Datatilsynet (Norway) - 20/01801

From GDPRhub
Revision as of 08:56, 12 May 2021 by RRA
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1) GDPR
Article 12(1) GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 03.05.2021
Published: 03.05.2021
Fine: 25000000 NOK
Parties: Disqus, Inc.
National Case Number/Name: 20/01801
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): English
Original Source: Datatilsynet (in EN)
Initial Contributor: n/a

The Norwegian DPA (Datatilsynet) published a draft decision notifying Disqus that it will be fined approximately €2.5 million (NOK 25 000 000) for unlawfully processing personal data for programmatic advertising purposes. In addition, the DPA found that Disqus breached transparency and information requirements by not providing data subjects with adequate information about the company's tracking, profiling and disclosure of personal data.

English Summary

Facts

Disqus is an American company owned by Zeta Global. The company offers an online public comment sharing platform, which was previously used by a number of Norwegian online newspapers, and it also engages in programmatic advertising. The Norwegian DPA was made aware of the matter through news articles by the Norwegian National Broadcaster (NRK). According to the NRK, Disqus conducted unlawful tracking of visitors to Norwegian websites using the Disqus plugin. Their data were then disclosed to third-party advertising partners. The NRK further wrote that this happened because Disqus was unaware that the GDPR applied in Norway, which Disqus’ parent company Zeta Global confirmed in an interview.[1]

Dispute

The decision covers a range of topics, but primarily concerns: Does the GDPR apply (material scope)? Can the Norwegian DPA handle the case (territorial scope)? Did the processing have a legal basis pursuant to Article 6 GDPR? Did Disqus provide adequate information concerning their processing of personal data?

Holding

Datatilsynet found that the processing of personal data fell within both the material and the territorial scope of the GDPR, and that the DPA had competence to decide the case.

Datatilsynet highlighted that Disqus tracked, profiled and shared the personal data of all visitors to the websites implementing the Disqus widget without the users' knowledge, and found a breach of Articles 12(1), 13 and 5(1)(a) GDPR.

Datatilsynet found that the processing could have been carried out by less invasive means, and did not meet the necessity condition of Article 6(1)(f) GDPR. In addition, the processing did not pass the balancing test. Datatilsynet highlighted the negative impact of wide-scale profiling, and found that Disqus' interest in providing behavioral online marketing is less important than the adverse effects on the data subjects, and "must weigh significantly less in the balancing of interests" (p. 38).

In addition, Datatilsynet found that Disqus' failure to identify the GDPR as the applicable data protection law and to implement data protection safeguards in accordance with the GDPR was a breach of Article 5(2) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.