Oslo tingrett - 23-160384TVI-TOSL/04
| Oslo tingrett - 23-160384TVI-TOSL/04 | |
|---|---|
| Court: | Oslo tingrett (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 4(11) GDPR |
| Decided: | 01.07.2024 |
| Published: | |
| Parties: | Grindr |
| National Case Number/Name: | 23-160384TVI-TOSL/04 |
| European Case Law Identifier: | |
| Appeal from: | Personvernnemnda (Norway) PVN-2022-22 |
| Appeal to: | |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in Norwegian) |
| Initial Contributor: | ec |
A court upheld the DPA's fine of €6,4 million (NOK 65 million) against Grindr for not having a valid legal basis under Article 6(1) GDPR and disclosing special categories of personal data to advertising partners in violation of Article 9(1) GDPR.
English Summary
Facts
Grindr (the controller) is a location-based social networking app marketed towards the LGBTQ community. The app has an ad-based free version, but users can upgrade to paid subscription versions which include more features and are without ads.
In January 2020, the Norwegian Consumer Council together with noyb lodged a complaint with the Norwegian DPA (“Datatilsynet”) against the controller for unlawful sharing of personal data with third parties for marketing purposes. This included GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on the controller's app. Users could be identified through the data shared, and the recipients could potentially further share the data.
On 13 December 2021, the DPA fined the controller €6,4 million (NOK 65 million) for disclosing personal data to advertising partners without a valid legal basis, violating Article 6(1) GDPR. Furthermore, the controller violated Article 9(1) GDPR for disclosing special categories of personal data to advertising partners.
On 14 February 2022, the controller appealed this decision at the Privacy Appeals Board (“Personvernnemnda”). The Privacy Appeals Board upheld the DPA’s decision.
On 27 October 2023, the controller filed a lawsuit against the Privacy Appeals Board at the Oslo District Court (“Oslo tingrett”). The controller argued that the Appeals Board’s decision should be declared invalid or alternatively that the fine should be reduced.
Holding
Disclosure of special categories of personal data
The court held that by providing the App ID, the controller told its advertising partners that a specific user is a user of its app. The court held that from the mere fact that someone is a user of the controller’s app, one can conclude that the user is not heterosexual, and that this information is thus covered by sexual relationships and orientation under Article 9(1) GDPR. Thus, the court concluded that the controller disclosed special categories of personal data under Article 9(1) GDPR, agreeing with the DPA and the Privacy Appeals Board.
The court dismissed the controller’s argument that this interpretation of Article 9(1) GDPR is in conflict with Article 14 ECHR and that the controller is therefore being discriminated against. The court held that Article 9 GDPR is precisely intended to prevent discrimination by ensuring that sensitive personal information is not shared outside the person's control. Therefore, there is no contradiction between Article 9 GDPR and Articles 8 and 14 ECHR. To have a claim to protection under Articles 8 and 14 ECHR, a natural or legal person has to have, for example, a “family life”, “a home” or “a sexual orientation”. The court held that the controller had no sexual orientation and therefore cannot have a claim for protection against discrimination.
Valid consent
The court held that consent was not freely given as there was no real freedom of choice. Because users could only either accept the privacy policy, and thereby hand over personal data for advertising purposes, or cancel and be unable to use the app, they did not have a “real freedom of choice”.
The court dismissed the controller’s argument that users had a real choice by choosing the paid version. The court noted that the paid version was only available after the user had registered a profile, and thus already clicked accept on the privacy policy and shared their personal data with advertising partners. As there was no simultaneous choice to choose a paid version when accepting the privacy policy and thus consenting to the disclosure of personal data to advertising partners, there was no alternative choice and thus no freely given consent.
The court also dismissed the controller’s argument that the privacy statement contained information about how the user could opt out of behaviour-based marketing by changing the settings on the phone, and that a user who did not do this must be seen as consenting to the sharing of personal data. The court found that this option did not meet the requirement for freely given consent, as consent requires an active action and not passivity in the form of failing to change the settings on the phone. Moreover, changing the settings on the phone would apply to all the apps the user had on the phone, which is not a fully acceptable option for users.
Thus, the court held that the controller did not meet the requirement for freely given consent under Article 4(11) GDPR, agreeing with the DPA and the Privacy Appeals Board.
The court further held that the controller did not meet the requirements for specific and informed consent under Article 4(11) GDPR. The controller failed to use clear language, making it difficult for users to understand what they were consenting to and what the consequences were of consent.
Fine amount
The court found that the controller was aware that its way of obtaining consent was not good but used it anyway, as the other alternatives were more expensive or too complicated. It was therefore a conscious choice to breach the GDPR. Moreover, even if the controller did not have any other choice but to use this way of obtaining consent, it still had control over what information was given to users. However, the controller still did not fulfil the information requirement for valid consent. The court thus concluded that the controller had intentionally violated the GDPR.
The court found the breach to be of a serious nature, as the controller violated the requirement for consent and shared personal data of a special category which requires extra protection. Moreover, it affected a large number of users. The court further found that the controller’s sharing of personal data led to an extensive and uncontrolled spread of personal data to advertising partners for behaviour-based marketing. Thousands of companies gained access to the users' personal data that was shared, as the controller had around 10 advertising partners, who in turn had hundreds of partners. Although this case did not cover the advertising partners’ handling of personal data, the court found that this was still relevant as it showed the consequences it had for users of the controller’s app.
The court held that although the controller has changed the way it obtains consent, imposing a fine is still preventative as it will ensure that the controller complies in the future with the obligations that follow from the GDPR and not only related to obtaining valid consent.
Thus, the court concluded there was no basis for reducing the fine amount imposed by the DPA on the controller and upheld both the DPA’s and the Privacy Appeals Board’s decisions.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
OSLO DISTRICT COURT
No restrictions on public reproduction
JUDGMENT
Delivered: 01.07.2024 in Oslo District Court
Case No.: 23-160384TVI-TOSL/04
Judge: District Court Judge Anne-Lene Åvangen Hødnebø
The case concerns: The validity of the Data Protection Authority's decision
Grindr LLC
Lawyer Eva Ingrid Elisabeth Jarbekk, Lawyer Halvard Helle
versus
The State represented by the Data Protection Authority
Lawyer Thea Westhagen Edell, Lawyer Hanne Inger Bjurstrøm Jahren
JUDGMENT
The case concerns the validity of the Data Protection Authority's decision.
Case Presentation
The case concerns judicial review of the Data Protection Authority's decision of September 27, 2023, which upheld the Data Protection Authority's decision of September 13, 2021. Grindr LLC (Grindr) was fined 65 million kroner for violating EU Regulation 2016/679 (General Data Protection Regulation).
Grindr is an American company established in 2009. The company operates a location-based social network and a mobile application (app) for online dating. The purpose of the Grindr app is to facilitate the sharing of information between users. The app has an ad-supported version that can be downloaded and used for free (free version). Additionally, the app has paid versions where users can upgrade to paid subscription versions (Grindr Xtra and Grindr Unlimited) which include more features. The paid versions are without ads. The paid versions are not part of the Data Protection Authority's decision.
Grindr markets itself to the LGBTQ community. LGBTQ is an abbreviation for Lesbian, Gay, Bisexual, Transgender, and Queer. It is a collective term for sexual minorities and gender minorities.
The Data Protection Authority's decision concerns Grindr's disclosure of personal data from July 20, 2018, to April 7, 2020, to advertising partners, including the use of a consent solution. Grindr launched a new consent solution for Grindr's services in the EEA on April 8, 2020.
The new consent solution is not part of the case.
The background for the Data Protection Authority's handling of the case was that the Data Protection Authority received three complaints against Grindr submitted by the Consumer Council on January 14, 2020. The complaints were based on two reports. One report was titled "Out of Control, How consumers are exploited by the online advertising industry," dated January 14, 2020, prepared by the Consumer Council. The other report was titled "Technical Report, 'Out of Control' – a review of data sharing by popular mobile apps," dated January 14, 2020, prepared by Mnemonic on behalf of the Consumer Council. Among other things, the summary on page 2 of the report states:
Summary of findings ...
2. The Grindr app shares detailed user data with a very large number of third parties, including IP address, GPS location, age, and gender. By using MoPub as a mediator, the data sharing is highly opaque as neither the third parties nor the information transmitted are known in advance. We have also seen that MoPub can enrich the data that is shared with other parties dynamically.
The Data Protection Authority requested an explanation from Grindr on February 24, 2020. Grindr responded to the Data Protection Authority on May 22, 2020. The Data Protection Authority issued a notice of violation fee on January 24, 2021. Grindr submitted comments on the notice on March 8, 2021. The Consumer Council submitted comments on the notice on March 15, 2021. Thereafter, there was further correspondence between Grindr and the Data Protection Authority until the Data Protection Authority made the following decision on December 13, 2021.
Pursuant to Article 58(2)(i) of the General Data Protection Regulation, Grindr is fined 65,000,000 – sixty-five million kroner – for:
- disclosing personal data to advertising partners without a valid legal basis, in violation of Article 6(1) of the General Data Protection Regulation, and
- disclosing special categories of personal data to advertising partners without meeting any of the exceptions to the prohibition in Article 9(1) of the General Data Protection Regulation.
Grindr appealed the decision to the Data Protection Authority on February 14, 2022. The Data Protection Authority upheld the Data Protection Authority's decision on September 27, 2023.
Grindr disagrees with the Data Protection Authority's decision and filed a lawsuit against the State represented by the Data Protection Authority in the Oslo District Court on October 27, 2023, claiming that the Data Protection Authority's decision must be declared invalid, alternatively that the violation fee must be reduced. The State represented by the Data Protection Authority submitted a timely response, claiming dismissal.
The main hearing was conducted from March 12 to 14, 2024. The evidence presented is recorded in the court record.
The Plaintiff – Grindr LLC – has primarily asserted:
Grindr's consent solution met the requirements of GDPR
Grindr's consent solution was unambiguous, voluntary, informed, and specific.
