Datatilsynet (Norway) - 20/01801
|Relevant Law:|Article 5(1)(a) GDPR; Article 5(2) GDPR; Article 6(1) GDPR; Article 12(1) GDPR; Article 13 GDPR|
|National Case Number/Name:|20/01801|
|European Case Law Identifier:|n/a|
|Original Source:|Datatilsynet (in NO)|
The Norwegian DPA (Datatilsynet) notified Disqus that they will be fined NOK 25 000 000 (approx. 2 500 000 euro) for unlawfully processing personal data for programmatic advertising. In addition, the DPA found that Disqus breached transparency and information requirements by not providing data subjects with adequate information about the company's tracking, profiling and disclosure of personal data.
Disqus is an American company owned by Zeta Global. The company offers an online public comment sharing platform, which was previously used by a number of Norwegian online newspapers, and it also engages in programmatic advertising.
The Norwegian DPA was made aware of the matter through news articles by the Norwegian National Broadcaster (NRK). According to the NRK, Disqus conducted unlawful tracking of visitors to Norwegian websites using the Disqus plugin. Their data were then disclosed to third-party advertising partners. The NRK further wrote that this happened because Disqus was unaware that the GDPR applied in Norway, which Disqus’ parent company Zeta Global confirmed in an interview.
The decision covers a range of topics, but primarily concerns: Does the GDPR apply (material scope)? Can the Norwegian DPA handle the case (territorial scope)? Did the processing have a legal basis pursuant to Article 6 GDPR? Did Disqus provide adequate information concerning their processing of personal data?
Datatilsynet found that the processing of personal data fell within both the material and the territorial scope of the GDPR, and that the DPA had competence to decide the case.
Datatilsynet highlighted that Disqus tracked, profiled and shared the personal data of all visitors to the websites implementing the Disqus widget without the users' knowledge, finding a breach of Articles 12(1), 13 and 5(1)(a) GDPR.
Datatilsynet found that the processing could have been carried out with less invasive means, and did not pass the necessity condition pursuant to Article 6(1)(f) GDPR. In addition, the processing did not pass the balancing test. Datatilsynet highlighted the negative impact of wide-scale profiling, and that Disqus' interest in providing behavioral online marketing is less important than the adverse effects on the data subjects, and "must weigh significantly less in the balancing of interests" (p. 38).
In addition, Datatilsynet found that Disqus' failure to identify the GDPR as the applicable data protection law and to implement data protection safeguards in accordance with the GDPR was a breach of Article 5(2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.