Datatilsynet - 20/02254-1 (20/00768)/TSM

From GDPRhub
Datatilsynet - 20/02254 (Grindr)
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 57(1)(a) GDPR
Article 57(1)(f) GDPR
Article 58(1) GDPR
Article 5(3) ePrivacy Directive 2002/58/EC
Public Administration Act § 14
The Electronic Communications Act § 2(7)(b)
Type: Complaint
Outcome: Rejected
Decided: 07.09.2020
Published: 07.09.2020
Fine: None
Parties: OpenX Software Ltd., OpenX Ltd. and OpenX Technologies, Inc.
Privacy Appeals Board
Datatilsynet
National Case Number/Name: 20/02254 (Grindr)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Personvernnemda (in NO)
Initial Contributor: Rie Aleksandra Walle

In a case at the intersection of telecommunications law and data protection, the Norwegian Privacy Appeals Board (Personvernrådet) upheld the Norwegian DPA's (Datatilsynet) request for information to OpenX.

English Summary

Facts

The Norwegian Consumer Council (Forbrukerrådet) filed three complaints against the gay/bi dating app Grindr and five adtech companies that received personal data through the app. Subsequently, Datatilsynet sent a request for more information to one of the adtech companies, OpenX.

OpenX refused to respond, arguing that Datatilsynet does not have legal grounds to impose such a request on them because, in their opinion, the issue falls under the Electronic Communications Act § 2(7)(b) (cf. Article 5(3) ePrivacy Directive 2002/58/EC), for which the Norwegian Communications Authority, and not Datatilsynet, is the right supervisory authority. OpenX filed a complaint with the Privacy Appeals Board.

Dispute

Does Datatilsynet have the legal grounds (as a supervisory authority) to impose a request for information on OpenX?

Holding

The Privacy Appeals Board rejected OpenX's complaint as they concluded that Datatilsynet has legal grounds to impose such requests for information as per Article 58(1) GDPR.

Comment

Note that this decision doesn't revolve around the initial complaints submitted by the Norwegian Consumer Council (Forbrukerrådet) or Datatilsynet's view on the matters of the complaints. This matter is solely about Datatilsynet's legal grounds to impose a request for information on a data controller, data processor or their representative.

English Machine Translation of the Decision

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

PVN-2020-12 Complaint about the Data Inspectorate's order for a report - the relationship between the Electronic Communications Act and the Personal Data Act
The Data Inspectorate's reference: 20/02254-1 (20/00768)/TSM
Decision of the Privacy Board 7 September 2020 (Mari Bø Haugstad, Bjørnar Borvik, Gisle Hannemyr, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg, Hans Marius Tessem)
The case concerns a complaint from OpenX Software Ltd., OpenX Ltd. and OpenX Technologies, Inc. (hereinafter OpenX) of the Data Inspectorate's order for disclosure pursuant to Article 58 (1) of the Privacy Ordinance.

Background to the case
Grindr is a location-based social network and a mobile phone application for online dating (dating app) for gays, bisexuals and transgender people. In connection with the Consumer Council's launch of the report "Out of Control", the Consumer Council complained to the Data Protection Authority about both Grindr and several advertising companies Grindr uses. One of these advertising companies is OpenX, to which this case applies. The Consumer Council believes that the advertising company receives personal information from Grindr, including the users' sexual orientation and location, and that they illegally share the information with others without the consent of the data subjects.

Many of the defendant advertising companies are not established in Norway. On 21 February 2020, the Data Inspectorate sent OpenX a request for an account of various overriding issues concerning processing responsibility, any main establishments in Europe, as well as questions about cross-border processing taking place, cf. the Privacy Ordinance, Article 58, first paragraph, letter a. which supervisory authorities in the EEA are competent to deal with the various cases.

OpenX complained in a timely manner about the requirement for a statement, cf. the Public Administration Act § 14. OpenX states that the Norwegian Data Protection Authority has no authority to order them to give a statement. OpenX has pointed out that the National Communications Authority (Nkom) is the supervisory authority under the Electronic Communications Act, and that the processing of information to which the complaint from the Consumer Council applies is exhaustively regulated by Electronic Communications Act § 2-7 b.

The Norwegian Data Protection Authority assessed the complaint, but found no basis for changing its decision and upheld its request for a statement. The Norwegian Data Protection Authority forwarded the case to the Privacy Board on 24 June 2020. OpenX was informed of the case in a letter from the board on 29 June 2020 and was given the opportunity to comment. In a letter dated 10 August 2020, OpenX provided its comments.

