sharing data with advertising partners in the period from 20 July 2018 to 7 April 2020 must be assessed in light of the then-existing norm and privacy practices in the adtech community. The Norwegian Data Protection Authority has assessed Grindr's previous consent practice based on a interpretation of the requirements for valid consent that has no support in the wording i the provisions of the Personal Data Protection Ordinance or in the existing guidance at the time for the alleged violation. At the time of the alleged violation could not Grindr anticipate the decisions of the European Court of Justice, statements from the EU Advocate General or The Norwegian Data Protection Authority (EDPB) on the interpretation of the consent requirements referred to by the Norwegian Data Protection Agency. Grindr's procedure for obtaining user consent for sharing certain data fields with advertising partners in the period in question fulfilled the requirement for voluntariness, cf. article 4 no. 11. Users were provided with readily available information about the sharing of certain data for advertising purposes. At the time in question, there was no legal commitment or interpretation from the European Court of Justice which made it required to obtain separate consents through separate opt-in functions for each individual purpose. The Norwegian Privacy Council's guidelines 05/2020 on consent are not binding rettskilde and Grindr were not obliged to follow these. Although the Norwegian Data Protection Authority's guidelines recommend asking for separate consents if the data processing concerns several purposes, this is not an absolute requirement. It represents no one violation of the regulation not to follow this recommendation. The Privacy Council's guidelines does not exclude, and cannot exclude, that it is possible to ask users for consent for several purposes at the same time, provided the user receives specific information about each purpose in advance the treatment. Grindr made it clear to users that those who did not want to use a paid subscription could use the free version that is supported by third-party ads, both in that it said “Ads help keep Grindr free" on the ads, and through the privacy statement that explained the users' rights options when it came to sharing data. Grindr notes that the app offers the ability to PVN PVN-2022-22 Page 8 of 24 buy a payment subscription immediately after the user account has been created, and before it is settled which self-reported data fields are filled in to complete the public profile. The user's data was not used for advertising purposes if the user withdrew their consent. The advertising partner would then only process technical information that is necessary to deliver contextual ads (mobile type, operating system, etc.). Consequently, users could refuse/withdraw consent without negative consequences. Grindr is under no obligation to provide its services free of charge. The requirement that the consent must be specific must be seen in the context of Article 5 no. 1 letter b on purpose limitation. In the privacy policy under the title "Where We Share" and the subtitle "Third Party Advertising Companies" is the wording "deliver personalized advertising" clearly formulated with a limited purpose. Grindr has thus specified specifics purposes for their treatment activities. The law does not require that information on the sharing of data with advertising partners be presented separately from other information that the controller is obliged to provide. Grindr has complied with them the requirements for information set out in the regulation article 13 and recital 42. The privacy policy was accurate, comprehensive, plain language and structured with titles and subtitles. Through the declaration, the users could familiarize themselves with the identity of it controller and the purposes of the processing of the personal data, cf. point 42. The privacy policy was available on the internet and through a link in Google Play and App Store. The privacy policy was displayed in its entirety during the registration process and is written specifically and with clear and unambiguous language that users will receive advertisements regardless of whether they have consented to the sharing of data for marketing purposes. The double consent mechanism, which required a clear and affirmative active action, allowed Grindr to register users unequivocal consent. Users had to tick off two boxes placed in different places on the screen. The boxes were not unhooked in advance. Consent was very unlikely incorrectly registered. Imposition of infringement fees There is no legal basis for imposing an infringement fee Grindr has not breached Article 6 No. 1 or Article 9 and there is no legal basis to impose an infringement fee in accordance with Article 83 no. 1. Subsidiarily, it is stated that the general conditions for imposing an infringement fee do not is available. The imposition of an infringement fee requires clear and distinct legal authority, as well as ascertainment of guilt (negligence or intent) on the part of a person acting on behalf of the business to which a fee is imposed. These conditions are not met. According to the basic principle of legal certainty that applies in EEA law and in Norwegian administrative law, a clear legal basis is required. Imposing an infringement fee must is also based on "objective, non-discriminatory criteria which are known in advance to the undertakings concerned" to impose an infringement fee, cf. the EFTA Court, case E-9/11 section 100. Such a clear legal basis and previously known "objective, non-discriminatory criteria" does not exist in this case. PVN PVN-2022-22 Page 9 of 24 The substantive conditions in Article 6 No. 1 and Article 9 No. 1 were in the period from 20 July 2018 to 7 April 2020 not sufficiently clear and distinct to provide the legal certainty required in in accordance with Norwegian constitutional and administrative law principles, EEA law and the ECHR, when these requirements are applied to Grindr's procedure for obtaining user consent therein current period. The considerable uncertainty about the understanding of Articles 6 and 9 on this the time must be taken into account. The Norwegian Data Protection Authority has given a new interpretation of the rules with retroactive effect, contrary to the prohibition in Section 97 of the Constitution, as well as the principle of legality in Section 113, as well as the principle of proportionality as it for example appears in EU law and is reflected in EEA law. The person who has acted on behalf of the undertaking that is subject to an infringement fee pursuant to Article 83 must have shown negligence or intent with regard to the violation, cf. HR-2021-797-A. The Norwegian Data Protection Authority has not documented guilt from any specific persons acting on its behalf of Grindr. A decision must be made as to who has been negligent on behalf of Grindr account of the violations of articles 6 and 9. Nor has the inspectorate substantiated intent or negligence by pointing to a particular act or cause of the breach or which could prevented the alleged infringement. The Norwegian Data Protection Authority's assumption that it exists "anonymous intent" is based on a legal argument that is not tenable. Violation of general principles for the imposition of infringement fees The Norwegian Data Protection Authority's assessments and decisions do not meet the requirements for efficiency and proportionality. The Danish Data Protection Authority has not given any assessment of whether other corrective measures would