Grindr's consent solution facilitated voluntary user consent in accordance with GDPR Article 4(11). Grindr has never forced users to consent to the disclosure of information to advertising partners. Users chose to download the app after being informed that Grindr disclosed personal data for behavior-based marketing to its advertising partners based on consent. Users were also informed about this during registration, when they were presented with the privacy policy and consented in full, accepting this through active actions by downloading the application and clicking "Proceed" and "Accept".
Users could also choose to use other apps instead of Grindr. Users could also withdraw consent by making choices in the operating system or by purchasing the paid version.
Grindr's consent solution facilitated specific user consent in accordance with GDPR Article 4. The requirement for consent to be specific means that the data controller must ensure that the consent appears concrete and tangible to the data subject. The specification requirement must also be seen in conjunction with the purpose limitation principle in GDPR Article 5(1)(b), which states that personal data should only be collected for specific, explicit, and legitimate purposes. Grindr clearly specified that it would disclose information to Grindr's advertising partners under the headings "Where We Share" and "Third Party Advertising Companies" in the privacy policy. The description clearly indicated what information Grindr disclosed to its advertising partners for behavior-based marketing and how consent could be withdrawn. These indications were also in line with current industry practice.
Grindr's consent solution facilitated informed user consent in accordance with GDPR Article 4(11). Grindr provided users with information about the purposes for which it processed personal data, that Grindr would disclose personal data to advertising partners, and that the disclosure was based on consent. Grindr also indicated how consent could be withdrawn. Grindr's privacy policy was structured in a way that made it easy for the user to navigate the information using titles and subtitles. The language was clear, comprehensive, and precise, with the heading "Your Choices" clarifying and informing the user about the choices they had, while the user could find information about data processing by clicking on the link "Where we share," which linked further to "Third Party Advertisement Companies." The information was available on multiple platforms, both before downloading the application and during registration.
Grindr cannot be blamed if users deliberately chose not to read the consent text and then deliberately consented to the content of the text.
Grindr did not disclose special categories of personal data
Grindr did not disclose special categories of personal data to its advertising partners in violation of GDPR Article 9. The Data Protection Authority's decision is based on a misapplication of the law, and the Authority's interpretation of GDPR Article 9 is discriminatory and contrary to Norway's EEA legal obligations. According to the wording of GDPR Article 9, it is information about a person's sexual orientation that falls under this provision. The Data Protection Authority itself assumed that the information that a person has a Grindr profile does not reveal anything about the person's specific orientation. There is also no basis for the Authority's interpretation in the preamble to the GDPR or other legal sources. Grindr has not shared information that indicates a user's specific sexual orientation or sexual relationships.
The Authority's interpretation of GDPR Article 9 is discriminatory and entails a differential treatment of sexual orientation under the EU Charter and TFEU, which constitute fundamental EEA legal principles with effect in Norway. The Authority's interpretation is contrary to Norway's EEA obligations.
The state's alternative interpretation constitutes a restriction on Grindr's right to offer services in violation of Article 36 of the EEA Agreement and is therefore not a correct interpretation of GDPR Article 9. The decision implies that GDPR Article 9 only applies to service providers that are claimed to be associated with or preferred by sexual minorities. This creates a significant competitive disadvantage compared to providers of the same services that are associated with or preferred by heterosexuals, who, due to Norway's demographics, do not need to market to these groups.
It imposes a limitation on the right to offer services associated with the LGBTQ+ community compared to actors who are not associated with it. This would constitute an unlawful restriction under Article 36 of the EEA Agreement and therefore represents an unlawful interpretative alternative under GDPR Article 9.
The fine is disproportionate
Grindr has not demonstrated subjective fault in the form of intent or negligence to warrant the imposition of a penalty or fine for violations of the GDPR. Grindr designed the consent solution in accordance with the letter of the law and prevailing industry practices, and therefore, it should be considered to have acted with due diligence.
The fine should be reduced regardless. According to GDPR Article 83(1), the supervisory authority must ensure that the fine in each case is effective, proportionate to the violation, and dissuasive. When deciding whether to impose a fine and its amount, several factors listed in GDPR Article 83(2)(a) to (k) must be considered. Grindr believes the fine is disproportionate and therefore in violation of GDPR Article 83.
The Data Protection Authority upheld Grindr on several points and expressed "strong doubt" about whether Grindr's consent solution was sufficiently specific. This was not taken into account when determining the amount of the fine. Furthermore, the technical capabilities at the time were limited, and it would have been complicated to re-identify users based on the information Grindr disclosed to advertising partners for behavior-based marketing. The Authority also did not consider that Grindr had initiated the work to implement a new consent solution several months before the Data Protection Authority's notice of the fine and that the new consent solution was already implemented when the Authority made its decision.
Moreover, it has not been proven that the alleged infringement actually resulted in any proven harm in Norway, and the Authority also did not consider the lengthy case processing time.
The Plaintiff has submitted the following claims:
1. Principal: The Data Protection Authority's decision of September 27, 2023, is invalid.
2. Alternative: The fine should be reduced.
3. In both cases: Grindr LLC should be awarded the costs of the case.
The Defendant – The State represented by the Data Protection Authority – has primarily asserted:
Grindr's consent solution did not meet the requirements of GDPR
Grindr has claimed consent as the basis for sharing users' personal data with advertising partners for targeted marketing, cf. GDPR Article 44(11). This provision implies that consent requires an active action. The only active action from Grindr's users related to the sharing of personal data was the acceptance of the entire privacy policy during registration. This action did not meet the requirements for consent under the GDPR. Users did not have a real choice. They had to accept the privacy policy, and thereby the sharing of personal data, to register on Grindr. Users were not given an alternative option to not share personal data with Grindr's advertising partners. Additionally, the information provided was insufficient and not easily accessible.
Grindr has argued that users could make changes in the device's operating system or upgrade to a premium version to opt out of sharing. Users' personal data was shared immediately after registration, so users had no real opportunity to opt out of sharing. A subsequent failure to opt out of sharing personal data cannot be considered a "declaration" or "clear affirmation" of consent, cf. GDPR Article 4(11). There were also several weaknesses in the stated opt-out solutions.
The ability to make changes in the operating system was a general feature on the device, not a solution from Grindr to ensure users a real choice regarding the sharing of personal data. The change affected all apps on the mobile phone. Furthermore, some personal data was still shared even if the user made the mentioned change in the operating system. Regarding the premium version, it was marketed as a service where users paid for additional features, not just to opt out of sharing personal data. It was only stated that the paid solution was ad-free, not that users could upgrade to the premium version to avoid sharing personal data with advertising partners.
Grindr disclosed special categories of personal data
Information indicating that someone is part of the LGBTQ+ community is considered information about someone's "sexual relationships or sexual orientation," cf. GDPR Article 9(1). Even if the information does not reveal the user's specific orientation, it indicates something about the user's sexual preferences and that they have a different sexual orientation than heterosexual. This classification as information covered by GDPR Article 9(1) is supported by the wording, purpose, and practice from the EU Court of Justice.
The state alternatively argues that information suggesting someone is a Grindr user implies, with a high degree of probability, that the person has a sexual orientation consistent with Grindr's marketing and design—namely, men seeking men.
For the same reasons as mentioned regarding consent, it is clear that users did not give explicit consent to share such special categories of personal data, cf. GDPR Article 9(2).
Grindr is not being discriminated against. Grindr is a company that does not have a sexual orientation and therefore cannot claim protection against discrimination on this basis, cf. ECHR Article 8 in conjunction with ECHR Article 14. Grindr also cannot claim to represent the interests of its users.
The primary purpose of the GDPR is to protect users and safeguard their fundamental rights.
The Data Protection Authority's decision does not constitute an unlawful restriction under EEA Agreement Article 36. GDPR is fully harmonized, and therefore, there is no room for a separate assessment of whether the decision constitutes a restriction under primary law. Nonetheless, primary law influences the interpretation of secondary law. The state cannot see how EEA Agreement Article 36 would lead to the conclusion that the data controller's freedom to provide services outweighs the importance of individuals' rights to special protection of sensitive personal data.
The fine is in accordance with GDPR Article 83
The fine must, according to GDPR Article 83, be effective, proportionate to the violation, and dissuasive. Grindr has intentionally violated fundamental principles for the processing of personal data. The number of individuals affected by the violation, the category of personal data, and the duration of the violation, which lasted nearly two years, indicate that the assessment is correct, cf. points (a) to (k). The fine represents only about 30 percent of the amount permitted by the regulation in a case like this, cf. GDPR Article 85(5).
The Defendant has submitted the following claims:
1. The State represented by the Data Protection Authority is acquitted.
2. The State represented by the Data Protection Authority is awarded legal costs.
Court's Assessment
Introduction
Judicial Review of the Data Protection Authority's Decision
The court can review all aspects of the case, cf. the Personal Data Act § 27 second paragraph and the Public Administration Act § 50. This means the court can review both the facts, procedural issues, application of law, and the administrative discretion upon which the Data Protection Authority's decision is based.
The competence to review all aspects of the case includes both the conditions for imposing a fine, the calculation of the fine, and the discretionary assessment of whether a fine should be imposed if the conditions are met ("may" discretion). The court has the same competence as the appellate body in administrative cases and has the competence, but not the obligation, to issue a judgment on the underlying substantive claim (judgment on the merits). The court can also uphold the decision with a different legal reasoning, cf. Rt-2010-999 paragraph 46.
What the Case Concerns and Legal Starting Points
The court will assess whether Grindr's processing of personal data was lawful. The legal starting point is that all processing of personal data must have a legal basis for processing to be lawful, cf. GDPR Article 5(1) cf. Article 6(1). In this case, letter a on consent is claimed as the basis for processing.
