Datatilsynet (Norway) - 20/02136: Difference between revisions
No edit summary |
No edit summary |
||
| Line 65: | Line 65: | ||
=== Holding === | === Holding === | ||
==== | ==== 1. Application of the GDPR ==== | ||
===== | ===== 1.1 Territorial scope of the GDPR ===== | ||
Grindr is etsablished in thre US. The NO DPA holds that the GDPR is applicable since | Grindr is etsablished in thre US. The NO DPA holds that the GDPR is applicable since | ||
| Line 76: | Line 76: | ||
Since there is no establishment of Grindr in the EU, the one stop shop mechanism is not applicable. | Since there is no establishment of Grindr in the EU, the one stop shop mechanism is not applicable. | ||
===== | ===== 1.2. Processing of personal data ===== | ||
The NO DPA considered that since the data shared were associated with/included advertising ID provided by the mobile devices, the data at stake are personal data. | The NO DPA considered that since the data shared were associated with/included advertising ID provided by the mobile devices, the data at stake are personal data. | ||
==== | ==== 2. Validity of consent ==== | ||
===== | ===== 2.1 Value of the EDPB Guidelines ===== | ||
The NO DPA refers to EDPB Guidelines on consent. It considers that even if not binding, EDPB guidelines cannot be regarded as having no legal effect and DPAs are expected to follow them when enforcing the GDPR in concrete cases. | The NO DPA refers to EDPB Guidelines on consent. It considers that even if not binding, EDPB guidelines cannot be regarded as having no legal effect and DPAs are expected to follow them when enforcing the GDPR in concrete cases. | ||
===== | ===== 2.2. Consent is not free ===== | ||
====== ''2.2.a) Conditions for free consent'' ====== | ====== ''2.2.a) Conditions for free consent'' ====== | ||
| Line 116: | Line 116: | ||
- Data subjects could not refuse or withdraw consent without detriment. | - Data subjects could not refuse or withdraw consent without detriment. | ||
===== | ===== ''2.2. Consent is not specific'' ===== | ||
SInce Grindr did not provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes, the NO DPA conclude that Grindr does not provide separate opt-in for each purpose. | SInce Grindr did not provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes, the NO DPA conclude that Grindr does not provide separate opt-in for each purpose. | ||
===== | ===== 2.3. Consent is not informed ===== | ||
- The information Grindr provided on the processing in question was not distinguishable from other matters. The NO DPA's view is that the way Grindr bundled consent with the whole privacy policy does not differ significantly from bundling consent with terms of use in the context of enabling data subjects to make informed decisions and understand what they are agreeing to. | - The information Grindr provided on the processing in question was not distinguishable from other matters. The NO DPA's view is that the way Grindr bundled consent with the whole privacy policy does not differ significantly from bundling consent with terms of use in the context of enabling data subjects to make informed decisions and understand what they are agreeing to. | ||
| Line 126: | Line 126: | ||
- Except for the example of Twitter’s MoPub, there was no information available for the data subject on which recipients or the number of recipients the personal data was disclosed to for the purpose of targeted advertisement. As a result, consent is not informed. | - Except for the example of Twitter’s MoPub, there was no information available for the data subject on which recipients or the number of recipients the personal data was disclosed to for the purpose of targeted advertisement. As a result, consent is not informed. | ||
===== | ===== 2.4. Consent is not unamiguous ===== | ||
Clicking "accept" the privacy policy may entail that the user acknowledged the fact that infiormation has been provided. It is therefore not obvious that the users consented to the data processing. | Clicking "accept" the privacy policy may entail that the user acknowledged the fact that infiormation has been provided. It is therefore not obvious that the users consented to the data processing. | ||
===== | ===== 2.5. Withdrawal of consent is not as easy as to give consent ===== | ||