be suitable the alleged infringement. Reference is made in particular to the fact that Grindr on its own already had implemented OneTrust CMP and changed its practice for obtaining consent when the Norwegian Data Protection Authority made his decision. The Norwegian Data Protection Authority's assessment is based on the previous practice, which no longer exists relevant. The fee is also contrary to the basic Norwegian and European principle of equality and the regulation's recital 11. Several national supervisory authorities do not impose a fee, but give criticism, possibly in combination with an order to ensure compliance with Article 6 nos. 1 and 9 no 1. The assessment of the various elements in Article 83 The Norwegian Data Protection Authority has not sufficiently taken into account all relevant factors in Article 83 No. 2. The infringement fee is not effective, and is not in a reasonable relationship with the violation, cf. article 83 no.1. The size of the infringement fee is also disproportionate. Relatively speaking, the size of the fee is one of the highest that has been imposed for a breach of the privacy regulation within EEA, cf. presented overview of agreed infringement fees in Europe. The violation fee is not proportionate to the alleged violation, cf. Article 83 no. 1 and deviates from established practice. It has not been taken into account that the alleged infringement occurred for a limited period and ceased two years before the inspection imposed a fee. Grindr's implementation has also not been taken into account of new procedures for obtaining consent, which give the user detailed control over sharing of information from the app, including simple choices such as "Allow all" or "Reject all" for advertising purposes.PVN PVN-2022-22 Page 10 of 24 Grindr then has a review of the various points referred to in Article 83 in No. 2 letter a – k. The Norwegian Privacy Board's assessment The Norwegian Data Protection Authority and the Norwegian Privacy Board's expertise Grindr is a US-based company and has no establishment within the EEA. The Personal Information Act and the Personal Data Protection Regulation still applies to the processing of personal data about registered users located in Norway if the processing is linked to: a. offer of goods or services to such persons registered in Norway, regardless of whether it is required payment from the registered or not, or b. monitoring of their behaviour, to the extent that their behavior takes place in Norway cf. Personal Data Act § 4 second paragraph letter a and b. There is no doubt that Grindr's disclosure of personal data about its users constitutes a processing of personal data in accordance with the Personal Data Act and the Personal Data Protection Ordinance, and that Norwegian law applies. The Norwegian Data Protection Authority's competence then follows Section 20 of the Personal Data Act and the Personal Protection Board is the appeals body, cf. Section 22 of the Personal Data Act. The parties to the case Although it has no direct bearing on this case, the tribunal finds it appropriate to say something about the Consumer Council's role in the case. The Norwegian Data Protection Authority has assumed that the Consumer Council acts on behalf of a Grindr user who has approached the Consumer Council, but who himself has not wish to advance the case. Reference is made to Article 80 of the Personal Data Protection Regulation as a basis for this this representation. Article 80 of the Personal Data Protection Regulation reads: 1. The registered person shall have the right to give a non-profit body or a non-profit organization or association established in accordance with the national law of a Member State, which has statutory purposes which are in the public interest, and which are active in the area protection of data subjects' rights and freedoms with regard to the protection of their personal data, authorization to complain on behalf of the person concerned, exercise the rights mentioned in articles 77, 78 and 79 on behalf of the person concerned and exercise the right to receive compensation referred to in Article 82 on behalf of the person concerned if it is stipulated in national law of the Member States. 2. Member States may provide that any body or organization or association mentioned in no. 1 of this article, regardless of a registered person's power of attorney, i said Member State has the right to complain to the supervisory authority that has competence in in accordance with article 77, and to exercise the rights mentioned in articles 78 and 79 if it/it considers that the data subject's rights pursuant to this regulation have been infringed as a result of the treatment. The Consumer Council is not a non-profit organisation, but an administrative body which, according to its own website should "guide consumers and influence society in a consumer-friendly direction". The Consumer Council therefore does not fall under the type of organizations mentioned below assessment can be given the right of representation according to article 80. PVN PVN-2022-22 Page 11 of 24 In any case, the tribunal assumes that Article 80 refers to the Member States' national law when it concerns the data subject's right to be represented by others, cf. in conclusion "if it is laid down in the national law of the Member States'. There are rules about this in Norwegian law the Administration Act when it concerns administrative matters and in the Disputes Act when it concerns matters for the courts. In cases before the court, it follows from § 1-4 of the Disputes Act, cf. § 1-3 that public bodies with task to promote special interests can bring legal action in its own name on matters such as that lies within the public authority's purpose and natural scope to look after. When it concerns who can complain about a case to the Norwegian Data Protection Authority, then it is the registered person himself. It The data subject's right to be assisted by an attorney is regulated in Section 12 of the Administration Act, which i second paragraph first sentence determines: "Any person of legal age or an organization can be used as a proxy the person in question is a member of.” The Administration Act therefore does not allow the Consumer Council to act as a proxy for on behalf of a registered person. The tribunal therefore assumes that the Consumer Council is not a party to this the case. Another issue is that the Consumer Council, as a public authority with a mission to, in particular, protect consumers' rights, are free to approach the Norwegian Data Protection Authority about matters they consider are important and which they believe the Norwegian Data Protection Authority should look into more closely. Furthermore, the Norwegian Data Protection Authority is not depending on having a complainant or a representative of a complainant to open a supervisory case against someone who processes personal data. The tribunal has, independently of the Consumer Council lack of party standing, see it as appropriate to obtain views and input from The Consumer Council as part of the work to inform the case, cf. Section 17 of the Administration Act. The tribunal then moves on to consider the substantive issues in the case. The tribunal will first assess whether Grindr's disclosure of information to advertising partners involves a disclosure of particular categories of information. The tribunal then assesses whether Grindr has valid processing basis for the disclosure of information, before the question of infringement fee and the size of this is assessed. Does Grindr provide particular