Datatilsynet (Norway) - 20/02136
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 3(2) GDPR
Article 6(1) GDPR
Article 9 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 13.12.2021
Published: 15.12.2021
Fine: 65000000 NOK
Parties: n/a
National Case Number/Name: 20/02136-18
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Datatilsynet (in EN)
Initial Contributor: n/a

The Norwegian Data Protection Authority fined Grindr about €6.4 million (NOK 65 million) for not collecting valid consent from users of the Grindr app before sharing their data with third parties for profiling and advertising purposes.

English Summary

Facts

In January 2020, the Norwegian DPA received 3 complaints against Grindr from the Norwegian Consumer Council (NCC) in collaboration with noyb regarding the sharing of data between the Grindr app and advertising partners MoPub, Xandr, OpenX Software, Ad Colony and Smaato. The complaint was based on the report 'out of control' prepared by the company mnemonic, and commissioned by the NCC.

The NCC's inquiry showed that Grindr shared certain categories of personal data with several advertising partners, including advertising ID, IP address, GPS location, gender, age, device information and app name.

The data was shared through software development kits (SDKs).

Holding

Application of the GDPR

Territorial scope of the GDPR

Grindr is established in the US. The Norwegian DPA held that the GDPR was applicable since:

  • the service is provided to users in the EU and
  • Grindr is monitoring its users' behaviour, including movement and location within Norway and the EEA (Article 3(2)(a) and (b) GDPR respectively).

Since there was no establishment of Grindr in the EU, the one stop shop mechanism was not applicable.

Processing of personal data

The NO DPA considered that, since the data shared were associated with or included the advertising ID provided by the mobile device, the data at stake are personal data.

Validity of consent

Value of the EDPB Guidelines

The NO DPA referred to the EDPB Guidelines on consent. It considered that even if not binding, EDPB guidelines cannot be regarded as having no legal effect and DPAs are expected to follow them when enforcing the GDPR in concrete cases.

Consent is not free

Conditions for free consent

  • Consent can only be regarded as freely given if users are given a genuine choice.
  • In a 'take it or leave it' situation, consent cannot be seen as freely given.
  • Consent must be granular and cover each specific processing operation, not a set of them.
  • The users were forced to accept the privacy policy to use the app; consent requests for sharing personal data with advertising partners were therefore bundled with requests for consent to other processing operations and other purposes, despite separate consents being appropriate and practical. This did not give the users a free choice. In this case, accepting the privacy policy is regarded as equivalent to bundling the consent with terms and conditions.

Consent as a condition to access the service

Sharing Grindr users' personal data with advertising partners for online behavioural advertising purposes was not necessary for the performance of Grindr's services.

Consequently, gaining access to the Grindr services within the free version of the app was made conditional on “consenting” to sharing personal data with advertising partners for advertising purposes which was not necessary for the performance of Grindr’s services. This indicates that consent was not “freely given”.

  • By making it more difficult and time-consuming to refuse consent than to give consent, the controller “nudges” the data subject to consent to the processing operation even if they may not wish to, and it thus deprives the data subject of genuine freedom of choice.
  • Consenting to personal data sharing for advertising purposes was two clicks away, while declining required the data subject to take the time to read a lengthy privacy policy. Thus, refusal of consent was a lot more difficult and time consuming compared to accepting.

An “opt-out” solution would not meet the requirements for a valid consent, as it would not be an “unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action".

The fact that a paid version is offered without sharing of data does not change this conclusion. Among other things, the Norwegian DPA stressed that the paid version was not advertised as a way to opt out of sharing data.

It referred to the views of the EDPS and EDPB, according to which data is not a commodity.

Conclusion on free consent

Consent could not be seen as free since:

  • Grindr did not allow separate consents to different personal data processing operations despite it being appropriate;
  • Access to services in the free version of the app was made conditional on consenting to Grindr sharing personal data with advertising partners despite this not being necessary for the performance of the service; and
  • Data subjects could not refuse or withdraw consent without detriment.

Consent is not specific

Since Grindr did not provide a separate opt-in for each purpose, which would allow users to give specific consent for specific purposes, the NO DPA concluded that the consent was not specific.

Consent is not informed

  • The information Grindr provided on the processing in question was not distinguishable from other matters. The NO DPA's view is that the way Grindr bundled consent with the whole privacy policy does not differ significantly from bundling consent with terms of use, as far as enabling data subjects to make informed decisions and understand what they are agreeing to is concerned.
  • Grindr did not present the information in an easily accessible form, and it did not enable the data subject to easily determine the consequences of any consent they might give.
  • Except for the example of Twitter's MoPub, there was no information available to the data subject on which recipients, or how many recipients, the personal data was disclosed to for the purpose of targeted advertising. As a result, consent was not informed.

Consent is not unambiguous

Clicking "accept" on the privacy policy may only mean that the user acknowledged that information had been provided. It is therefore not obvious that the users consented to the data processing.

Withdrawal of consent is not as easy as to give consent

While, in the previous version of the CMP, consenting to data sharing was two clicks away, withdrawing consent required reading a long privacy policy and going through the required steps of opting out in the device settings.

The only other options to effectively withdraw "consent" were limited to the data subject deleting his or her Grindr account, or going through the necessary steps to upgrade to the paid version of the app. Neither of these options could be considered as easy as giving "consent", which as mentioned was two clicks away.
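The findings on free, specific, informed and unambiguous consent and on withdrawal above all describe properties of the consent flow and of the in-app gate in front of the SDK calls. The following Python is an added example, not Grindr's code nor anything from the decision: it encodes those criteria as a checklist run over two constructed consent-flow designs (an "old" design mirroring the findings, and a corrected one), and it shows the opt-in gate an app would apply before handing an event to an advertising SDK. The purpose names, the field-to-purpose mapping and the step counts (six steps for the old withdrawal path is a constructed figure standing in for "read a lengthy policy, then change device settings") are assumptions made for the example.

```python
"""Consent-flow checklist and per-purpose SDK sharing gate (added example, constructed data)."""
from dataclasses import dataclass, field

# Purposes for which a dating app might process data (constructed names).
SERVICE = "service"                  # needed to run the app itself
BEHAVIOURAL_ADS = "behavioural_ads"  # sharing with ad partners; requires Article 6(1)(a) consent

# Fields the decision lists as shared with ad partners, keyed by the purpose that
# would justify sending them. Anything not listed for a purpose is never forwarded.
FIELDS_BY_PURPOSE = {
    SERVICE: {"user_id"},
    BEHAVIOURAL_ADS: {"advertising_id", "ip", "gps", "gender", "age", "device_info", "app_name"},
}


@dataclass
class CmpDesign:
    """Parameters of a consent flow, as a reviewer would record them."""
    default_on: bool            # sharing enabled until the user opts out?
    per_purpose_toggles: bool   # one control per purpose, or a single bundled accept?
    bundled_with_policy: bool   # consent request merged into the privacy policy / terms?
    steps_to_accept: int        # user actions needed to give consent
    steps_to_withdraw: int      # user actions needed to withdraw it
    service_gated_on_ads: bool  # free app usable only after consenting to ad sharing?
    recipients_listed: bool     # are the actual ad partners named to the user?


def assess_cmp(d: CmpDesign) -> list:
    """Return the consent-validity findings the design triggers; empty means none."""
    findings = []
    if d.default_on:
        findings.append("opt-out default: no clear affirmative action (not unambiguous)")
    if not d.per_purpose_toggles:
        findings.append("single bundled accept: consent not granular (not specific)")
    if d.bundled_with_policy:
        findings.append("consent merged into privacy policy: not distinguishable (not informed)")
    if d.service_gated_on_ads:
        findings.append("free service conditional on ad sharing: not freely given")
    if d.steps_to_withdraw > d.steps_to_accept:
        findings.append("withdrawal (%d steps) harder than consent (%d steps)"
                        % (d.steps_to_withdraw, d.steps_to_accept))
    if not d.recipients_listed:
        findings.append("recipients not named: consequences not assessable (not informed)")
    return findings


# Constructed designs: the first mirrors the findings in the decision, the second fixes them.
OLD_CMP = CmpDesign(default_on=True, per_purpose_toggles=False, bundled_with_policy=True,
                    steps_to_accept=2, steps_to_withdraw=6, service_gated_on_ads=True,
                    recipients_listed=False)
FIXED_CMP = CmpDesign(default_on=False, per_purpose_toggles=True, bundled_with_policy=False,
                      steps_to_accept=2, steps_to_withdraw=2, service_gated_on_ads=False,
                      recipients_listed=True)


@dataclass
class Consent:
    """Per-user consent state. Default is empty: nothing is shared until opted in."""
    granted: set = field(default_factory=set)

    def grant(self, purpose: str) -> None:
        self.granted.add(purpose)

    def withdraw(self, purpose: str) -> None:
        # Same single action as grant(): withdrawal is no harder than consenting.
        self.granted.discard(purpose)


def payload_for_partner(event: dict, consent: Consent, purpose: str) -> dict:
    """Gate applied in-app before any SDK call: return only the fields the user has
    opted into for `purpose`, or nothing at all if that purpose is not consented to.
    Relying on the partner to discard data it already received would not satisfy this."""
    if purpose != SERVICE and purpose not in consent.granted:
        return {}
    return {k: v for k, v in event.items() if k in FIELDS_BY_PURPOSE[purpose]}


if __name__ == "__main__":
    for name, design in (("old", OLD_CMP), ("fixed", FIXED_CMP)):
        print(name, assess_cmp(design) or ["no findings"])
    consent = Consent()
    event = {"user_id": "u1", "advertising_id": "ad-1", "gps": (59.9, 10.7), "email": "x@example.invalid"}
    print("before opt-in:", payload_for_partner(event, consent, BEHAVIOURAL_ADS))
    consent.grant(BEHAVIOURAL_ADS)
    print("after opt-in: ", payload_for_partner(event, consent, BEHAVIOURAL_ADS))
```

The gate deliberately whitelists fields per purpose rather than blacklisting sensitive ones, so a new field added to an event (the `email` key in the sample) is not forwarded until someone consciously maps it to a consented purpose.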

Special categories of data under Article 9 GDPR

The NO DPA disagreed with Grindr that the data of its users did not reveal their sexual orientation.

  • It is not necessary to demonstrate that a specific processing has led, or is likely to lead, to actual harm or damage in order to fall within the scope of Article 9(1).
  • The NO DPA disagrees with Grindr's position that, although there are places where sexual minorities are at risk of being discriminated against, this type of discrimination is not evident in the digital world.
  • The NO DPA notes that the sharing of personal data concerning a natural person’s “sexual orientation” to advertising partners is sufficient to trigger Article 9, irrespective of how the data is further processed by the data controllers the data was disclosed to.
  • The exception under Article 9(2) is not applicable since the users could not be considered as making their data manifestly public just by using the app (which is a closed community) and sharing pictures (when they could not always be recognised).

Fine

The culpability requirement for administrative fines

The Supreme Court stated that imposing penalties on enterprises requires that a person acting on behalf of the enterprise has at least acted negligently. Intent exists even if Grindr, through its board members or executives acting on its behalf, was unaware that the act was unlawful due to ignorance of legal rules, as long as that ignorance was negligent. Concerning the breaches of the GDPR in this case, the NO DPA therefore finds that a person acting on behalf of Grindr has at least acted negligently and, in its view, intentionally.

On the assessment of whether or not to impose a fine

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them

The NO DPA took into account that the invalid consent enabled data sharing with more than 160 partners.

Also, the NO DPA considered that the invalid consent resulted in large-scale sharing of data for the purpose of providing behavioural advertisement, which involves tracking and profiling.

The NO DPA also took into account the large number of people affected and the sensitive data shared (LGBT people), but also the nature of the data (location data via GPS).

According to the argumentation above, the nature, gravity and duration of the infringements indicate several aggravating factors and point in the direction that an administrative fine is appropriate.

(b) the intentional or negligent character of the infringement

The NO DPA considered that Grindr’s infringements of the GDPR were intentional. This is an aggravating factor.

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects

The NO DPA notes that Grindr still considers that the former CMP is legal and did not inform the recipients of the illegality of the data collected. The NO DPA considered that no mitigating factors could be found.

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32

Grindr did not integrate appropriate measures through its in-app settings. More granularity and granular information in the consent mechanism would in particular contribute towards adherence to the GDPR requirements.

Grindr would have to rely on the action of others, either the user, the operating system, Grindr’s partners, or a combination of the aforementioned, to halt its sharing of data where so required. In consequence, Grindr failed to control and take responsibility for their own data sharing, and the “opt-out” mechanism was not necessarily effective.

Grindr shared the data in question to advertising partners. Even if some advertising partners or other participants in the ad tech ecosystem would “blind” themselves or only receive an obfuscated app ID, this is not in line with the principle of accountability in Article 5(2) GDPR. Grindr would have to rely on the action of advertising partners or other participants in the ad tech ecosystem, to halt its sharing of the data in question.

(e) any relevant previous infringements by the controller or processor

This criterion was not assessed by the NO DPA since it was not relevant: the NO DPA did not previously have the competence to impose a measure against a US-based company due to the territorial scope of the GDPR.

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement

Grindr has cooperated with the NO DPA by providing information to and answering its questions. Therefore, this factor is neither an aggravating nor a mitigating circumstance in the present case.

(g) the categories of personal data affected by the infringement

Data concerning sexual orientation merit special protection under the GDPR, as disclosure of such data could put the data subject's rights and freedoms at risk, such as the right to privacy and non-discrimination. Combined with exact location data, Grindr puts the data subject at even greater risk. This adds to the gravity of the infringement.

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement

The NO DPA considers that this factor is not relevant in the present case.

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures

The NO DPA is not aware of previous corrective measures against Grindr with regard to the same subject matter.

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42

This factor is not relevant in the present case.

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement

The NO DPA rejects Grindr's argument according to which the interpretation of the article violated was not clear. The NO DPA confirms that the decision is not based on the EDPB guidelines, but on the GDPR.

The reference to the grace period given by the Irish DPC is rejected by the NO DPA: first, there is no place for a grace period in the Norwegian legal system; second, the DPC statement dates from July 2020 and could therefore not have given rise to any legitimate expectation.

The fact that Grindr was making a profit out of the NO users using the app was also taken into account. Besides, the turnover of Grindr is also relevant in this case.

The argumentation above shows that an administrative fine is proportionate in the present case.

On the amount of the fine

The NO DPA used the relevant factors above to assess the amount of the fine. The NO DPA did not find Article 83(c), (e), (f), (h), (i) and (j) relevant for the assessment of the amount of the administrative fine in the present case, as it had not established mitigating or aggravating factors in regard to these elements.

Infringement of Articles 6 and 9 GDPR qualifies for the maximum amount for administrative fines as set out in Article 83(5) GDPR: €20,000,000 or 4% of the total worldwide turnover of the preceding financial year.

The NO DPA rejected Grindr's argument that the EBITDA was the relevant factor when determining the fine since the GDPR explicitly refers to the turnover.

The potential negative consequences of COVID on the fine were not taken as a mitigating factor by the NO DPA, since Grindr did not provide any reasons why COVID had a negative financial impact on it.

The NO DPA also rejected the reference made to the French and Danish DPAs' practice on fines, since the NO DPA is not bound by other administrative authorities.

Also, the NO DPA considered that the reference to the fine imposed by the NO DPA on the city of Bergen was not comparable, since Bergen is a public body that receives its funding from public taxes, whereas Grindr enjoys commercial benefit from the infringement.

The NO DPA revised the fine announced in its draft decision (€10,000,000) on the basis that Grindr's revenue (this part is redacted) appears to differ and that Grindr has made changes with the aim of remedying the deficiencies in its previous CMP.

As such, it considered that a fine of €6,500,000 (NOK 65,000,000) was appropriate and dissuasive.

Comment

We can see here a clear link with the reasoned objection raised by the NO DPA against the Irish DPC draft decision on the Facebook case regarding the use of terms and conditions as a legal basis under Article 6(1)(b) GDPR where only consent should be the relevant legal basis.

The NO DPA also considers that data cannot be a commodity and that it should not be possible to pay with it: access to a service should not be made conditional on consent to the processing of personal data.

It is also amusing to note that the NO DPA needs 12 pages to explain why Grindr should be considered to process personal data relating to the sexual orientation of its users.

Also note the Spanish DPA's decision for Grindr, which contradicts several of the Norwegian DPA's findings.