While, in the previous version of the CMP, consenting to data sharing was two clicks away, withrawing consent required to read a long privacy policy and going through the required steps of opting out in their device settings. | While, in the previous version of the CMP, consenting to data sharing was two clicks away, withrawing consent required to read a long privacy policy and going through the required steps of opting out in their device settings. | ||
The only other options to effectively withdraw “consent” was limited to the data subject deleting his or her Grindr account, or going through the necessary steps to upgrade to the paid version of the app. Neither of these options could be considered as easy as giving “consent”, which as mentioned was two clicks away. | The only other options to effectively withdraw “consent” was limited to the data subject deleting his or her Grindr account, or going through the necessary steps to upgrade to the paid version of the app. Neither of these options could be considered as easy as giving “consent”, which as mentioned was two clicks away. | ||
==== | ==== 3. Special categories of data under Article 9 GDPR ==== | ||
NO DPA disagreed with Grindr that the data of its users did not reveal their sexual orientation. | NO DPA disagreed with Grindr that the data of its users did not reveal their sexual orientation. | ||
| Line 145: | Line 145: | ||
- The exception under Article 9(2) is not applicable since the users could not be considered as making their data manifestly public just by using the app (which is a closed community) and sharing pictures (when they could not always be recognised). | - The exception under Article 9(2) is not applicable since the users could not be considered as making their data manifestly public just by using the app (which is a closed community) and sharing pictures (when they could not always be recognised). | ||
==== | ==== 4. Fine ==== | ||
== Comment == | == Comment == | ||
Revision as of 12:00, 20 December 2021
| Datatilsynet (Norway) - 20/02136-18 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 3(2) GDPR Article 6(1) GDPR Article 9 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 13.12.2021 |
| Published: | 15.12.2021 |
| Fine: | 65000000 NOK |
| Parties: | n/a |
| National Case Number/Name: | 20/02136-18 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | Datatilsynet (in EN) |
| Initial Contributor: | n/a |
The Norwegian Data Protection Authority imposed a fine of € 6.5 million on Grindr for not collecting a valid consent for sharing data with third parties for profiling and advertising purposes from Grindr App.
English Summary
Facts
In January 2020, the NO DPA received 3 complaints against Grindr from the Norwegian Consulmer Council (NCC) in collaboration with noyb regarding the sharing of data between the Grindr app and advertising partners MoPub, Xandr, OpenX Software, Ad Colony and Smaato. The complaint was based on the report 'our of control' prapared by the company mnemonic commissioned by the NCC.
The NCC's inquiry showed that Grindr shared certain categories of personal data to several advertising partners, including advertising ID, IP address, GPS, location, gender, age, device information and app name.
The data was shared through software development kits (SDKs).
Holding
1. Application of the GDPR
1.1 Territorial scope of the GDPR
Grindr is etsablished in thre US. The NO DPA holds that the GDPR is applicable since
- the service is provided to users in the EU and
- Grindr is monitoring its user's behaviour, including movement and location within Norway and the EEA (Article 3(2)(a) and (b) GDPR respectively).
Since there is no establishment of Grindr in the EU, the one stop shop mechanism is not applicable.
1.2. Processing of personal data
The NO DPA considered that since the data shared were associated with/included advertising ID provided by the mobile devices, the data at stake are personal data.
2. Validity of consent
2.1 Value of the EDPB Guidelines
The NO DPA refers to EDPB Guidelines on consent. It considers that even if not binding, EDPB guidelines cannot be regarded as having no legal effect and DPAs are expected to follow them when enforcing the GDPR in concrete cases.
2.2. Consent is not free
2.2.a) Conditions for free consent
- Consent can only be regarded as freely given is users are given a genuine choice.
- In a 'Take it or leave it' situation, consent cannot be seen as freely given.
- Consent mus t be granular and cover each specific processing operations, and not a set of them.