categories of information, cf. the personal data protection regulation article 9? There is no doubt that Grindr's disclosure of information, including disclosure of App ID and IP address, represents disclosure of personal data, cf. article 4 no. 1. Which information that constitutes a special category of information, and which is thus subject to a special protection according to the personal data protection regulation, follows from article 9 no. 1. The provision reads: "Processing of personal data on racial or ethnic origin, political opinion, religion, philosophical belief or trade union membership, as well as processing of genetic information and biometric information for the purpose of unambiguously identify a natural person, health information or information about a natural person person's sexual relationship or sexual orientation is prohibited." In this case, the question is about Grindr's disclosure of information about its users to its own advertising partners involves a disclosure of "a physical person's sexual relationship or sexual orientation". What information Grindr provides is explained above under PVN PVN-2022-22 Page 12 of 24 "The fact of the matter". No information about sexual relationships is disclosed beyond the information provided that the person in question is a registered Grindr user. The question for the tribunal is whether this represents information covered by Article 9 no. 1. The tribunal has come to the conclusion that the information that a person is a registered user of dating The app Grindr itself is information about a "person's sexual relationship or sexual orientation", and that Grindr's disclosure of said type of information thus entails a processing of information that is covered by the prohibition in Article 9 no. 1. The Tribunal will justify their position in more detail below. The tribunal will first point out that the purpose of the Personal Data Protection Regulation is to ensure the protection of physical data persons' fundamental rights and freedoms, in particular their right to protection of personal data, cf. article 1 no. 2. Personal data covered by special categories of information in Article 9 no. 1 are given special protection. It appears from point 51 of the regulation that this is personal information which is particularly sensitive by nature with regard to fundamental rights and freedoms, and which deserve special protection, as the context in which they are processed can create significant risks for the fundamentals rights and freedoms. However, that is not the context or purpose of the processing which determines whether the information is of a special category. There are the selected information types in himself who decides this. The tribunal has found support for this assessment in the grand chamber judgment from the European Court of Justice in case OT v Vyriausioji tarnybinės etikos komisija, C- 184/20 from 1 August 2022. The case concerned a Lithuanian administrative agency's online publication of declarations related to private interests for public officials. The publication was made as part of transparency obligations according to national law for combating corruption. In lists/declarations that were published, one was removed share information of an obvious/presumed sensitive nature. The lists still contained, however information about the name of a cohabitant, spouse or partner. The question in the case was whether publication of such information was suitable for indirectly revealing sexual orientation etc., and therefore constitute a processing of special categories of information. The European Court of Justice assumed that the term "special categories of personal data" in Article 9 No. 1 must be interpreted broadly and concluded that it is sufficient to be covered by the term that information about a physical person's sexual orientation can indirectly be derived from the information, see paragraphs 119-128. The Court believes that a broad interpretation of the provision has support in the purpose of the personal data protection regulation which is to "ensure a high level of protection of natural persons' fundamental rights and freedoms, especially the right to privacy", see paragraphs 125 to 126. In paragraphs 127-128, the European Court of Justice states: "Consequently, these provisions cannot be interpreted in such a way that treatment of personal data, which may indirectly reveal sensitive information about a natural person, is excepted from the enhanced protection scheme, which is laid down in the aforementioned provisions, in that the effective effect of this arrangement and the protection of natural persons fundamental rights and freedoms, which it aims to secure, would otherwise be put in danger.PVN PVN-2022-22 Page 13 of 24 In view of all the above-mentioned considerations, the second question must be answered that article 8, subsection 1, in Directive 95/46 and the data protection regulation, Article 9, subsection 1, shall is interpreted as meaning that publication of personal data on the website for the public authority whose task is to collect and control the content of declarations about private interests, which may indirectly result in the disclosure of information about a physical person a person's sexual orientation constitutes a treatment of special categories of personal data within the meaning of these provisions." Grindr is a social network and online dating mobile application aimed at gay, bisexual, transgender and queer. Grindr markets itself as the world's largest social network network application for "gay, bi, trans and queer people", and the application is marketed as "Grindr - Gay Dating & Chat" on the App Store and as "Grindr - Gay chat" on Google Play. Although users on Grindr have many different sexual orientations, including heterosexual orientation, by registering a profile on Grindr you will be associated with LGBTQ+- community. Although the specific orientation does not appear, the information states that you are a user of Grindr, that you very likely have a sexual orientation that is different from the majority. In the tribunal's view, it is sufficient for the information to be covered by Article 9 No. 1. The tribunal does not see that the Ebab case, which Grindr has referred to, is relevant to the question in this case the case. The Ebab case concerned the disclosure of personal information about gay-friendly landlords who wanted to rent housing to gays. The court assumed that there was no basis for one inference that the landlords were gay even though they described themselves as gay-friendly. By register as a user on a gay, bisexual, transgender and queer dating website, signals a stronger attachment to an environment that says something about sexual orientation than about one describes oneself as gay-friendly. As the facts were different, the case is not considered relevant, and it is not necessary to go into more detail about the weight of the legal source of this decision. The tribunal emphasizes that the prohibition in Article 9 no. 1 against the processing of information about a "natural person's sexual relationship or sexual orientation" does not only apply to sexual ones minorities, but embraces all sexual relationships and orientations. The wording of the provision is neutral and does not provide grounds for distinguishing between minority and majority. The tribunal adds following this on the grounds that a dating site explicitly for heterosexuals will therefore also fall under them same rules. The tribunal finds support for its position in the European Court of Justice's Grand Chamber decision C-252/21 