Datatilsynet (Norway) - 21/02455

From GDPRhub
Datatilsynet - 21/02455
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 3(2)(b) GDPR
Article 6(1) GDPR
Article 6(1)(f) GDPR
Article 12(2) GDPR
Article 14 GDPR
Type: Investigation
Outcome: Violation Found
Started: 28.06.2021
Decided: 14.06.2022
Published: 15.06.2022
Fine: n/a
Parties: Shinigami Eyes
National Case Number/Name: 21/02455
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
English
Original Source: Datatilsynet (in NO)
Datatilsynet (in EN)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA has banned the use of "Shinigami Eyes" on Norwegian territory after determining violations of Article 6(1), Article 12(2) and Article 14 GDPR. The controversial browser addon allows users to highlight trans-friendly or transphobic social network pages and users.

English Summary

Facts

In 2021, a data subject lodged a complaint with the Norwegian DPA (Datatilsynet) against "Shinigami Eyes" after they had been marked through the application. Shinigami Eyes is a browser addon that highlights transphobic and trans-friendly social network pages and users with different colors.

Consequently, the DPA launched an investigation and sent a request for information to the developer of the extension, who failed to reply. The DPA sent several requests and reminders and, finally, an advance notification of a decision, but the developer never replied back. The data subject, however, provided further comments to the complaint and, following this, the DPA found that they had enough information to be able to issue a final decision.

Holding

First, the DPA assessed the territorial scope of the GDPR. They were not able to identify an “establishment” of Shinigami Eyes within the EEA as per Article 3(1) GDPR, but found that the GDPR is applicable to their processing activities as per Article 3(2)(b) GDPR - monitoring data subjects' activities.

Second, the DPA assessed the material scope and found that Shinigami Eyes processes several types of personal data as per Article 4(1) GDPR, including the name or online identifier of social network users, their posts/behaviour and the color indicating whether they are transphobic or trans-friendly.

Third, the DPA found that Shinigami Eyes is the controller for this processing as they determine the purpose of the extension, as well as the means to be utilised and implemented.

Next, the DPA assessed the lawful basis of the processing. As they never got a reply from the controller, the DPA considered this themselves and found legitimate interest as per Article 6(1)(f) to be the most prospective legal basis.

The legitimate interest assessment

First, the DPA assessed the condition of “legitimate interest” and concluded that the controller indeed has such an interest, as they claim to want to protect people from harm, like discrimination.

Second, the DPA assessed whether the processing was necessary for the purposes of the legitimate interests pursued. Although this was more difficult because of the lack of information from the controller, the DPA concluded that this criteria was also fulfilled.

Third, the DPA conducted the balancing test to determine whether the data subjects’ fundamental rights and freedoms precedes the controller’s legitimate interest. The DPA found, amongst other things, that data subjects have no knowledge about the processing taking place, no relationship with the controller and, thus, have no way of expecting such processing to take place. The DPA also mentions several potential negative consequences for the data subjects, including losing their job, friendships and being a target of hate and mistreatment - regardless of what they are categorised as (trans-friendly or transphobic). Finally, the DPA mentions the chilling effect such applications can have on the public discourse. In conclusion, the DPA found that the data subjects’ interests, rights and freedoms outweigh the controller's interest in providing their application. The processing of personal data does not meet the third condition in Article 6(1)(f) GDPR and, consequently, the controller lacks a legal basis for the processing.

Following from the above, the DPA has banned the use of Shinigami Eyes on Norwegian territory after determining violations of Article 6(1) GDPR, Article 12(2) GDPR and Article 14 GDPR.

Comment

After the advance notification to Shinigami Eyes (which was made public), the DPA received feedback from the data subject who made the initial complaint. The data subject criticised the DPA's finding of a legitimate interest for the use of the browser extension and argued that the DPA agreed with the claims made by Shinigami Eyes that the use of the browser extension was harm-reducing. The data subject further claimed that the DPA put them and other users targeted by Shinigami Eyes in harms way because the DPA "depicts what in practice is a targeted harassment campaign against women, including death threats and active attempts at character assassination, as a legitimate activity". The DPA disagrees with the data subject’s characterisation of their findings.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision to ban "Shinigami Eyes" in Norway
The Norwegian Data Protection Authority has decided to ban the processing of personal data in the browser tool «Shinigami Eyes». The background for the decision is a violation of the requirement for a legal basis and lack of information to users.

Decision to ban "Shinigami Eyes" in Norway

As "Shinigami Eyes" has no legal basis for the processing of personal data, the Data Inspectorate imposes a ban on the browser tool in Norway.

 - This case is a matter of principle. Subjective assessments and marking of identified individuals pose a threat to the free exchange of opinions on the Internet. The person who is marked will not receive information about it himself, and will not have the opportunity to respond, says Acting Director Janne Stang Dahl.

The Data Inspectorate received several complaints about the browser extension "Shinigami Eyes", which is available for Chrome and Firefox. The purpose of the browser extension is to identify and mark people on the internet and social media so that it becomes clear to users of the browser extension whether the person who has been marked is to be regarded as pro- or anti-trans people.
Negative impact on the public conversation

The Norwegian Data Protection Authority has assessed whether the use of the tool could be based on a balance of interests as the legal basis. We have concluded that "Shinigami Eyes" has no legal basis for the processing of personal data.

The Norwegian Data Protection Authority has previously announced that we would make a decision against the browser extension, and we have maintained our previous assessments in this decision.

- Privacy must take care of a room where it is possible to express oneself. The assessment of the quality of the statement should not depend on which unknown labels follow the person all over the internet, Dahl says.
Mozilla and Google are informed of the final decision

Despite repeated inquiries, the Data Inspectorate did not get in touch with the developer behind the expansion during the processing of the appeal.

The Norwegian Data Protection Authority will communicate our decision to Google and Mozilla, who are the ones making the expansion available on their platforms.

The developers behind the browser extension have a three-week appeal period from the time they receive the decision.