The case was discussed at the tribunal's meeting on 7 September 2020. The Privacy Board had the following composition: Mari Bø Haugstad (chair), Bjørnar Borvik (deputy chair), Gisle Hannemyr, Line Coll, Hans Marius Graasvold, Ellen Økland Blinkenberg and Hans Marius Tessem. Secretariat leader Anette Klem Funderud was also present.

OpenX has mainly stated
The Consumer Council's complaint against Grindr and, among other things, OpenX concerns the question of whether the companies have a legal basis for processing personal data about Grindr users through the mobile phone application Grindr.

The question of legal basis in relation to the appeal is regulated by Act no. 83 of 4 July 2003 on electronic communications (Electronic Communications Act) § 2-7 b. In accordance with § 1-4 and § 10-1 of the Electronic Communications Act, it is Nkom - not The Norwegian Data Protection Authority - which has been given competence to control compliance with the Electronic Communications Act.

Electronic Communications Act § 2-7 b sets out the legal requirements for the use of cookies and technology that collect and store information from the user's communication equipment or gain access to such information. The provision, which applies regardless of whether the information is regarded as personal data, requires consent as a legal basis for the processing and is primarily governed by communication protection considerations.

The complaint concerns OpenX's collection of information about the Grindr user through access to the user's device. OpenX delivers technologies that make it possible to offer targeted marketing to the users of the Grindr app, and is a data processor based on the instructions and purposes determined by the data controller. Before user information can be processed, OpenX must obtain user information from the user's device. OpenX collects information from the user's device through technologies - known as SDKs (software development kits) that are incorporated into the Grindr application. Such technologies enable OpenX to collect mobile marketing IDs, IP addresses, and other device information such as screen size and resolution. The technologies used are similar and work in the same way as cookies and undoubtedly fall within the scope of Electronic Communications Act § 2-7 b.

Only one supervisory authority has competence with regard to OpenX's processing activities. The legislature has divided the authority to control data processing between the Norwegian Data Protection Authority and Nkom. While the Data Inspectorate is the competent supervisory authority for the general rules on the processing of personal data under the Privacy Ordinance, some special, limited processing activities are specifically regulated in Electronic Communications Act § 2-7 b, where only Nkom is the competent authority to monitor compliance with this. The Norwegian Data Protection Authority is not competent to order OpenX to provide information regarding the complaint from the Consumer Council about the legal basis for the processing.

Nkom and the Norwegian Data Protection Authority interpret the legal requirements for using cookies and similar technologies and how consent to cookies can be obtained differently. It is not in accordance with the legislator's intentions in either the EU or Norway that two supervisory authorities intend to provide authoritative guidance on the same legislative matter, at the same time as they provide conflicting guidance.

In a statement from the European Data Protection Board, Opinion 5/2019 12 March 2019, the following is noted on page 22:

«As a general comment, where several authorities are competent for the different legal instruments, they should ensure that enforcement of both instruments is consistent inter alia to avoid a breach of the non bis in idem principle in case infringements of provisions of the GDPR and ePrivacy Directive which took place in the context of one processing activity are strongly linked.»

The Norwegian Data Protection Authority must have a clear idea of the scope and limitations of its competence. The public should not bear the risk of the unclear and inconsistent legal situation.

Based on the legislator's intentions, the statements from the Privacy Council and the basic principles of legal clarity and predictability, only Nkom is the competent supervisory authority for OpenX's processing activities under the Electronic Communications Act § 2-7 b as lex specialis.

The Communication Protection Directive (EU Directive 2002/58/EC, ePrivacy Directive) and Electronic Communications Act § 2-7 b, which implement Article 5 (3) of the Communication Protection Directive, are lex specialis for the Privacy Regulation. Article 95 of the Privacy Regulation also states that the Regulation shall not introduce additional obligations when there are special obligations with the same purpose as those laid down in the Communication Protection Directive. Such special obligations under the Electronic Communications Act will therefore apply instead of, and not in addition to, obligations under the Privacy Ordinance. The complaint concerns the Grindr app and information obtained from SDK that is alleged to be shared through the app's SDK integrations. Consequently, it is the special obligations under the Electronic Communications Act that are central to the appeal in the present case.

According to the Norwegian Data Protection Authority, the Communications Protection Directive and the Electronic Communications Act do not regulate subsequent processing activities. OpenX's processing activities are subject to Electronic Communications Act § 2-7 b before the company performs any processing where the Data Inspectorate is the supervisory authority under the Privacy Ordinance. OpenX does not perform any subsequent processing for its own purposes.

The Data Inspectorate's assessment
The Data Inspectorate's requirement for a report was based on a need to clarify which supervisory authority is possibly the leading supervisory authority under the Privacy Ordinance in the various cases, not to process the substantive allegations in the complaints.

