The Data Inspectorate has notified Disqus Inc of a fine of 25 million NOK for breaching the accountability principle, the requirement for a legal basis and the obligation to inform data subjects.
The Norwegian Data Protection Authority became aware of the case through NRKbeta's reporting in December 2019. That reporting revealed that Disqus Inc shared personal data about internet users without the websites that used the company's comment-field solution knowing about it. Based on NRK's coverage, the Norwegian Data Protection Authority examined whether Disqus Inc had breached the privacy requirements.
The Authority considers that Disqus Inc tracked, profiled and shared personal information about people in Norway when they visited seven websites using Disqus Inc's comment-field solution between May 2018 and December 2019. Our preliminary assessment is that this was done in breach of the privacy requirements on accountability, legal basis and information to data subjects.
Monitoring of visitors to Norwegian websites
Disqus Inc is an American company that offers comment-field solutions and programmatic advertising for websites. NRKbeta has described in several news articles how tests have demonstrated that Disqus Inc monitors visitors to Norwegian websites that use the Disqus comment field. Personal information is shared with a series of companies in the marketing sector without visitors having been informed.
Based on the information the authority has, this has mainly been a problem in Norway. According to the account the authority has received, the affected websites appear to be no/broom, khrono.no, adressa.no, NRK.no/ytring, P3.no, rights.no and document.no. Disqus considers that the tracking, profiling and sharing of personal data can be based on a balancing of interests as a legal basis, even though Disqus did not know that the GDPR was applicable to people in Norway.
After having examined this case, the authority has concluded that Disqus cannot base tracking across different websites, services or devices for marketing purposes on a balancing of interests. Such tracking requires consent.
The preliminary conclusion of the Data Inspectorate is that Disqus has no legal basis for the tracking, profiling and sharing of personal information about Norwegians who visited the websites that were using its comment-field solution.
In the notification, the authority has also concluded that Disqus has breached the obligation to provide information under the Privacy Regulation (GDPR), and that the company has breached the accountability principle by wrongly assuming that the regulation was not applicable to natural persons in Norway.
Website owners are also responsible, under privacy legislation, for the third parties they give access to on their websites. In this round, the Norwegian Data Protection Authority has given priority to the supervision of Disqus.
Serious breaches
The Data Inspectorate takes seriously what has happened in this case. The websites concerned are news sites, and Disqus, among other things, monitored which news sites people in Norway visited. This happened without those being monitored receiving any information about it.
Hidden monitoring and profiling is one of the most serious intrusions into privacy. When we do not receive information that someone is using our personal information, we lose the opportunity to request access and information and to object to our personal information being used for marketing purposes, as in this case.
The Norwegian Data Protection Authority has also placed great emphasis on the fact that the sharing of personal data for programmatic marketing involves a high probability that data subjects lose control over who has their personal data.
High fine
Fines for infringements must be effective, proportionate to the infringement and have a deterrent effect. This case involves hundreds of thousands of data subjects, very private information about which news sites people visit, tracking that was hidden over time, and personal information that has gone astray in programmatic advertising.
After a careful assessment, the size of the fine has been set this high because several hundred thousand data subjects are affected, because the information about which websites people visit is private, because the monitoring has been hidden, and because personal information has gone astray in advertising.
The authority supervised the Disqus service during the period from the entry into force of the Privacy Regulation (GDPR) until December 2019, when Disqus changed its widget on Norwegian websites.
Not a final decision
Disqus has until May 31 to send its comments on the notice. The purpose of the notice is to give the company the opportunity to provide feedback on how it assesses the case. We make a final decision after considering any comments from Disqus.