- The users were forced to accept the privacy policy to use the app and therefore, consent requests for sharing personal data with advertising partners were bundled with requests for consent for other processing operations and other purposes, despite separate consents being appropriate and practical. This did not give the users a free choice. In this case, accepting the privacy policy is regarded as the same as bundling the consent with terms and conditions, since the
2.2.b) Consent as a condition to access the service
Sharing Grindr's users personal data with advertising partners for online behavioural advertising purposes was not necessary for the performance of the Grindr's services.
Consequently, gaining access to the Grindr services within the free version of the app was made conditional on “consenting” to sharing personal data with advertising partners for advertising purposes which was not necessary for the performance of Grindr’s services. This indicates that consent was not “freely given”. - By making it more difficult and time-consuming to refuse consent than to give consent, the controller “nudges” the data subject to consent to the processing operation even if they may not wish to, and it thus deprives the data subject of genuine freedom of choice. - Consenting to personal data sharing for advertising purposes was two clicks away, while declining required the data subject to take the time to read a lengthy privacy policy. Thus, refusal of consent was a lot more difficult and time consuming compared to accepting.
An “opt-out” solution would not meet the requirements for a valid consent, as it would not be an “unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action
The fact that a paid version is offered without sharing of data does not change this conclusion. Among other things, the NO DPA stresses that the paid version was not advertised as a way to op-out of sharing data.
The NO DPA refers to the views of the EDPS and EDPB, according to which data is not a commodity.
2.2.c) Conclusion on free consent
Consent cannot be seen as free since:
- Grindr did not allow separate consents to different personal data processing operations despite it being appropriate; - Access to services in the free version of the app was made conditional on consenting to Grindr sharing personal data with advertising partners despite this not being necessary for the performance of the service; and - Data subjects could not refuse or withdraw consent without detriment.
2.2. Consent is not specific
SInce Grindr did not provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes, the NO DPA conclude that Grindr does not provide separate opt-in for each purpose.
2.3. Consent is not informed
- The information Grindr provided on the processing in question was not distinguishable from other matters. The NO DPA's view is that the way Grindr bundled consent with the whole privacy policy does not differ significantly from bundling consent with terms of use in the context of enabling data subjects to make informed decisions and understand what they are agreeing to.
-Grindr did not present the information in an easily accessible form, and it did not enable the data subject to be able to easily determine the consequences of any consent they might give.
- Except for the example of Twitter’s MoPub, there was no information available for the data subject on which recipients or the number of recipients the personal data was disclosed to for the purpose of targeted advertisement. As a result, consent is not informed.
2.4. Consent is not unamiguous
Clicking "accept" the privacy policy may entail that the user acknowledged the fact that infiormation has been provided. It is therefore not obvious that the users consented to the data processing.
2.5. Withdrawal of consent is not as easy as to give consent
While, in the previous version of the CMP, consenting to data sharing was two clicks away, withrawing consent required to read a long privacy policy and going through the required steps of opting out in their device settings.
The only other options to effectively withdraw “consent” was limited to the data subject deleting his or her Grindr account, or going through the necessary steps to upgrade to the paid version of the app. Neither of these options could be considered as easy as giving “consent”, which as mentioned was two clicks away.
3. Special categories of data under Article 9 GDPR
NO DPA disagreed with Grindr that the data of its users did not reveal their sexual orientation.
- It is not necessary to demonstrate that a specific processing has led or is likely to actual harm or damage in order to fall within the scope of Article 9(1)
- NO DPA disagrees with Grindr that holds that although there are places where sexual minorities are at risk of being discriminated against, this is not a type of discrimination that is evident in the digital world.
- The NO DPA notes that the sharing of personal data concerning a natural person’s “sexual orientation” to advertising partners is sufficient to trigger Article 9, irrespective of how the data is further processed by the data controllers the data was disclosed to.
- The exception under Article 9(2) is not applicable since the users could not be considered as making their data manifestly public just by using the app (which is a closed community) and sharing pictures (when they could not always be recognised).
4. Fine
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