of July 4, 2023 (The Meta Case). The case concerned Meta Platforms Ireland's fundraising and compilation of information about users' visits to other websites and apps, for for example dating websites for gays, as well as information that users have entered themselves such websites and apps. One of the questions that the European Court of Justice ruled on was whether collection and further compilation of information relating to users' visits and input on the websites/apps constitutes processing of special categories of information because the websites contain information covered by Article 9 No. 1. The European Court of Justice added reason that the dating websites in question, which the users had visited and registered on, contained information covered by Article 9 no. 1. In section 73, the Court of Justice concludes that: "In view of the above, the second question, letter a), must be answered that the data protection regulation's article 9, subsection 1, shall be interpreted as such that if a user PVN PVN-2022-22 Page 14 of 24 of an online social network visit websites or use applications in connection with one or more of the categories referred to in this provision, and possibly enter information herein by creating a profile or making online orders, it shall processing of personal data by the operator of this online social network, and which consists in the collection of information from visits to these websites or use of these applications as well as the information entered by the user through interfaces, cookies or similar storage technologies, compilation of all this information with the user's account on the social network and the operator's use of said information, is considered to constitute »processing of special categories of personal data« as referred to in this provision, which is in principle prohibited subject to the exceptions in this regulation's article 9, subsection 2, when this processing of information can reveal information that is covered by one of these categories, regardless of whether the information concerns a user of this network or any other natural person." In the tribunal's view, the EU Court's statements in the Meta case are relevant to the question in this case the case despite the fact that it did not deal with the issue of extradition of special categories personal data, but on the other hand the question of collection and further compilation of such information. As explained above, the tribunal believes that people who register a profile on Grindr will be associated with the LGBTQ+ community and the tribunal therefore assumes that information about use of the Grindr app is covered by Article 9 No. 1. When the EU Court of Justice i The Meta case concludes that Meta Platforms Ireland's collection and compilation of Information about visitors to gay dating websites constitutes a special treatment categories of personal data, the tribunal believes that such websites also - in this case Grindrs - disclosure of the same type of information for similar compilation purposes constitutes one processing of information that is covered by the personal protection regulation article 9 no. 1. The tribunal therefore assumes that Grindr has provided special categories of information to its advertising partners. The tribunal does not share Grindr's concerns about any negatives ramifications of this conclusion as legal processing of such information may take place by ensuring good and informative processes for obtaining consent in line with the law claim. Has Grindr obtained valid consent for its disclosure of information? In order for the processing of personal data to be lawful, it must have a legal basis. The legal basis for the processing of personal data can be seen from the personal protection regulation article 6 no. 1. It follows from article 6 no. 1 letter a that consent is one of several possible grounds for treatment. The legal definition of consent in Article 4 No. 11 reads as follows: "... any voluntary, specific, informed and unequivocal expression of will by the data subject therein the person concerned gives his consent to processing by means of a declaration or a clear confirmation of personal data concerning the person concerned." Since the tribunal above has come to the conclusion that Grindr, when disclosing personal data to advertising partners have processed special categories of personal data, it follows article 9 no. 2 that the processing – to be legal – must meet the conditions in one of the alternatives in Article 9 no. 2. It follows from Article 9 no. 2 letter a that the registered person must have given "express" consent to the processing of such information. PVN PVN-2022-22 Page 15 of 24 The regulation does not explain in more detail what is involved in the requirement that the registered person has given a "express consent". The tribunal assumes that the wording "expressly" does not involves a stricter consent requirement compared to the requirement in Article 6 no. 1 that the consent must be an "unequivocal expression of will". The central point for both requirements is that it does not there must be doubt that consent has been given. As regards the requirement in Article 4 no. 11 that the expression of will must be "unequivocal", provides clause 32 some guidance. The consent will be unequivocal if it has been given: "... e.g. in the form of a written, including electronic, or an oral declaration. This can involve ticking a box during a visit to a website, choosing technical settings for information society services or any other statement or action as herein connection clearly shows that the data subject accepts the proposed processing of the person's personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent.” The key thing is that the registered person has acted in a way that clearly shows that the person concerned accepts the treatment. The tribunal assumes that this also forms the core of the requirement of "express consent" in Article 9 no. 2 letter a. Such an interpretation also harmonizes best with it the controller's duty according to the regulation article 7 no. 1 to demonstrate that it has been given consent. The Norwegian Privacy Council's guidelines on consent (Guidelines 05/2020 on consent under Regulation 2016/679) also states that it is the data subject's expression of will itself that is central to the requirement for unambiguity/expressiveness. In section 75, which applies to it in more detail the content of the requirement that the expression of will must be "unequivocal", it says, among other things, that “…consent requires a declaration or clear confirmation from the data subject, which means that consent always must be given by an active action...", and in section 77 it is further specified that: "A "clear confirmation" implies that the registered person must have acted deliberately to give consent to the treatment in question. There are further guidelines on this in recital 32. Consent can be obtained by written or (recorded) oral declaration, including electronically." And in section 93, which applies to the more detailed content of the requirement in article 9 no. 2 letter a that the consent must be "express", the Norwegian Privacy Council states the following: "The term expressly denotes the manner in which the registered donor consented. The means that the registered person must submit an express declaration of consent. It would be It is logical to have the consent expressly confirmed in a written declaration. When it is appropriate, the data controller can ensure that the written declaration is signed by the registered person, so that