The case raises three main issues. The first issue is whether Grindr disclosed personal data of special categories, cf. GDPR Article 9(1). The second issue is whether Grindr obtained valid consent for the disclosure of personal data, cf. GDPR Article 6(1)(a) cf. Article 4(11), and whether the consent included the disclosure of special categories of personal data, cf. GDPR Article 9(2)(a). The third issue is whether the calculation of the fine is correct, should the court find in favor of the State represented by the Data Protection Authority on the first and second main issues, or just the second main issue.
Interpretation of the GDPR
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council, concerning the protection of natural persons with regard to the processing of personal data and on the free movement of such data, was adopted in the EU on April 27, 2016. The GDPR became applicable in EU member states from May 2018 and came into force in Norway on July 20, 2018.
The GDPR has been translated into Norwegian, but since all language versions are equally authoritative, the court may also refer to other language versions in interpreting the regulation.
The GDPR consists of a preamble and articles. The preamble is intended as an interpretive aid to complement the articles. Through the preamble, the EU institutions fulfill the requirement in Article 296(2) of the Treaty on the Functioning of the European Union that all legislative acts must be justified.
The purposes of the GDPR are also central interpretive factors in interpreting the regulation's other provisions. The other provisions must be interpreted to achieve the purposes as fully as possible. The purposes of the GDPR are stated in Article 1(2) and (3) as follows:
(2) This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
(3) The free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
The purposes of the GDPR are further elaborated in the preamble, and the court particularly refers to recitals 6 and 7:
The rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data to an unprecedented extent. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organizations, while ensuring a high level of protection of personal data.
These developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement of the rules, as it is crucial to build the trust necessary for the digital economy to develop across the internal market. Natural persons should have control over their own personal data. Legal and practical certainty for natural persons, economic operators, and public authorities should be enhanced.
The GDPR in relation to the EEA Agreement
The GDPR is a fully harmonized directive, which implies the total harmonization of the legal situation in the field of data protection. This means that the GDPR is in line with the EEA Agreement and that EEA states cannot introduce or maintain regulations that deviate from the GDPR unless the regulation itself provides for it. When adopting the GDPR, the legislator has precisely considered the right to privacy against the four freedoms in the EU and EU law in general. Here, the court refers to recital 4, fourth line.
Since the GDPR is fully harmonized, there is neither a need nor an opportunity for direct review of the GDPR against EEA Agreement Article 36 regarding unlawful restrictions, as the legislator has already made this assessment, cf. recital 4. The court also refers to Haukeland, Fredriksen, and Mathisen, EEA Law, 4th edition 2022, page 161. The Supreme Court endorsed the authors' approach in HR-2023-301-A, paragraph 68. Similarly, this has also been stated in several cases before the EU Court of Justice and the EFTA Court. The court refers here to Case E-9/11 ESA v. Norway from 2012, paragraph 72.
If the GDPR were not fully harmonized, the issue of restriction might have been different, as was the case in E-8/20 where the Supreme Court requested an interpretative statement from the EFTA Court. The Supreme Court's request concerned the Social Security Regulation (Regulation EC No 883/2004).
The Social Security Regulation sets certain requirements for the design of national social security schemes, but the national social security schemes in the EEA states are not harmonized in a common framework as the GDPR is. Therefore, there is no basis for a separate review of an interpretation of the GDPR against EEA Agreement Article 36, as Grindr has argued.
Summary of the Court's Assessment
The court, like the Data Protection Authority and the Data Protection Board, has concluded that Grindr has not met the requirements of GDPR Articles 6 and 9. The court does not see that Grindr is discriminated against as a result of this, nor that there is an unlawful restriction in the assessment of Articles 6 and 9. There is no basis for reducing the fine. The Data Protection Board's decision is valid and the State represented by the Data Protection Board is acquitted.
Question of Whether Grindr Disclosed Information About Special Categories of Personal Data
It is clear that Grindr disclosed personal data to advertising partners, as defined in GDPR Article 4(1). The data shared included:
- Advertising Identifier (Ad-ID): A unique identifier used by advertising platforms to track user interactions with ads
- IP Address
- Technical information about the user's device and operating system, such as the version of the operating system, device model, and screen resolution
- Self-reported age
- Self-reported gender, provided the user had reported either male or female
- Geographical location based on GPS coordinates
- App-ID identifying the origin of this data from Grindr
If the advertising companies combined the above information, they could track individual users' interactions with ads, determine which ads a user had clicked on, whether the user had visited other websites or ads with the same advertising company, and know that the user was a registered Grindr user.
The court must determine whether the personal data disclosed by Grindr falls under the processing of special categories of personal data as stated in GDPR Article 9(1), which reads as follows: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or **data concerning a natural person’s sex life or sexual orientation** shall be prohibited. [Emphasis by the court] The court also refers to the English version of the GDPR where the last part of the provision reads as follows: … data concerning health or data concerning a natural person’s **sex life or sexual orientation** shall be prohibited. [Emphasis by the court] There is a difference in nuance between the Norwegian and English versions, as the Norwegian version states "en fysisk persons seksuelle forhold" (a natural person’s sexual relationships), while the English version states "a natural person’s sex life." The term "sex life" indicates something more than just sexual relationships in the sense of sexual relations. The court will return to this point. There is no doubt that information about a person's sexual relationships or sexual orientation is personal data that is inherently particularly sensitive regarding fundamental rights and freedoms. Individuals have a particular need for control over such sensitive information. What is covered by the definition of "a natural person’s sexual relationships or sexual orientation" depends on an interpretation of the provision. The wording suggests a fairly broad scope of the definition, so any information that says something about a person's sexual preferences, sex life, feelings, behavior, orientation, or similar is covered.
It is particularly the term "sexual relationships/sex life" that has a wide scope and encompasses more than a person's specific sexual orientation. The term "sexual relationships" means that the article does not require the disclosure of information about the user's specific sexual orientation or reveal the user's specific orientation (who they are attracted to), or that this alone is decisive. There must be a broader understanding; otherwise, it would have been sufficient to use only "sexual orientation" in the provision. "Sexual relationships" here could mean sexual activities, beyond just sex life – for example, watching pornography, as well as sexual activities that deviate from one's sexual orientation. For example, a heterosexual man wanting to experiment with sexual activity with a homosexual man. This understanding of the wording is also supported by how "sex life" is defined in the Cambridge Dictionary: Meaning of sex life in English: a person’s sexual activities and relationships.
A Broad Interpretation Supported by the Purpose of the Provision
The purpose of the provision, as stated in GDPR recital 51, supports a broad interpretation: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. The court also refers to Kuner et al. (2020) "The EU General Data Protection Regulation (GDPR)" page 375: The two categories 'data concerning a natural person's sex life' and 'sexual orientation' are closely connected but not identical. Sexual orientation refers to information concerning whether, for example, an individual is heterosexual, homosexual, bisexual, or of some other orientation.
Data concerning a natural person's sex life is to be broadly construed to include not only this, but also information about sexual practices (for example, the consumption of pornography) as well as details on marital status and intimate personal details (for example, concerning change of gender or the use of contraception). The European Court of Justice has addressed certain cases regarding the understanding of GDPR Article 9. The court first refers to the European Court of Justice's statements in judgment C-252/21 (the Meta case) of July 4, 2023. The case concerned Meta Platforms Ireland's collection and compilation of information about users' visits to other websites and apps, such as gay dating sites, as well as information users themselves had entered on those types of websites and apps. The court considered whether such collection and further compilation constitute special categories of data because the apps process data covered by Article 9(1). The court refers to the European Court of Justice's conclusion in paragraphs 69 and 73, where the following is stated: … that fundamental prohibition, laid down in Article 9(1) of the GDPR, is independent of whether or not the information revealed by the processing operation in question is correct and of whether the controller is acting with that aim of obtaining information that falls within one of the categories referred to in that provision. 
… In the light of the foregoing, the answer to Question 2(a) is that Article 9(1) of the GDPR must be interpreted as meaning that, where the user of an online social network visits websites or apps to which one or more of the categories referred to in that provision relate and, as the case may be, enters information into them when registering or when placing online orders, the processing of personal data by the operator of that online social network, which entails the collection – by means of integrated interfaces, cookies or similar storage technologies – of data from visits to those sites and apps and of the information entered by the user, the linking of all those data with the user’s social network account and the use of those data by that operator, must be regarded as ‘processing of special categories of personal data’ within the meaning of that provision, which is in principle prohibited, subject to the derogations provided for in Article 9(2), where that data processing allows information falling within one of those categories to be revealed, irrespective of whether that information concerns a user of that network or any other natural person. These statements show that association with an app can be enough to fall under the processing of special categories of personal data if the app handles special categories of personal data. Further, this applies regardless of whether the information revealed is correct and regardless of the purpose of the processing. In Case C-184/20 OT, the European Court of Justice was asked for an interpretative statement by Lithuanian authorities. The question addressed was whether GDPR Article 9 covers information that is capable of indirectly revealing special categories of personal data. The court stated that GDPR Article 9 should be interpreted broadly and that information that can indirectly reveal a person's sexual orientation is covered. 
