Datatilsynet (Norway) - 20/02136 (notification)
|Datatilsynet - 20/02136|
|Relevant Law:||Article 6(1) GDPR|
Article 9(1) GDPR
Article 51(1) GDPR
Article 58(2)(i) GDPR
|National Case Number/Name:||20/02136|
|European Case Law Identifier:||n/a|
|Original Source:||The Norwegian DPA (in EN)|
|Initial Contributor:||Rie Aleksandra Walle|
The Norwegian DPA (Datatilsynet) notified Grindr that they will be fined €9,610,000 for disclosing both personal data to third party advertisers without a legal basis under Article 6(1) GDPR, and special category personal data without a valid exemption from the prohibition in Article 9(1) GDPR. Grindr has until February 15 2021 to contest the fine.
English Summary[edit | edit source]
Facts[edit | edit source]
In January 2020, the Norwegian Consumer Council (Forbrukerrådet) and NOYB filed three complaints against the gay/bi dating app Grindr and five adtech companies for personal data Grindr were disclosing through their app with the aforementioned third party advertisers (Twitter`s MoPub, AT&T’s AppNexus (now Xandr), OpenX, AdColony, and Smaato). In particular, they highlighted the amount of sensitive personal data shared by such tech and adtech companies, including exact location, which is highly problematic in several countries and poses a real threat to the fundamental rights and freedoms of individuals.
Grindr alleged that they had valid consent for their processing of personal data and special category personal data, including disclosure to third parties. The company further held that they had legal grounds for processing special category personal data as per Article 9(2)(e), as Grindr users "manifestly" had made their use of the app public, simply by using it.
The DPA conducted a thorough analysis on the matter, specifically concerning the fundamental requirements for valid consent, i.e. a consent must be freely given, specific, informed and unambiguous. Their analysis demonstrated that Grindr, in fact, were in breach of all consent requirements as per the GDPR.
Dispute[edit | edit source]
Did Grindr have legal grounds for disclosing personal data to third party advertisers? Did their alleged consents meet the standards of the GDPR?
Holding[edit | edit source]
The DPA held that Grindr's alleged legal grounds, namely consent as per Article 6(1)(a) and explicit consent as per Article 9(2)(a), did not meet the requirements as per the GDPR. Further, they found that Article 9(2)(e) was not a relevant legal ground, as it couldn't be demonstrated that Grindr users "manifestly" made their use of the app public. Thus, Grindr did not fulfill one of the exceptions in Article 9(2)(e).
Consequently, the DPA held that Grindr did not have a legal basis under Article 6(1) for disclosing personal data to third party advertiserts, and that they did not have a valid exemption from the prohibition in Article 9(1) for processing and disclosing special category personal data. The DPA notified Grindr that they will be fined €9,610,000. The company has until February 15, 2021 to contest the fine.
Comment[edit | edit source]
The DPA decision provides an in-depth analysis of the consent requirements as per the GDPR, cf. Articles 6(1)(a), 7, 9(2)(a), Recitals 32, 33, 42 and 43, as well as EDPB's Guidelines 05/2020 on consent, cf. WP29's Guidelines on consent (revised version, 2018).
Further Resources[edit | edit source]
- Press release about the report "Out of control" revealing comprehensive illegal collection and indiscriminate use of personal data, research from the Norwegian Consumer Council (NCC): https://www.forbrukerradet.no/side/new-study-the-advertising-industry-is-systematically-breaking-the-law/ and the report itself: https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/report-out-of-control/
- The original complaint press release by NOYB: https://noyb.eu/en/three-gdpr-complaints-filed-against-grindr-twitter-and-adtech-companies-smaato-openx-adcolony-and and the NCC: https://www.forbrukerradet.no/side/filing-complaint-against-grindrs-sharing-users-hiv-status-and-sexual-preferences/
- Press releases on the decision to fine Grindr from the DPA (in Norwegian): https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2021/varsel-om-overtredelsesgebyr/ from the NCC: https://www.forbrukerradet.no/news-in-english/historic-victory-for-privacy-as-dating-app-receives-gigantic-fine/ and NOYB: https://noyb.eu/en/gay-dating-app-grindr-be-fined-almost-eu-10-mio
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.