in the future there is no doubt about and is not there is no risk that there is no evidence." [Italics in original] The tribunal is of the opinion that if the requirement for unambiguity/expressiveness is to have a independent meaning, so cannot other flaws in the consent mechanism - if this is designed so that the consent cannot be said to be voluntary, specific and informed - to exist obstacle to the expression of will itself fulfilling the requirement of unambiguity/expressiveness. PVN PVN-2022-22 Page 16 of 24 Grindr's consent mechanism in this is initially explained under "Facts of the case". current period. In its decision, the supervisory authority has expressed that the wording "I accept the Privacy Policy" cannot necessarily be understood as an unequivocal or express consent, but can just as well be understood as the data subject simply acknowledging that the information has been provided. After in the tribunal's view, this appears to be a rather strained interpretation of the wording, and the tribunal sees so that the wording in combination with the user having clicked on the answer option "Accept", constitutes express consent that meets the regulation's requirements on this point. In the continuation of this, the tribunal will attach a comment to that part for the sake of clarity the consent mechanism which involves the user making changes to the device operating system, both are given the opportunity to opt out of behaviour-based marketing and to prevent it that Grindr gets access to location data. The tribunal is of the opinion that it is the most obvious to include these aspects of the consent mechanism in the assessment of whether consent is given voluntarily. The tribunal then moves on to assess the other three requirements included in the assessment of if a valid consent has been given to the disclosure of personal data to advertising partners, namely whether the consent is voluntary, specific and informed. As already pointed out above, it is tight ties and partial overlap between these three requirements. The tribunal has come to the conclusion that the consent mechanism of Grindr in the period to which this case applies, not fulfilled the regulation's requirement for valid consent, and will explain his in more detail below assessment of the central shortcomings of the consent mechanism linked to these three requirements. The tribunal assumes that the core of the requirement that consent be voluntary is that personal autonomy. The consent mechanism must be designed in such a way that the person concerned who must give their consent are given real choices in terms of how the personal data should be processed is processed. In recital 42, it is stated that the consent: "... shall not be considered voluntary if the data subject does not have a real freedom of choice, or is not able to refuse to give or withdraw consent without it being detrimental to the person in question.” Much of the same is also pointed out by the Norwegian Data Protection Authority in section 13 of the guidelines on consent: "The element 'free' implies that the registered have a real choice and control. Generally determined that in the data protection regulation, that a consent is invalid, if the data subject is not able to make a real choice, if the data subject feels compelled to give his opinion consent, or if there will be negative consequences, if the data subject does not agrees. …” The consent mechanism of Grindr, as explained under "Fact of the Case", is after the tribunal's assessment is not designed in such a way that the user can freely decide on the question whether personal data should or should not be disclosed to advertising partners. The consent mechanism meant that users who wanted to opt out of the behaviour-based marketing had to make changes to the device's operating system that not only had impact for the Grindr app, but which had similar consequences for all apps that were downloaded to the user's device. Such an arrangement of the consent mechanism placed the user in a forced situation where the person concerned either had to accept that the personal data was PVN PVN-2022-22 Page 17 of 24 disclosed to Grindr's advertising partners, or had to make changes to the device's operating system which had consequences for all apps downloaded on the device. This suggests after the tribunal's assessment that it cannot be assumed that the user had voluntarily consented disclosure of personal data to advertising partners. However, when it comes to the disclosure of location data to advertising partners, the user could choose to hide this personal information from Grindr by changing the settings in your device operating system that only had consequences for the use of Grindr. If the user chose to not sharing location data with Grindr, the app also had reduced functionality. Although the app could no longer be used to contact gays, bisexuals, trans people and queers who was nearby, it is the tribunal's assessment that the app still made it possible users to come into contact with other gay, bisexual, transgender and queer people. That choice which the user here was faced with when it came to the provision of location data, is according to the tribunal view not suitable to deprive the disposition characterized by voluntariness. The consent mechanism of Grindr in the relevant period was designed so that it was only after that the registration was complete that the registered person was offered to buy a subscription to one of the payment versions. That the user, after registration has been completed, is given the opportunity to purchase a subscription, as the tribunal considers it, has no impact on the question of that consent which was already given in connection with the user accepting the privacy policy, was voluntary. The tribunal agrees with Grindr that they do not have a duty to offer a free dating app, and the tribunal recognizes that a key feature of the social media business model and applications is that the registered "pay" for the use of social media and applications by accept that their personal data is used commercially, for example by is handed over to advertising partners. Had the user before the registration process ended been given the choice between using the free version of the app or purchasing one of the two paid versions of the app, this had drawn in the direction that the requirement of voluntariness had been met. The user had then had a real choice as to whether the person concerned would pay money to use the application, or if the person concerned would rather "pay" with their personal data. According to the tribunal's assessment, it is irrelevant to the assessment of whether the consent is voluntary, if the disclosure of personal data takes place immediately after registration has been completed, or if something happens later. The assessment must relate to the conditions as they were the time when the registration was completed. It is the quality of the expression of will on this the time which is decisive for the question of whether a valid consent has been given i meaning of the regulation. It is clear from point 43 of the preamble, i.a. that the consent "is assumed not to have been given voluntarily if it it is not possible to give separate consent for different processing activities". Some of it the same is stated in paragraph 32. The Personal Data Protection Council refers to this as a requirement granularity, cf. sections 42-45 of the guidelines on consent. This appeal only applies the question of whether Grindr has obtained a valid consent from the users for the release of personal data