The court refers to paragraphs 125 and 128, where the following is stated: Furthermore, a wide interpretation of the terms “special categories of personal data” and “sensitive data” is confirmed by the objective of Directive 95/46 and the GDPR, noted in paragraph 61 of the present judgement, which is to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular of their private life with respect to the processing of personal data concerning them. … In the light of all the foregoing considerations, the answer to the second question is that Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR must be interpreted as meaning that the publication, on the website of the public authority responsible for collecting and checking the content of declarations of private interests, of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions. In the Advocate General's opinion of September 14, 2023, in the EU Court of Justice's Case C-115/22 NADA and Others, the Advocate General stated that the fact that a person is caught for violating doping regulations does not say anything about the person's health. There was no link between the information. Thus, information about doping violations is not a special category of personal data, cf. Article 9. The court refers to the Advocate General's statement in paragraph 97, where the following is stated: All the parties, with the exception of the applicant, rightly note that that definition is composed of two elements. The first is the requirement that the personal data at issue be related to the physical or mental health of a natural person. The second is that those data reveal information about the natural person’s health status. 
In other words, the personal data at issue must not only be somehow linked to the data subject’s health (thus implying a loose connection), but must also allow inferences to be drawn from that information as to the data subject’s health status (thus implying a personalized aspect of the information concerned). The court must then determine whether Grindr disclosed information about "a natural person’s sexual relationships or sexual orientation" when Grindr disclosed the App-ID to advertisers. By disclosing the App-ID, Grindr informed advertisers that the origin of the data came from Grindr – i.e., that the data came from a registered user of Grindr. The question is whether sharing information that a person is a Grindr user means that Grindr simultaneously shares information about "a natural person’s sexual relationships or sexual orientation." It is clear that the App-ID shared by Grindr, in and of itself, does not reveal any information about a person's sexual relationships or sexual orientation, as the App-ID consists of a sequence of numbers. The key point is that an App-ID can be traced back to a specific user. By sharing the App-ID, Grindr effectively discloses that a particular user is a Grindr user. To determine whether sharing information that a person is a Grindr user constitutes disclosing information about a person's sexual relationships or sexual orientation, the court must first assess what kind of app Grindr is. Grindr operates a location-based social network and a mobile application for online dating. Grindr markets itself to the LGBTQ+ community. In the App Store, the app is named: Grindr – Gay Dating & Chat Meet & Date Local LGBTQ People Further down the page in the App Store, the app is described as follows: Grindr is the world’s #1 free dating app serving the LGBTQ community. 
If you’re gay, bi, trans, queer, or even just curious, Grindr is the best and easiest way to meet new people for friendships, hookups, dates, and whatever else you’re looking for. In Google Play, Grindr was described as follows in January 2020: Grindr – Gay Chat Grindr – exclusively for gay, bi and curious men. The above shows that Grindr markets itself directly to individuals based on their sexual preferences and orientation. Grindr's marketing targets the LGBTQ+ community, but the app is designed particularly for men seeking men. Initially, the court refers to an article on Grindr's website discussing how the name Grindr originated. In the article from November 2010, it is stated that the name comes from a combination of the words "Guy" and "Finder": Since we launched nearly two years ago, over a million of you have downloaded Grindr and in the process helped us become the world’s largest, all-male, mobile, social networking utility. … The name 'Grindr' was chosen because it embodies the idea of “grinding” people together in the same way that a coffee grinder grinds coffee beans. Our app helps introduce like-minded users to each other in 180 countries around the world and helps them form new relationships of all kinds. The name is also partly a combination of the words “Guy” and “Finder”. Put the two explanations together and you’ve got the history behind the name Grindr and the social networking revolution you’ve helped make happen. It is undisputed between the parties that Grindr was originally an app aimed at men seeking men. This was confirmed by Grindr's representative, Chief Privacy Officer Kelly Miranda, in court. Miranda further explained that the app has since evolved to include a broader user group – the LGBTQ+ community – so that today (and during the period covered by the decision), Grindr is not solely aimed at gay men. 
The court understands that Grindr has developed its business concept since its inception, but even if this was and is Grindr's intention, the app remains a dating app primarily associated with gay men and trans women. The reason for this, in the court's view, is how the app is marketed and designed. It is not decisive whether the app targets men seeking men or the LGBTQ+ community. In the court's view, the crucial point is that Grindr is an app marketed as a social network specifically targeting sexual orientation and relationships. Moreover, the court finds it most appropriate to describe Grindr as a "dating/hookup app" rather than an app that also targets users looking for "new friendships" or "maintaining old friendships." This conclusion is based on how the app is designed for users. During profile registration, users are presented with several choices before entering the so-called "cascade." The cascade is the part of the app where users see and can contact other users after registration. The various choices during registration help sort users based on preferences before they enter the cascade. Given the above context, sharing an App-ID that can be traced back to a Grindr user effectively discloses that the individual is using an app primarily associated with the LGBTQ+ community and specifically designed for dating purposes, thus implying information about their sexual orientation or relationships.
User Options and App Targeting
Users can select various options, including their physical appearance, sexual preferences, and desires for a potential partner. For example, users can choose preferred sexual positions: "Top," "Vers Top," "Versatile," "Vers Bottom," "Bottom," "Side," or "Not Specified." Users can also select their body type: "Toned," "Large," "Slim," "Average," "Muscular," "Stocky," and "Not Specified."
Additionally, users can choose preferred types of people, known as "Tribes," and describe their type: "Bear," "Daddy," "Geek," "Leather," "Poz," "Trans," "Sober," "Clean-Cut," "Discreet," "Jack," "Otter," "Rugged," "Twink," or "Not specified." While some options might be gender-neutral in isolation, the combined information clearly indicates that these descriptions are geared towards men seeking men. This does not exclude female users but shows that the app does not primarily target them. If the app were truly gender-neutral, the options would need to include more choices tailored to female body or personality types, even though the options mentioned above are gender-neutral in isolation. Users can also input HIV status and the date of their last check-up. The court also notes that Grindr's marketing images in the App Store exclusively feature men and trans women. The court clarifies that Grindr has not shared the above user choices about body types and sexual preferences. The court focuses on this to show the app's target demographic and its intended use. The app is primarily a "dating/hookup app," with the associated contexts and activities. More precisely, it targets people seeking sexual contact based on sexual orientation and preferences. The court views this as information about a person's sexual relationships.
Disclosure of Grindr Usage as Disclosure of Sexual Relationships or Orientation
The court concludes that information indicating a person is a Grindr user is information about their sexual relationships or orientation. This interpretation is supported by the Meta judgment referenced above. Although the European Court of Justice's statements in the Meta case were related to the collection and compilation of information – not disclosure – they are still relevant. The underlying concern of protecting sensitive information remains the same regardless of the direction in which the information flows.
When the European Court of Justice in the Meta case concluded that the collection and compilation of information about visitors to, for example, gay dating sites constitutes the processing of special categories of personal data, the same applies to the disclosure of such information for similar purposes. The crucial factor is whether the app handles special categories of personal data. Grindr undoubtedly processes special categories of personal data. Information that a person is a Grindr user is capable of revealing something about the user's sexual relationships or orientation. The conclusion drawn about the user's sexual relationships or orientation does not need to be correct for it to be covered. There is also a clear link between being a Grindr user and the user's sexual relationships or orientation. Just being a Grindr user leads to the conclusion that the user is not heterosexual, which falls under sexual relationships. The court, like the Data Protection Authority, has concluded that Grindr disclosed personal data about people's sexual relationships or orientation, cf. GDPR Article 9(1). Grindr has argued that the Data Protection Authority's interpretation of GDPR Article 9 is contrary to ECHR Article 14 and that Grindr is discriminated against by such an interpretation. ECHR Article 14 prohibits discrimination, and it follows from the European Court of Human Rights' judgment in the case of Fretté v. France from 2002, paragraph 32, that Article 14 also applies to discrimination based on sexual orientation. GDPR Article 1(2) states that the regulation aims to protect the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data. Personal data that is particularly sensitive requires special protection, cf. recital 51. Article 9 is intended to prevent discrimination by ensuring that sensitive personal data is not shared outside the individual's control. 
Therefore, there is no conflict between GDPR Article 9 and ECHR Articles 8 and 14. For discrimination to fall under ECHR Article 14, it must involve one of the specified grounds. In this case, the relevant ground is differential treatment based on sexual orientation. Both physical and legal persons can, in principle, claim protection under ECHR Articles 8 and 14, as indicated by the term "everyone." However, only those who have "family life" or "home" are protected under Article 8, and only those with a sexual orientation are protected under Article 14. Grindr does not have a sexual orientation and therefore cannot claim protection against discrimination under ECHR Article 8 in conjunction with Article 14. Grindr has further referred to the general prohibition of discrimination based on sexual orientation enshrined in TEU Article 10 and Article 21 of the Charter. Grindr has argued that it would be against the Charter if an actor is treated less favorably than another. In the court's view, there is no discrimination in this case based on sexual orientation. All individuals have the right to privacy and specific control over information about their sexual relationships or sexual orientation under Article 9. This applies regardless of whether one belongs to a sexual minority or majority. The prohibition against sharing information under Article 9 without consent also applies if a dating app specifically targets individuals with a heterosexual orientation. The same applies to dating apps targeting sexual preferences. The court has determined that Grindr disclosed personal data about individuals' sexual relationships or orientation in violation of GDPR Article 9(1). Grindr's argument that the Data Protection Authority's interpretation of GDPR Article 9 is contrary to ECHR Article 14, and that Grindr is discriminated against by such an interpretation, is not upheld. 
GDPR aims to protect fundamental rights and freedoms, particularly the right to protection of personal data. Article 9 is intended to prevent discrimination by ensuring that sensitive personal data is not shared outside the individual's control. Therefore, there is no conflict between GDPR Article 9 and ECHR Articles 8 and 14.