Electronic Communications Act § 2-7 b regulates consent to, and information about, cookies and Nkom is the competent supervisory authority with regard to compliance and enforcement of the Electronic Communications Act. The Personal Data Act and the Privacy Ordinance also apply to the processing of personal data.

Information that can be collected through cookies and similar technologies will often identify an individual via their device(s), and then it constitutes personal data in accordance with the Privacy Ordinance Article 4 No. 1. The Data Inspectorate is competent to monitor compliance with the Privacy Ordinance in line with Articles 57 and 58 of the Regulation.

When it comes to accessing information through cookies and similar technologies, the communications protection directive is lex specialis. This follows from Article 95 of the Privacy Ordinance, which states that the Privacy Ordinance shall not introduce additional obligations where there are special obligations with the same purpose under the Communications Protection Directive. Article 5 (3) of the Communication Protection Directive and Electronic Communications Act § 2-7 b contain special obligations when storing and accessing information already stored on the user's communication equipment. The purpose of the provision is to set a certain threshold for the right to perform these specific processing activities because the user's communication equipment is part of private life, cf. the Communication Protection Directive, paragraph 24.

However, Article 5 (3) of the Communication Protection Directive and Electronic Communications Act § 2-7 b do not regulate other or subsequent processing activities, such as further storage on a server, sharing, sale, compilation, analysis or profiling. The purpose of the provisions is not to regulate the use of information once it has been collected, or other aspects of personal data protection. The Privacy Ordinance applies as a lex generalis, cf. the Ordinance's Proposition 173. The Ordinance's rules on principles, basis for processing, information, the data subject's rights, the data controllers' duties and transfer to third countries apply, and the Data Inspectorate and the Privacy Board are competent authorities to assess subsequent processing. This is in line with the Communication Protection Directive, paragraph 10,

In March 2019, the Privacy Council issued a formal statement on the interaction between the ePrivacy Directive and the Privacy Ordinance as well as the data protection authorities' competence under the consistency mechanism in the Privacy Ordinance Article 64 no. 2, cf. opinion 5-2019. According to the Privacy Council, the Privacy Ordinance applies in addition to the Communication Protection Directive and the Privacy Council states the following in sections 68-69:

«When the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, data protection authorities are competent to scrutinize subsets of the processing which are governed by national rules transposing the ePrivacy Directive only if national law confers this competence on them. However, the competence of data protection authorities under the GDPR in any event remains unabridged as regards processing operations which are not subject to special rules contained in the ePrivacy Directive. (…) Data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy directive, does not limit the competence of data protection authorities under the GDPR».

The Privacy Council's statement is a relevant source of law because it was issued by an independent EU body pursuant to Article 64 of the Privacy Regulation, and expresses the supervisory authorities' harmonized views across the EEA.

On Nkom's website, Nkom acknowledges in its guide to consent to cookies that the processing may also be subject to the Privacy Ordinance.

A large part of the processing of personal data that takes place today takes place through the storage and reading of information on the user's communication equipment, such as when visiting websites and using mobile apps. If OpenX's appeal is upheld, it will mean that the Data Inspectorate will not be able to control such processing of personal data, and that this authority lies exclusively with Nkom. This lacks support in legal sources and is clearly contrary to the legislator's intentions in both Norway and the EU.

The Data Inspectorate is competent under Articles 57 and 58 of the Privacy Ordinance to supervise OpenX's compliance with the Privacy Ordinance for those parts of the processing that are not specifically regulated by the Electronic Communications Act. OpenX has a duty to respond to the Data Inspectorate's requirements for a report on 21 February 2020, as the requested information is necessary for the performance of the Data Inspectorate's tasks.

OpenX's allegation of legal ambiguity and the supervisory authorities' different views on the use of cookies and consent are not relevant to the subject matter of the complaint.

The Privacy Board's assessment
The Norwegian Data Protection Authority has required OpenX to provide an account of its processing of personal data related to Grindr, cf. the Privacy Ordinance Article 58 no. 1. Pursuant to section 14 of the Public Administration Act, legal access to provide the information. In other words, the right of appeal is limited to the legality of the order. The provision in § 14 thus gives a narrower right to appeal than under the Public Administration Act § 28. The grounds for appeal are exhaustively stated in § 14 and appeals thus do not have a legal claim to have the appropriateness or reasonableness of the decision reviewed, even if the appeal body has access to try also that side of the case, cf. the Public Administration Act §§ 34 and 35 (cf. § 14 in fine, which states that the provisions of Chapter VI apply correspondingly as far as they are appropriate). The tribunal assumes that OpenX has submitted the complaint within the deadline in the Public Administration Act § 14.