to advertising partners. With such a curtailment of the case, the tribunal is of it opinion that the fact does not provide a basis for an independent assessment of this element i the requirement of voluntariness. The tribunal then moves on to assess whether the consent mechanism is designed so that the consent is specific and informed. A central starting point for this assessment can be found in Article 7 no. 2, which reads as follows: PVN PVN-2022-22 Page 18 of 24 "If the data subject's consent is given in connection with a written declaration which also applies to other circumstances, the request for consent must be submitted in a way that it can be clearly distinguished from the aforementioned other conditions, in an understandable and easily accessible form and in clear and simple language. …” This provision must be interpreted and applied in light of the principle of openness and transparency i article 5 no. 1 letter a, and the data subject's right to transparency and information i articles 12 and 13. Information is provided under the heading "How We Use Your Information" in the privacy policy the user i.a. about which personal data is disclosed to advertising partners. Bullet point 12 sounds like this: “Third Party Advertising Companies. We share your hashed Device ID, your device's advertising identifier, a portion of your Profile Information, Distance Information, etc some of your demographic information with our advertising partners. … Note that we do do not sell your personal user information to third parties for advertising purposes. Also note that we do not share information about your Tribe, or about your HIV status, with anyone advertising companies.” The tribunal has strong doubts about this way of informing about which personal data is disclosed to advertising partners, is sufficiently specific for the consent of the user to be considered to be informed. Some of the words are technical terms as to be understandable presupposes an insight that the ordinary user cannot be assumed to have. Other words has a rather unclear content. For example, no further information is given about what kind profile information that is disclosed, only which personal data is not disclosed. The tribunal further believes that it is a deficiency in Grindr's consent mechanism that the consent to disclosure of personal data to advertising partners is included in the privacy policy. This statement explains in detail how Grindr processes personal data, and has for the purpose of fulfilling the controller's duties according to the regulation's article 13. One privacy statement is not a document to which consent must be given in principle. It is a document of an informative nature, and thus differs from the terms of use, which users must consent to. Both privacy statements are structured with headings according to different themes. The privacy policy, which applied until 31 December 2019, was structured with based on the following headings: • What we Collect • How We Use Your Information • Where We Share • Your Choices • How We Protect Personal Information • Miscellaneous Information The privacy policy that applied from 1 January 2020 was expanded with a few more headings, but this difference is irrelevant to the tribunal's assessment here. A user without knowledge to the actual text of the privacy policy, it will give the impression that the text is informative character. The wording in the privacy policy that describes which information PVN PVN-2022-22 Page 19 of 24 is handed over to advertising partners, in the tribunal's assessment therefore cannot be clearly distinguished from one another information provided to the person who registers as a user. The relevant wording on which information is disclosed to the advertising partners is in the tribunal's opinion, nor designed as a request for consent. That the wording is included under the heading "Your Choices", does not change this. The tribunal has moreover, it was noted that Grindr in the privacy policy that applied from 1 January 2020, under heading "How and Why We Use Your Personal Data", has prepared a table that lists up all 25 different processing purposes, and which for each of the purposes indicates the processing legal grounds. Processing purpose 21 applies to "Share your Personal Data with our advertising partners", and it is explicitly stated that the legal basis for this processing of personal data is consent ("Consent"). Even if this benevolently read and seen in isolation can possibly be interpreted as a request for consent, the tribunal is nevertheless in no doubt that these formulations, read in their context, cannot be interpreted in this way. The tribunal points out that the table with all the processing purposes is placed under a heading that gives none indications that the user will find requests for the processing of personal data here to which it must be agreed. The formulations in the two privacy statements therefore comply not the requirement that can be derived from Article 7 No. 2. Grindr has also stated that the paid versions of the app were presented to the user in such a way way that the requirement for specific and informed consent was met. It indicates that the user will be informed that the paid versions are advertising-free, i.a. with formulations such as "No banner ads", "No more ads", No 3rd party ads" and "ZERO third-party ads". The tribunal has above assumed that the detailed design of the payment versions of the app is of no importance for the assessment of whether the consent was voluntary, since the registered person was first offered to buy a subscription to one of these after registration has been completed. The same goes for of course for the assessment of whether the consent was specific and informed; the closer the design of the payment versions has no relevance for this assessment. The tribunal will nevertheless briefly note that the formulations that Grindr refers to, only in a rather indirect way way is suitable to communicate to the user that by choosing to buy a subscription to one of the paid versions, the user's personal data will not be disclosed to advertising partners. This information presupposes technical insight which cannot be assumed ordinary user possesses. On this basis, the tribunal has come to the conclusion that Grindr's consent mechanism, in that period which this case concerns, was designed in such a way that the user's consent was neither voluntary, specific or informed. Although the tribunal above has come to the conclusion that the consent was expressly, the tribunal's conclusion is nevertheless that Grindr did not have valid consent from them registered for the disclosure of personal data to advertising partners, cf. article 6 no. 1 and article 9 no. 2. Violation fee Pursuant to Section 26 of the Personal Data Act, the Danish Data Protection Authority can appoint a data controller infringement fee according to Article 83 of the Personal Data Protection Ordinance. This also follows from Article 83 No. 5 letter a that companies that violate the provisions of Article 6 and Article 9 may be subject to a infringement fee of up to 20,000,000 euros or up to 4% of the total global the annual turnover in the previous financial year, where the highest amount is used. PVN PVN-2022-22 Page 20 of 24 The tribunal has concluded above that Grindr has acted in breach of Article 6 no. 1 and article 9. The objective conditions for being able to impose an infringement fee are thus i basically met. The ban on retroactive legislation and the requirement for clear legal authority for the imposition of a fee The Privacy Board