Question of Whether Grindr Obtained Valid Consent for the Disclosure of Personal Data, Including Special Categories of Personal Data
Legal Basis
The next question is whether Grindr obtained valid consent from users for the processing of personal data in accordance with GDPR Articles 6 and 9. The definition of consent is provided in GDPR Article 4(11): “‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” The above definition shows that strict requirements are set for consent, as it lists four cumulative conditions for consent to be considered given. The consent requirements under the GDPR are therefore stricter than general consent requirements under Norwegian law in other areas. It is a fundamental requirement that EEA legal rules must be interpreted uniformly across the EEA area. Therefore, it is not relevant for the court to refer to the consent requirements previously established by the Supreme Court for, for example, consent to the use of narcotics, as cited by Grindr, when interpreting the consent requirements in the GDPR. In light of the strict requirements for valid consent under the GDPR, the court must evaluate whether Grindr’s consent mechanism met the criteria of being freely given, specific, informed, and unambiguous. The parties agree on the facts as described by the Data Protection Authority regarding the consent solution.
The court refers to the Data Protection Authority's description on page four of the decision and bases the following on this description in its further assessment: In the consent mechanism applicable during the relevant period, the terms of service ("GRINDR TERMS AND CONDITIONS OF SERVICE") were first displayed in their entirety. When the user clicked on "Proceed," a window appeared with the text "I accept the Terms of Service," and with clickable response options "Cancel" and "Accept." The user was then presented with the privacy policy ("GRINDR PRIVACY AND COOKIE POLICY"). It is in this policy that the relevant formulations about the disclosure of personal data to advertising partners for the purpose of exposing users to behavior-based marketing are found. When the user clicked "Proceed" here, a new window appeared with the text "I accept the Privacy Policy," and with the clickable response options "Cancel" and "Accept." ... If the user did not accept the terms of service and the privacy policy, further registration was not possible, and the user would not be able to use the app. The first question is whether the consent was given voluntarily, cf. Article 4(11). In assessing whether consent is given voluntarily, the greatest possible consideration must be given to whether the provision of the service is made conditional on consent to the processing of personal data that is not necessary for the provision of the service, cf. Article 7(4) and recital 43. Voluntariness also means that the user must have a real choice in how their personal data is processed. Here, the court refers to the final sentence of recital 42 of the GDPR, which states: "Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." The user had two options after the privacy policy was presented in Grindr: "Cancel" or "Accept."
If the user clicked "Cancel," they could not create a profile in the Grindr app, even if they had accepted Grindr's general terms of service. There was no simultaneous option not to disclose personal data to advertising partners. Since the user had the option to click "Cancel," it can be argued that the user had a choice – the user could choose not to create a user in the Grindr app. The user could instead go to a competitor. The court is of the opinion that this is not the type of choice the GDPR had in mind when the term "genuine choice" was written. The user did not have a choice regarding whether they wanted Grindr to disclose their personal data to advertising partners while using the Grindr app. The user should be able to choose whether personal data is disclosed, cf. the purpose of the GDPR. The choice does not relate to whether to use the service or not. Such an interpretation is also supported by Guidelines 05/2020 on Consent under Regulation 2016/678 version 1.1 page 7 point 3.1 number 13: "If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment." The court also refers to Jarbekk et al., "The Personal Data Act and the GDPR with comments" (2019) page 174: "WP29 writes in the same guide on page 9 that a data controller cannot argue that the data subject has a choice by pointing out that another data controller offers an alternative. Freedom is then dependent on a market situation and whether the data subject finds that the other data controller's offer is actually equivalent. Besides, it would entail an obligation for the data controller to monitor the market to see that the alternative still exists." Nor was it necessary, for Grindr to be able to offer the service, that users consented to the sharing of personal data with advertising partners.
The court refers here to Article 7(4) and recital 43, as well as Guidelines 05/2020 on Consent under Regulation 2016/678 version 1.1 page 7 point 3.1 numbers 14 and 15: "When assessing whether consent is freely given, one should also take into account the specific situation of tying consent contracts or the provision of a service as described in Article 7(4). Article 7(4) has been drafted in a non-exhaustive fashion by the words “inter alia”, meaning that there may be a range of other situations, which are caught by this provision. In general terms, any elements of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents the data subject from exercising their free will, shall render the consent invalid." Example 1: A mobile app for photo editing asks its users to have their GPS location activated for the use of its services. The app also tells its users it will use the collected data for behavioral advertising purposes. Neither geolocation nor online behavioral advertising are necessary for the provision of the photo editing services and go beyond the delivery of the core service provided. Since users cannot use the app without consenting to these purposes, the consent cannot be considered as being freely given. The consent that users gave Grindr cannot be considered voluntary since users could not access Grindr without consenting to the sharing of personal data with advertising partners. There was no option to accept the service without disclosing personal data for advertising purposes. The sharing of personal data with advertising partners was also not necessary for the provision of the service. Not consenting had negative consequences for the user in that the user could not access the service. Such consent as used by Grindr is contrary to the GDPR’s objective of the right to have control over one’s own personal data. The consent was not voluntary. 
The court does not further address the possibility of withdrawing consent since it has already concluded that the consent was not voluntary. Grindr has argued that users had a real choice where they could choose to use the paid version of the app and thereby avoid ads. If users chose the paid version, personal data would not be shared with advertising partners. The court notes that the paid version was only available after the user had registered a profile in the Grindr app and then entered the cascade where the user could see other users. Personal data was shared immediately with advertising partners when the user clicked “Accept” on the privacy policy before the paid version became available. At this point, personal data had already been shared, so this does not constitute an alternative choice and consequently does not make the consent voluntary. There was no simultaneous choice to select the paid version. The court also adds that there was no information about the paid version in the privacy policy. The paid version was not highlighted as an alternative to avoid the sharing of personal data. The paid version was marketed as a service with several additional features, such as “more profiles,” “no more ads,” “advanced filters,” “chat in explore,” and “viewed me.” The fact that it stated “no more ads” does not necessarily mean to a user that Grindr would stop sharing personal data with advertising partners. Further, Grindr has argued that the privacy policy provided information on how users could opt out of behavior-based marketing by changing their phone settings, and that if the user did not do this, it should be considered as consent to the sharing of personal data. The court first refers to how this option was presented in the privacy policy. Under the heading "How We Use Your Information" in the privacy policy, users are informed in bullet point 12 ("Third Party Advertising Companies") about which personal data is disclosed to advertising partners. 
Regarding users' ability to opt out of behavior-based marketing, it states the following in the same point: "See the YOUR CHOICES section of this policy for information on your ability to opt-out of interest-based advertising." The detailed procedure for how users could opt out of behavior-based marketing was presented in the privacy policy as follows under bullet point three under the heading "Your Choices": "Behavioral Advertising Within The Grindr App. If you are using the Grindr Services on an Apple iOS device, you can opt out of behavioral targeting by going into Settings >Privacy > Advertising on your iOS device, or visiting Apple’s website for more information. To opt out on an Android device, open the “Google Settings,” click on “Ads” and enable “Opt out of interest-based ads.”" Even if the user followed this procedure, they could avoid the sharing of personal data. However, this option also does not meet the requirement of voluntariness. If the user failed to take this action, it cannot be considered as voluntary consent. Consent requires an active action. Secondly, such a setting change in the phone's settings would apply to all apps on the user's phone. Grindr cannot rely on a solution that extends beyond all other apps. It is possible that users wanted to share personal data for behavior-based marketing in other apps but not in the Grindr app. Moreover, even if the user actually chose this option, Grindr still shared certain personal data with advertisers, as indicated in Mnemonics Technical Report dated January 14, 2021, page 67. This means that this option was not a fully adequate alternative for users to prevent the sharing of personal data even if they changed the settings on their phone. Failure to make changes in the phone's settings is not voluntary consent to the sharing of personal data according to GDPR Article 4. 
Consent requires an active action, as stated in "active behavior" in the European Court of Justice's Case C-61/19 Orange Romania (2020) paragraph 52. Grindr has further argued that the user could first go into the phone's settings, opt-out of behavior-based marketing, then create a profile on Grindr, then purchase the paid version, and then go back into the settings and check the box for accepting behavior-based marketing again. Such a solution is too theoretical and not a realistic approach—especially without a clear explanation that the user could understand. Grindr has also argued that users are responsible for reading the terms in the privacy policy, so Grindr cannot be blamed if the terms were not read, where the option to change phone settings was presented. The court agrees that Grindr is not responsible if users failed to read the terms, but Grindr cannot rely on users' failure to change pre-checked boxes in the phone settings to constitute voluntary consent. Here, the court refers to both recital 32 of the GDPR and Case C-61/19 Orange Romania, paragraph 51, where the following is stated: "In any event, as is apparent from the considerations set out in paragraphs 35, 36 and 42 above, it is for Orange România, as the data controller, to establish that its customers have, by active behavior, given their consent to the processing of their personal data, with the result that that company cannot require them actively to express their refusal." Grindr's consent solution did not meet the requirement of voluntariness under GDPR Article 6. It is not initially necessary for the court to assess whether the consent solution was also sufficiently specific and informed, cf. GDPR Article 4(11), but since the conditions are somewhat overlapping, the court also includes a brief assessment of these conditions for completeness. 
Requirements for Consent to be Specific and Informed