The question for the tribunal is whether Article 58 no. 1 of the Privacy Ordinance gives the Data Inspectorate authority to require OpenX to provide the Authority with a statement or whether OpenX's processing of information (also in the case of personal data) is exhaustively regulated by the Electronic Communications Act, where it is the National Communications Authority (Nkom) which is the supervisory authority.

The tasks of the Data Inspectorate pursuant to Article 57 (1) (a) and (f) of the Privacy Regulation are to "supervise and enforce the application of this Regulation" and "process complaints lodged by a data subject […] and examine, to the extent appropriate, the subject matter of the complaint and inform the complainant of the course and outcome of the investigation within a reasonable time, in particular if there is a need for further investigation or coordination with another supervisory authority".

Section 20 of the Personal Data Act further stipulates in the third paragraph:

«The Data Inspectorate's authority pursuant to Article 58 of the Privacy Ordinance applies correspondingly to supervision of compliance with

provisions of the Act here and in regulations issued pursuant to the Act here
provisions on the processing of personal data in other laws and regulations, insofar as the processing falls within the scope of the Act and the Privacy Ordinance pursuant to section 2. »
In the preparatory work for the Personal Data Act, Prop. 56 LS (2017–2018), section 26.5, the Ministry states the following about the provision:

"In a number of cases, the regulation opens up for national rules that specify and supplement the rules of the regulation. The Ministry proposes a special provision that makes it clear that the supervisory authority also has competence with regard to compliance with national rules on the processing of personal data in the Personal Data Act and in special legislation, which complements the rules of the regulation. The Data Inspectorate has requested a discussion of the consequences that the Data Inspectorate has the authority to supervise all processing of personal data will have for other authorities and bodies that are currently assigned tasks related to safeguarding privacy. The division of authority between the Norwegian Data Protection Authority and any other authorities will depend on an interpretation of the rules in the Personal Data Act and any rules in the special legislation. "

The Data Inspectorate's investigating authority is stated in the Personal Data Act § 23 and the Privacy Ordinance Article 58 no. 1. Pursuant to Article 58 no. 1 letter a, the Authority has the competence to:

"Instruct the controller and the processor and, if applicable, their representative, to provide all the information they need to be able to perform their tasks."

According to OpenX, the company collects, via cookies, information about Grindr users such as ID for mobile marketing, IP addresses and other device information such as screen size and resolution. Like the Norwegian Data Protection Authority, the tribunal assumes that this may be information that is suitable for identifying a natural person, and thus falls within the scope of the Personal Data Act, cf. section 2 of the Personal Data Act and Article 4 no. which states that:

«Natural persons can be linked to network identifiers via equipment, programs, tools and protocols, e.g. IP addresses, cookies or other identifiers, e.g. radio frequency identification tags. This can leave traces that, especially in combination with unique identifiers and other information that the servers receive, can be used to create profiles for natural persons and identify them. "

Although the Electronic Communications Act and the Communications Protection Directive regulate "storage" and "access" to information in the user's communications equipment, there is nothing, neither in the Act nor in the drafting of the Act, to indicate that the Privacy Ordinance's rules, such as the data controller's duties and data subjects' rights, do not apply when the information processed is personal information. On the contrary, it follows from the Communication Protection Directive that the Privacy Ordinance applies, cf. the Communication Protection Directive's point 10, which reads:

"In the electronic communications sector, Directive 95/46/EC shall apply in particular to all matters relating to the protection of fundamental rights and freedoms not specifically covered by the provisions of this Directive, including the obligations of the controller and the rights of natural persons. Directive 95/46/EC applies to non-public communications services."

Whether the complaint submitted by the Consumer Council concerns the processing of information that is exhaustively regulated by the Electronic Communications Act, as OpenX states, or not, is, in the tribunal's assessment, irrelevant. In the Privacy Ordinance, Article 58 no. 1, the Data Protection Authority has a general authority to order the data controller, the data processor or their representative to submit all information the Authority needs to perform its tasks, regardless of the complaint that may have made the Data Inspectorate aware of the activity.

The possible legal ambiguity and the two supervisory authorities' possible different views on the use of cookies and the requirements for a valid consent are irrelevant to the Data Inspectorate's competence under Articles 57 and 58 of the Privacy Ordinance to supervise OpenX's compliance with the Privacy Ordinance for those parts of the processing that are not specifically regulated by the Electronic Communications Act.

OpenX has a duty to provide the Data Inspectorate with the information the Authority has requested in its request for a report on 21 February 2020.

OpenX has not been successful in its complaint.

The decision is unanimous.

Decision
OpenX has a duty to provide the Data Inspectorate with the information the Authority has requested in its request for a report on 21 February 2020.

Oslo, 7 September 2020

Mari Bø Haugstad

Chair