finds reason to comment specifically on Grindr's statement that The Norwegian Data Protection Authority's fee decision is contrary to the ban on retroactive legislation. It is particularly shown that the supervisory authority has based its decision on the Norwegian Privacy Council's guidelines on consent. These were only adopted on 4 May 2020, and Grindr has stated that these cannot be used as a basis for the assessment of the processing of personal data that took place in the period such as this one the appeal applies, namely from the time the regulation entered into force on 20 July 2018 and until the consent mechanism was changed on 8 April 2020. According to the tribunal's assessment, there is no evidence in the reasons for the decision that the supervisory authority has based this on legal rules derived from these guidelines. The tribunal has in its practice expressed that such guidelines have limited value as a source of law, but have formed the basis that they provide useful guidance since they give expression to management practices at the supervisory authorities in the EU and EEA, cf. PVN-2020-14 and PVN-2019-02. This is how the tribunal reads the Authority's reasoning i present case, this is based on a similar view of the legal meaning of the guidelines. The authority's decision is based on the regulation's provisions. Furthermore, Grindr states that the authority's interpretation of the regulation's consent provisions does not is expressed clearly enough in the wording, and consequently does not sufficiently meet the requirement of predictability. Practice from the human rights court in Strasbourg (EMD) provides good results points of reference for the details of the requirement for clear legal authority and predictability i the European Convention on Human Rights (ECHR). The tribunal is content to refer to Sanchez v. France, Grand Chamber judgment of 15 May 2023 (application no. 45581/15). Sections 125-127 summarize - with reference to previous judgments from the ECHR – the central elements of the requirement for clear legal authority in the ECHR: "... That person must be able to - if need be with appropriate advice - to foresee, to a degree that is reasonable in the circumstances, the consequences which a given action may entail. … Accordingly, many laws are inevitably couched in terms which, to a greater or lesser extent, are vague, and whose interpretation and application are questions of practice … The level of precision required of domestic legislation – which cannot provide for everyone eventuality – depends to a considerable degree on the content of the law in question, the field it is designed to cover and the number and status of those to whom it is addressed … … A margin of doubt in relation to borderline facts does not therefore by itself make a legal provision unpredictable in its application. Nor does the mere fact that a provision is capable of more than one construction means that it fails to meet the requirement of "foreseeability" for the purposes of the Convention. … The novel character of a legal question that has not hitherto been raised, particularly with regard to previous decisions, is not in itself incompatible with the requirements of accessibility and foreseeability of the law, provided the solution adopted is consistent with one of the possible and reasonably foreseeable interpretations ...»PVN PVN-2022-22 Page 21 of 24 It is in this that the EMD accepts that the more detailed content of the vaguely formulated legal provisions must find their clarification in practice, and that this is not in conflict with the requirements of the ECHR about clear legal authority and predictability. It is the tribunal's assessment that the Norwegian Privacy Council's guidelines on consent are sound within what can be deduced from the preamble and the relevant provisions of the regulation interpreted in its context and based on the regulation's purpose of strengthening the protection of data subjects own personal data. In the continuation of this, the tribunal will point out that these guidelines, which was adopted on 4 May 2020, for all practical purposes implies an unchanged continuation of The Article 29 group's guidelines on consent (Guidelines on consent under Regulation 2016/679 (WP259.01)) from 10 April 2018. In other words, the consent guidelines have remained fixed throughout the period to which this complaint relates. According to the tribunal's assessment, the same applies to what constitutes a special category of information, cf. article in article 9 no. 1. The Norwegian Data Protection Authority's decision also represents no one new or changed interpretation of the adopted rules on this point. The Personal Data Act entered into force in force on 20 July 2018, the same day as the decision incorporating the regulation into the EEA the agreement entered into force. The Personal Data Protection Regulation was adopted in the EU in April 2016 and came into force in EU member states from 25 May 2018. Subsequent legal sources, which the Norwegian Data Protection Authority refers to in its decision, clarifies and clarifies what was the applicable law at the time of Grindr's release of personal data about its users to advertising partners. Such legal clarification is a central task for the courts and does not represent any change to the legal situation. Especially about the requirement of subjective guilt The Supreme Court has stated in HR-2021-797-A, section 23 that it is not compatible with Article 6 of the ECHR No. 2 and Article 7 to punish an enterprise if no one has proven guilty. The Supreme Court refers to more recent practice from the European Court of Human Rights (ECHR) where a "mental link" is required between the act and the actual circumstances that establish criminal liability, cf. in particular ECtHR grand chamber judgment 28 June 2018 G.I.E.M. S.r.l. with several against Italy (EMD-2006-1828) and ECtHR's judgment of 20 January 2009 Sud Fondi S.r.l. with several against Italy (EMD-2001-75909). As a result of this legal development, and that infringement fees are considered to have the character of punishment, cf. Rt-2012-1556, Section 46 of the Public Administration Act was amended in 2022 so that a requirement is now also set out on subjective fault (negligence) in the imposition of infringement fees for businesses and public authorities authorities, unless otherwise specified. The tribunal lays down the basis for the assessment in this case that the regulation established a requirement of subjective fault (at least negligence) with the person or persons who have acted on behalf of the company so that the infringement fee could is also imposed during the period to which this case applies. The tribunal cannot point out who at Grindr has been responsible for choosing it in the past established the solution for obtaining consent, and which, according to the tribunal's assessment, represents violation of both article 6 no. 1 and article 9 no. 1. According to case law, it is also not a requirement that the blame is individualized. Both anonymous and cumulative errors can form the basis for liability when imposing a corporate penalty, cf. HR-2022-1271-A, section 46-50. Choice of technical solution and procedure for obtaining user consent was undoubtedly one conscious choice on Grindr, which implies a deliberate violation of the personal data protection regulation. If this, as stated, was due to ignorance on the part of Grindr which requirements the Personal Data Protection Ordinance set for obtaining consent for the disclosure of users' personal data to advertising partners, regardless