A request for consent must be presented in such a way that it can be clearly distinguished from other matters, in an understandable and easily accessible form, and in clear and plain language, cf. GDPR Article 7(2) and recital 42.
In Case C-61/19 Orange Romania (2020), the European Court of Justice stated the following regarding the requirement for specificity in paragraphs 39, 40, and 52: "... such a declaration must be presented in an **intelligible and easily accessible form, using clear and plain language**, in particular where it concerns a declaration of consent which is to be pre-formulated by the controller of personal data. ... that the controller is to provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed." "... that it is for the data controller to demonstrate that the data subject has, by active behaviour, given his or her consent to the processing of his or her personal data and that he or she has obtained, beforehand, information relating to all circumstances surrounding that processing in an intelligible and easily accessible form, using clear and plain language, allowing that person easily to understand the consequences of that consent, so that it is given with full knowledge of the facts." [Emphasis added by the court] The court also refers to Case C-673/17 Planet49 (2019), where the European Court of Justice stated that the user must understand the consequences of consent. The court refers to paragraph 74, where the following is stated: "...clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed.
It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed." Similarly, Guidelines 05/2020 on Consent under Regulation 2016/679 version 1.1, paragraph 67, states: "When seeking consent, controllers should ensure that they use clear and plain language in all cases. This means a message should be easily understandable for the average person and not only for lawyers. Controllers cannot use long privacy policies that are difficult to understand or statements full of legal jargon. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form. This requirement essentially means that information relevant for making informed decisions on whether or not to consent may not be hidden in general terms and conditions." It is also stated in recitals 32 and 43 that consent should cover all processing activities carried out for the same purpose and that consent should be given separately for different purposes. Grindr's consent solution was incorporated into its privacy policies. The privacy policies detailed how Grindr processed personal data and were intended to fulfill Grindr's obligations under GDPR Article 13. A privacy policy is not typically a document to which a user consents. Combining a consent solution as part of a privacy policy requires that it is clear what the data controller is requesting consent for. This was not clear in Grindr's privacy policy. There are several versions of the privacy policy during the period covered by the decision, but the parties agree on the facts as described by the Data Protection Authority regarding the content of the privacy policy.
Therefore, the court refers to the Data Protection Authority's description on page 18 of the decision and bases the following on this description in its further assessment: Under the heading "How We Use Your Information" in the privacy policy, users are informed, among other things, about which personal data is disclosed to advertising partners. Bullet point 12 reads as follows: "Third Party Advertising Companies. We share your hashed Device ID, your device's advertising identifier, a portion of your Profile Information, Distance Information, and some of your demographic information with our partners… Note that we do not sell your personal user information to third parties for advertising purposes. Also note that we do not share information about your Tribe, or about your HIV status, with any advertising companies." The privacy policies included technical terms such as "Hashed device ID" and "your device's advertising identifier." Grindr has acknowledged that the privacy policy used technical terms but argued that these are normal terms in a privacy policy that are easy to find out what they mean if desired. Furthermore, explaining the terms with more words would result in an even longer privacy policy. The court briefly notes that using terms that an ordinary user does not understand without an explanation is not in line with the GDPR's requirement for clear language. It was also not possible for a user to understand what information Grindr was asking for consent to share when the privacy policy stated that Grindr shares "a portion of your personal information." In relation to the disclosure of information, the privacy policy also stated that "we do not sell your personal user information to third parties for advertising purposes." It is difficult for the court to understand why this sentence is in the privacy policy when that is exactly what Grindr actually does. 
Grindr's representative explained in court that Grindr does not sell information but gets paid to display advertisements in exchange for sharing personal data. In the court's view, these are two sides of the same coin. The information was unclear and misleading for a user. Furthermore, users were referred to read the privacy policies of other advertising partners, but Grindr only provided the name of one of its advertising partners. Users therefore did not know which privacy policies they should read. In any case, it is Grindr's responsibility to explain the consequences of consent in an understandable way without requiring a user to read several other privacy policies. The court refers to the Mnemonic report, which shows that Grindr's disclosures resulted in a massive spread of personal data. Grindr was aware of this, but users were not made able to understand the consequences of Grindr's disclosures. Although this case does not concern the advertising partners' handling of personal data, it is still relevant for users to understand the scope in order to comprehend the consequences of their consent. The above review shows that Grindr's request for consent was neither specific nor informed. Clear language was not used, and it was not possible for users to understand what they were consenting to and the consequences of such consent. Regarding the requirement for an unambiguous indication of will, the court notes that the Data Protection Authority interpreted "unambiguous indication of will" narrowly in its decision, concluding that clicking "Accept" in isolation was an unambiguous indication of will. The court agrees that the acceptance itself was an unambiguous indication of will but that the content to which consent was given did not meet the requirements of being unambiguous, specific, or informative. 
Since the court has concluded that Grindr's consent solution did not meet the requirements of GDPR Article 4, it is unnecessary to assess whether the consent requirement in Article 9(2)(a) imposes a stricter requirement than Article 4.

