Datatilsynet (Norway) - 20/01801
Datatilsynet (Norway) - 20/01801 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 5(1)(a) GDPR Article 5(2) GDPR Article 5(2) GDPR Article 6(1) GDPR Article 12(1) GDPR Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 03.05.2021 |
Published: | 03.05.2021 |
Fine: | 25000000 NOK |
Parties: | Disqus, Inc. |
National Case Number/Name: | 20/01801 |
European Case Law Identifier: | n/a |
Appeal: | Pending appeal |
Original Language(s): | English |
Original Source: | Datatilsynet (in EN) |
Initial Contributor: | n/a |
The Norwegian DPA (Datatilsynet) published a draft decision notifying Disqus that it will be fined approximately €2.5 million (NOK 25 000 000) for unlawfully processing personal data for programmatic advertising purposes. In addition, the DPA found that Disqus breached transparency and information requirements by not providing data subjects with adequate information about the company's tracking, profiling and disclosure of personal data.
English Summary
Facts
Disqus is an American company owned by Zeta Global. The company offers an online public comment sharing platform, which was previously used by a number of Norwegian online newspapers, and it also engages in programmatic advertising. The Norwegian DPA was made aware of the matter through news articles by the Norwegian National Broadcaster (NRK). According to the NRK, Disqus conducted unlawful tracking of visitors to Norwegian websites using the Disqus plugin. Their data were then disclosed to third party advertising partners. The NRK further wrote that this happened because Disqus was unaware that the GDPR applied in Norway, which Disqus’ parent company Zeta Global confirmed in an interview.[1]
Dispute
The decision covers a range of topics, but primarily concerns: Does the GDPR apply (material scope)? Can the Norwegian DPA handle the case (territorial scope)? Did the processing have a legal basis pursuant to Article 6 GDPR? Did Disqus provide adequate information concerning their processing of personal data?
Holding
Datatilsynet found that both the material and territorial scope applied to the processing of personal data, with the DPA having competence to decide the case.
Datatilsynet highlighted that Disqus tracked, profiled and shared the personal data of all visitors to the websites implementing the Disqus widget without the users' knowledge, finding a breach of Article 12(1), 13 and 5(1)(a) GDPR.
Datatilsynet found that the processing could have been carried out with less invasive means, and did not pass the necessity condition pursuant to Article 6(1)(f) GDPR. In addition, the processing did not pass the balancing test. Datatilsynet highlighted the negative impact of wide-scale profiling, and that Disqus' interest in providing behavioral online marketing are less important compared to the adverse negative effects on the data subjects, and "must weigh significantly less in the balancing of interests" (p. 38).
In addition, Datatilsynet found that Disqus' failure to identify GDPR as applicable data protection law and failing to implement data protection safeguards in accordance to the GDPR was a breach of Article 5(2) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.