of whether it is an ignorance as PVN PVN-2022-22 Page 22 of 24 is not excusable and thus without significance for the tribunal's assessment of whether the subjective the conditions are met. There is thus an intentional infringement and both subjective and objective conditions for impose an infringement fee is fulfilled. Assessment of whether an infringement fee should be imposed and assessment of the fee The question for the tribunal is, after this, whether according to the Personal Protection Ordinance, Article 83 no. 2 an infringement fee must be imposed, and if it is imposed, how much the fee must be. It follows from Article 83 No. 1 that the imposition of an infringement fee in each individual case shall be effective, be proportionate to the infringement and act as a deterrent. Both wood the assessment of whether a fee should be imposed and when calculating the fee, it must be taken into account the elements of the personal data protection regulation article 83 no. 2 letters a to k. It is central to this assessment to look at the nature, severity and duration, cf. article 83 no. 2 letter a. It follows from the provision that account must be taken of the nature, extent or purpose of the processing in question, as well as the number of registered persons who are affected and the extent of the damage they have suffered. In this case, it concerns the disclosure of special categories of information about a large number of users without valid consent having been obtained for this. It is about one intentional infringement that lasted over almost two years, in the period from 20 July 2018 to 7 April 2020. The illegal disclosure of personal data was based on a desire to financial gain at Grindr. The tribunal assumes that the sale of personal data to use of behaviour-based marketing has contributed to the financing of the service and contributed to Grindr's earnings. The tribunal agrees with the Norwegian Data Protection Authority that profiling is too targeted marketing is a form of processing of personal data that can be perceived intrusive and often seems opaque and unclear to the data subjects. It is aggravating that Grindr was aware that their disclosure of information to various advertising partners as well involved a further dissemination of the information beyond Grindr's control. The tribunal agrees with the Norwegian Data Protection Authority that the low number of complaints about the app is not a matter of must be given additional weight in the mitigating direction. A lack of complaints may partly be due to lack knowledge on the part of the registered about what rights they have and partly a lack of knowledge about what what happens to their personal data if they choose to register as a user with Grindr. The tribunal refers to what has been said above about what information was given to the users and the availability of this information. As regards the significance of any technical and organizational measures pursuant to Article 25 and 32, cf. article 83 second paragraph letter d, in the tribunal's opinion this has little significance when it concerns an intentional disclosure of personal data without valid legal authority basis. In addition to Grindr handing over information covered by Article 9 no. 1 (information about a person's sexual relationship or sexual orientation), information about it is also disclosed data subject's geographical location. The tribunal agrees with the Norwegian Data Protection Authority that the processing of this category of information requires careful consideration. GPS location can be particular revealing of the lives and habits of those registered, and can be used to derive large amounts information. For example, location data may reveal where the data subject works and where hePVN PVN-2022-22 Page 23 of 24 or she lives. The data can also be used to reveal potentially sensitive information such as religion through religious meeting houses, or sexual orientation through the places that are visited. The tribunal shares the Norwegian Data Protection Authority's assessment that the processing is registered geographic location, depending on the circumstances, can be very intrusive and has a potential for abuse if the information is shared with data controllers who have such wishes. The tribunal has then come to the conclusion that it is correct to impose an infringement fee on Grindr, cf. § 26 of the Personal Data Act, cf. Article 83 of the Personal Data Protection Ordinance. Both in the assessment of whether a fee should be imposed and in the assessment of the fee, it shall as pointed out above, account is taken of the points in the Personal Data Protection Ordinance, Article 83 No. 2 letters a to k. The tribunal therefore refers to its assessment above. It follows from the personal protection regulation article 83 no. 5 that violation of articles 5, 6, 7 and 9 of accordance with article 83 no. 2 shall be imposed an infringement fee of up to 20,000,000 euros or, if it concerns an enterprise, of up to 4% of the total global annual turnover i previous financial year, where the highest amount is used. Grindr has in its notes to notice of decision stated that the global turnover in 2020 was USD Det thus becomes 20,000,000 euros, which constitutes the upper ceiling in this case. The Danish Data Protection Authority originally notified NOK 100,000,000 in infringement fees, but reduced this to NOK 65,000,000 in its final decision. The reduction from original notice of NOK 100,000,000 to NOK 65,000,000 was justified in the decision by the fact that Grindr's turnover was in the lower tier of what the inspectorate based on the notice, as well as that Grindrs implemented measures to improve the shortcomings of their previous consent mechanism was emphasized in a mitigating direction. The Privacy Board has found no reason to change the amount of the fixed fee. In its decision, the Norwegian Data Protection Authority has discussed the objections Grindr has had to the assessed fee and given his explanation of why the fee is set higher in this case than in other cases pointed out on by Grindr. The tribunal agrees with the assessments expressed by the supervisory authority. It measured out the fee is less than 30% of the maximum amount permitted by the Personal Data Protection Ordinance i this case. The seriousness of the infringement, in particular the number of registered persons affected, the category of relevant information, that the infringement has been going on for almost two years, and that it concerns refers to an intentional act where one has deliberately chosen a technical solution that does not do so possible to register without simultaneously "approving" the release of information for use in behaviour-based marketing, indicates that the infringement fee is not considered disproportionate. That the technical solution allows for opt-out after registration, does not change the tribunal's assessment of this. A fee of NOK 65,000,000 is considered necessary to have a sufficient deterrent effect. The tribunal notes that, in the assessment, it has not emphasized that the consent mechanism is changed, as the new technical solution has not been assessed by the Norwegian Data Protection Authority and the tribunal. The tribunal assumes that Grindr aligns itself with the requirements of the privacy regulation poses and which the tribunal has explained in this case. Grindr does not succeed in the complaint. Conclusion The Norwegian Data Protection Authority's decision is upheld. PVN PVN-2022-22 Page 24 of 24 The decision is unanimous. Oslo, 27 September 2023 Mari Bø Haugstad Manager