Relevance of Technical Capabilities in Designing a Consent Solution Compliant with GDPR

Grindr argued that the technical capabilities at the time of the decision limited the design of the consent solution. Grindr referred to how a mobile application is built and the differences between web apps (apps for PCs) and native apps (apps for mobile phones). Furthermore, Grindr pointed to the differences between Apple's and Android's operating systems for mobile phones. The court does not need to assess the various technical limitations/opportunities Grindr presented. The crucial point is that Grindr is responsible for ensuring that it meets the legal requirements set by the GDPR. Evidence showed that it was not technically impossible to develop other consent solutions. The court refers to the testimonies of Tor E. Bjørstad from Mnemonic and Stephen Samuel from Grindr. The limitations Grindr referred to mainly concern commercial choices. The fact that other alternatives would be more expensive or complicated to implement does not exempt Grindr from violating the GDPR. In Grindr's paid version, personal data was not shared, indicating that it was possible to create a solution within the app itself, but Grindr would have received lower revenues. Such a solution could have been used during the period when Grindr explained that the existing consent solution was inadequate and that they were working on developing a new one in collaboration with OneTrust.

Assessment of the Administrative Fine

Legal Foundations

The Personal Data Act § 26 stipulates that the Data Protection Authority can impose administrative fines on public authorities and bodies for violations of the GDPR.
Imposing administrative fines is not considered a penalty under the Penal Code or the Code of Criminal Procedure, but rather an administrative sanction. However, administrative fines are a reaction to a violation and have a punitive purpose. They are considered a penalty under the European Convention on Human Rights (ECHR) Articles 6 and 7. This means that the procedural requirements of ECHR Article 6 must be met, and there must be culpability since the fine is considered a penalty under ECHR Article 7. To meet the culpability requirement, ordinary negligence is sufficient, cf. HR-2021-797-A paragraph 24. The provision for administrative fines in the Personal Data Act § 26 is a "may" rule. The decision to impose an administrative fine, and its amount, is discretionary. Article 83 states that the imposition of administrative fines in each case must be effective, proportionate to the violation, and act as a deterrent. In assessing the amount of the fine, various factors listed in Article 83(2)(a) to (k) must be considered. The provision calls for a broad discretionary assessment. The court will return to the specific assessment below. As explained above, the court can review all aspects of the case, including whether an administrative fine should be imposed and the amount. In the preparatory works for the provisions in Chapter IX of the Public Administration Act on administrative sanctions, which supplement the Personal Data Act § 27, it is stated regarding the court's competence to review decisions on administrative sanctions, cf. Prop.62 L(2015-2016) page 204: "However, it may often be appropriate for the courts to show restraint in overturning the administration's decision on whether a sanction should be imposed even if the conditions for imposition are met. For example, the administration may have a better overview of how both individual and general preventive considerations work in the area. 
And especially in the case of minor violations, it may be impractical for the courts to engage in a detailed review of the 'may' discretion. The courts should be able to limit themselves to a more superficial control of the 'may' discretion, where a key question is whether the administration has met certain minimum requirements for equal treatment and proportionality. Also, where there is a system that has the character of being a standardized sanction against certain types of violations, the courts should show restraint in overturning the administration's assessments. This applies especially in areas where the administration makes a large number of decisions to impose sanctions, often of minor scope. In these cases, it should primarily be relevant to review the discretion to avoid clearly unreasonable outcomes in special cases. The ministry therefore assumes that the assessment of whether a sanction should be imposed even if the conditions are met ('may' discretion) in practice will not be significantly different from the principle of abuse of authority. The possibility of full review also at this point provides increased flexibility and thus must still be addressed differently than in traditional validity questions." And from page 154: "Although the courts can review all aspects of the case, they should show restraint in overturning the administration's assessment of whether a sanction should be imposed even if the conditions are met, and the determination of the sanction. The degree of restraint may vary depending on the enabling act and the case." The statements in the preparatory works suggest that the courts should show some restraint in overturning the administration's decision to impose administrative fines and the determination of their amount.

The Question of Culpability

For an administrative fine to be imposed, Grindr or someone acting on its behalf must have acted culpably in violating the GDPR, cf.
Public Administration Act § 46 and GDPR Article 83(2)(b) in conjunction with ECHR Article 7. Ordinary negligence is sufficient, and it is not required that culpability be attributed to individuals, cf. HR-2022-1271-A paragraph 47. The standard of proof is clear preponderance of the evidence. As stated above, the choice of consent solution was a deliberate decision by Grindr. The choice was made based on which consent solution was available "off the shelf." If Grindr had chosen another consent solution, representative Miranda explained that they would have had to develop it themselves or in collaboration with a third party, as they later did in collaboration with OneTrust. Miranda also explained that Grindr attempted to get advertising partners to accept that Grindr could avoid sending Ad-ID for contextual marketing but did not succeed because this would require access to the source code of the advertising partners, which the advertising partners did not want. Grindr was aware that the available off-the-shelf solution was not adequate but chose to use it anyway. Later, Grindr assisted the company OneTrust in developing a new consent solution. This shows that Grindr had knowledge of the actual actions that constitute the GDPR violation, and it was a conscious choice. The fact that other alternatives would be more expensive or complicated does not exempt the company from their GDPR violations. The choice of consent solution was therefore a conscious commercial decision by Grindr. In any case, it is not the choice of technical solutions alone that is decisive for assessing culpability. Even if Grindr – in its own opinion – had no choice but to use the available consent solution, Grindr had control over the information provided to users in connection with the consent solution. Grindr also did not meet the information requirement for valid consent. If Grindr believed that the information requirement was met, this was a legal misunderstanding that was not diligent.
It is expected that Grindr, as a professional actor, thoroughly understands the applicable regulations, cf. GDPR Article 24(1). The court disagrees with Grindr that it met the legal requirements for valid consent and refers to the assessment above. The GDPR was adopted in April 2016 and came into effect in Norway in July 2018. The court understands that there may be a need for some time to understand new regulations when they are implemented, but the GDPR came into effect two years after it was adopted. Additionally, Grindr did not make changes to the consent solution until nearly two years after it came into effect. Grindr's belief that it acted in accordance with "industry standards" does not exempt it from following the regulations. An "industry standard" may only be relevant if it met legal requirements or was used in an unregulated area. Based on this, the court has concluded that Grindr intentionally violated the GDPR.

Determination of the Administrative Fine

Introduction

As mentioned initially, a broad discretionary assessment must be made in determining the size of the administrative fine. In this assessment, various factors listed in GDPR Article 83(2)(a) to (k) must be considered. In its review, the court assumes that the Data Protection Authority and the Privacy Appeals Board have specialized knowledge of the GDPR regulations, which they enforce as supervisory authority and appeal body, respectively. The Data Protection Authority, as the supervisory authority, is familiar with other control cases and is well equipped to assess whether a fine should be imposed and, if so, how large the fine should be. The court also refers to the statements in the preparatory works mentioned above, suggesting that the court should show restraint in overturning the administration's decisions regarding the amount of the fine. The court takes this into account when reviewing the decision.
Character, Severity, and Duration of the Violation

Regarding the character, severity, and duration of the violation, consideration must be given to the nature, scope, or purpose of the processing in question, as well as the number of data subjects affected and the extent of the damage they have suffered, cf. GDPR Article 83(2)(a). Grindr has failed to comply with the GDPR’s consent requirements, which is a fundamental right in privacy legislation. Additionally, Grindr has shared special category personal data, which requires extra protection, thus making the violation more severe. This means that there has been a breach affecting all of Grindr’s Norwegian users during the period from July 2018 to April 2020. Grindr has argued that the differences between Apple’s and Android’s systems for sharing Ad-Ids should affect the severity of the breach. Grindr pointed out that for users with Apple devices, the Ad-Ids required for contextual marketing, frequency measurement, etc., were converted into a series of zeros. Apple and Android had more or less equal market shares in Norway in 2018 and 2019, while Apple had a larger market share than Android in 2020. The court agrees with Grindr that this impacts the severity regarding how many are affected, but it is just one of several factors in the overall assessment. The court adds that, in any case, a large number of users are affected by this nuance. In assessing the character and severity, the court has also considered that Grindr’s sharing of personal data has led to extensive and uncontrolled dissemination of personal data to advertisers for behavior-based marketing. According to Grindr’s representative Miranda, Grindr had seven to ten advertising partners during the period. One of the partners was MoPub, which in turn had 160 partners. One of MoPub’s partners had 4,000 partners. Thus, thousands of companies gained access to the personal data shared by users.
While it is true, as Grindr argues, that this case does not cover how the advertising partners handled the personal data, it is still relevant for the court to consider the consequences for users and how Grindr’s sharing of personal data has affected them—regardless of whether Grindr’s advertising partners are parties to the case. Grindr was aware that their sharing involved further dissemination beyond their control without providing users with sufficient information about this. The harm suffered by Grindr’s users is a violation of privacy for nearly two years, resulting in widespread dissemination of their personal data.

Degree of Culpability

The violations of the GDPR were committed intentionally, as assessed above, cf. GDPR Article 83(2)(b), which suggests a stricter assessment of the administrative fine's size than if the violation were negligent.

The Degree of Cooperation with Supervisory Authorities to Remedy the Violation and Reduce its Possible Negative Effects

According to Article 83(2)(f), the assessment of the administrative fine's size should consider the degree of cooperation with supervisory authorities. Grindr has pointed out that it has cooperated with authorities by responding comprehensively to all inquiries from the supervisory authorities. Additionally, Grindr has cooperated with the Data Protection Appeals Board and responded to all their inquiries. Grindr has argued that these are mitigating circumstances that warrant a reduction in the administrative fine. Primarily, Article 83(2)(f) concerns cooperation to remedy the violation and reduce any negative effects of the violation. For example, such actions could have included Grindr stopping the use of the consent solution until a lawful consent solution was in place. The fact that Grindr cooperates with the Data Protection Authority and submits the information the Authority requests—and which Grindr is legally obliged to provide—is not a mitigating factor, cf.
Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 page 14, which states: "This said, it would not be appropriate to give additional regard to cooperation that is already required by law, for example, the entity is in any case required to allow the supervisory authority access to premises for audits/inspections." Regarding the processing time in this case, the court agrees with Grindr that it has been lengthy. However, the complexity and significance of the case justify the long processing time. The State, represented by the Data Protection Appeals Board, has thoroughly explained the processing time, and the court cannot see any inactivity on the part of either the Data Protection Authority or the Data Protection Appeals Board. The processing time by the Data Protection Authority and the Data Protection Appeals Board is not a mitigating factor in this case.

Economic Advantages Obtained

Grindr has received revenue from its advertising partners through the sharing of personal data for behavior-based marketing, cf. Article 83(2)(k). Grindr has also saved resources by not implementing a consent solution that met the requirements of the GDPR. The economic advantage obtained supports the imposition of an administrative fine, cf. Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 page 16. The court is aware that Grindr implemented a new consent solution in April 2020. The Data Protection Authority considered this a mitigating factor, noting that Grindr was working on implementing a new consent solution when assessing the administrative fine. When the Data Protection Appeals Board made its decision, the new consent solution was already implemented.
The Appeals Board stated in its decision that it did not consider the change in the consent solution when determining the fine since the new technical solution had not been evaluated by the Data Protection Authority or the Appeals Board. The court finds that the fact that Grindr later changed the consent solution should not be considered a mitigating factor. It is not mitigating when a data controller changes an illegal practice to a legal one. Moreover, the new consent solution has not been evaluated by the Data Protection Authority, the Appeals Board, or the court, so it is unknown whether Grindr's current consent solution meets the requirements of the GDPR. An administrative fine should be effective and dissuasive. This applies not only to the entity fined but also to other actors in the same market. Grindr has argued that the Data Protection Authority, in assessing the size of the fine, emphasized that the fine should be dissuasive for both Grindr and other data controllers, but completely overlooked the fact that Grindr had already changed the consent solution when the decision was made. The court believes that there is still an individual preventive consideration in assessing the size of the administrative fine against Grindr. Even though the consent solution was changed, it will still be preventive by ensuring that Grindr complies with the obligations under the GDPR in the future—not just related to consent solutions.

Legal Framework for the Size of the Administrative Fine

According to GDPR Article 83(5), a violation of Articles 5, 6, 7, and 9 can result in an administrative fine of up to 20,000,000 euros or, in the case of an undertaking, up to 4% of its total global annual turnover in the preceding financial year, whichever is higher. In this case, the maximum fine is 20,000,000 euros. The Data Protection Authority initially notified Grindr of an administrative fine of 100,000,000 NOK.
This was later reduced to 65,000,000 NOK in the final decision following a discretionary assessment of the company’s turnover and the changes Grindr was working on regarding the consent solution. The 65,000,000 NOK fine represents slightly under 30% of the maximum fine that can be imposed. An administrative fine should be effective, proportionate to the violation, and dissuasive to both Grindr and other market participants. The court does not find any basis to reduce the administrative fine imposed by the Data Protection Authority, which was later upheld by the Data Protection Appeals Board. The court refers to the factors reviewed above. The court also refers to the specific assessment detailed in the Data Protection Authority's decision section 6.4 and the Data Protection Appeals Board's decision on page 23. The court agrees with the specific assessment, which is based on a correct legal foundation, a factual basis grounded on the severity of the violation, its duration, the number of affected individuals, the category of data involved, culpability, and economic capacity. The assessment also considered comparable supervisory practices from other countries, as referenced during the main hearing. The same factors do not indicate that the administrative fine is disproportionate.

Legal Costs

Given the outcome, the State represented by the Data Protection Appeals Board has won the case and should, as a rule, be awarded legal costs, cf. Dispute Act § 20-2, first paragraph. There is no basis for reducing the liability for legal costs under the third paragraph of the provision. The State represented by the Data Protection Appeals Board claims 524,195 NOK in legal costs, consisting of attorney fees (514,300 NOK) and expenses related to the main hearing (9,895 NOK). The attorney fees are based on an average hourly rate of 1,850 NOK and do not include VAT. Grindr has not raised objections to the amount of the legal costs claim.
The court agrees that the costs appear necessary and reasonable, cf. Dispute Act § 20-5, first paragraph. Based on this, Grindr is ordered to reimburse the State represented by the Data Protection Appeals Board's legal costs in accordance with the cost statement. The judgment has not been delivered within the legal deadline. The reason is the complexity of the case, holiday scheduling, and other work tasks.

JUDGMENT

1. The State represented by the Data Protection Appeals Board is acquitted.
2. Grindr LLC is ordered to pay 524,195 NOK in legal costs to the State represented by the Data Protection Appeals Board within 14 days of the service of this judgment.

The court adjourned.

Anne-Lene Åvangen Hødnebø

Guidance on appeals in civil cases is attached.

Guidance on Appeals in Civil Cases

In civil cases, the rules in Chapters 29 and 30 of the Dispute Act apply to appeals. The rules for appealing judgments, rulings, and decisions are slightly different. Below you will find more information and guidance on the rules.

Appeal Deadline and Fee

The deadline for filing an appeal is one month from the day the decision was made known to you unless the court has set a different deadline. The following periods are excluded when calculating the deadline (judicial holiday):
- From the last Saturday before Palm Sunday to the second Easter day
- From July 1st to August 15th
- From December 24th to January 3rd

Those who appeal must pay a processing fee. You can get more information about the fee from the court that handled the case.

What Must the Notice of Appeal Contain?
The notice of appeal must include:
- Which decision you are appealing
- Which court you are appealing to
- Names and addresses of parties, representatives, and legal counsel
- What you believe is wrong with the decision that was made
- The factual and legal grounds for the alleged error
- Any new facts, evidence, or legal grounds you will present
- Whether the appeal concerns the entire decision or only parts of it
- The claim the appeal case concerns and the result you are seeking
- The basis for the court to handle the appeal if there has been doubt about it
- How you believe the appeal should be processed further

If You Want to Appeal a District Court Judgment to the Court of Appeal

Judgments from the district court can be appealed to the court of appeal. You can appeal a judgment if you believe there is:
- An error in the factual findings described in the judgment
- An error in the application of the law (misinterpretation of the law)
- An error in the procedural process

If you wish to appeal, you must submit a written notice of appeal to the district court that handled the case. If you are handling the case yourself without a lawyer, you can go to the district court and appeal orally. The court may also allow representatives who are not lawyers to appeal orally. There is usually an oral hearing in the court of appeal to decide an appeal over a judgment. In the appeal process, the court of appeal should focus on the disputed parts of the district court’s decision and those that are in doubt. The court of appeal can refuse to hear an appeal if it finds there is a clear preponderance of evidence that the district court’s judgment will not be changed. Additionally, the court may refuse to consider some claims or grounds for appeal, even if the rest of the appeal is heard.
The Right to Appeal is Limited in Cases Involving Assets Worth Less Than 250,000 NOK

If the appeal concerns assets worth less than 250,000 NOK, consent from the court of appeal is required for the appeal to be heard. When the court of appeal considers whether to grant consent, it takes into account:
- The nature of the case
- The parties' need to have the case reviewed
- Whether there appear to be weaknesses in the decision being appealed or in the handling of the case

If You Want to Appeal a District Court Ruling or Decision to the Court of Appeal

A ruling can generally be appealed on the grounds of:
- Errors in the factual findings described in the ruling
- Errors in the application of the law (misinterpretation of the law)
- Procedural errors

Rulings related to procedural matters that are based on discretion can only be appealed if you believe the exercise of discretion was unreasonable or clearly unjust. A decision can only be appealed if you believe:
- The court did not have the authority to make this type of decision based on the legal grounds, or
- The decision is obviously unreasonable or unjust

If the district court has issued a judgment in the case, decisions on procedural matters cannot be separately appealed. Instead, the judgment can be appealed on the grounds of procedural errors. Rulings and decisions are appealed to the district court that issued the decision. Appeals are usually decided by ruling after written proceedings in the court of appeal.

If You Want to Appeal the Court of Appeal’s Decision to the Supreme Court

The Supreme Court is the appellate court for decisions made by the court of appeal. Appeals to the Supreme Court over judgments always require consent from the Supreme Court's Appeals Selection Committee. Consent is only granted when the appeal concerns questions of significance beyond the current case, or for other reasons it is particularly important for the Supreme Court to hear the case.
Appeals over judgments are usually decided after oral proceedings. The Supreme Court's Appeals Selection Committee can refuse to hear appeals over rulings and decisions if the appeal does not raise issues of significance beyond the current case, and there are no other considerations that suggest the appeal should be heard. The appeal can also be denied if it raises extensive factual questions. When an appeal over rulings and decisions in the district court has been decided by ruling in the court of appeal, the decision can generally not be further appealed to the Supreme Court. Appeals over the court of appeal’s rulings and decisions are usually decided after written proceedings in the Supreme Court's Appeals Selection Committee.