The Data Protection Board has now made a decision in the Grindr appeal case, upholding the Data Protection Authority’s decision to impose an infringement fine of NOK 65 million, and the fine remains in place.
“We are very pleased that the Data Protection Board agrees with our conclusions and has upheld our decision. This has been an important and prioritised case at the Data Protection Authority and not least for consumer privacy,” says Line Coll, Director of the Data Protection Authority.
Background
Grindr is a location-based dating app that targets gay and bisexual men, transgender and queer people. In 2020, the Consumer Council complained to the Norwegian Data Protection Authority about Grindr. The background was that Grindr disclosed information about GPS location, IP address, mobile phone advertising ID, age and gender – in addition to the fact that the person in question was a Grindr user – to several third parties for marketing purposes.
The Norwegian Data Protection Authority concluded that Grindr disclosed personal data about users to third parties for behavioural marketing purposes without a legal basis, and in December 2021 imposed an infringement fee of NOK 65 million.
Grindr appealed the decision, and in 2022 the case was referred to the Norwegian Data Protection Board for a final decision.
The case concerns Grindr’s practices in the period from when the GDPR began to apply in July 2018 until April 2020, when Grindr changed its consent solution. The Data Protection Authority has not assessed the legality of Grindr’s current practices.
Invalid consents
The Data Protection Authority’s conclusion in its decision was that consent was required to share personal data, but that the so-called consents Grindr collected were not valid.
The Data Protection Board agrees, and states that consent was neither voluntary, specific nor informed. The Board emphasises, among other things, that the user was not given a free choice to consent to the disclosure of personal data when registering for the app, and that the information that the user consented to the disclosure of personal data to advertising partners was only included in the privacy policy.
“Consent is a tool to give users control over their own personal data. If users are not enabled to understand the choice they are about to make, or given real freedom of choice, consent is illusory,” emphasises Coll.
Special categories of personal data
Information about sexual orientation has special protection in the GDPR. The Norwegian Data Protection Authority has assessed that information that someone is a Grindr user is such a special category of personal data, because it strongly indicates that they belong to one of the sexual minorities targeted by the Grindr app. Since the consents Grindr collected were invalid, Grindr was not legally authorised to share such data.
In its decision, the Data Protection Board states that even if the specific sexual orientation of the users was not disclosed, the fact that someone is a user on Grindr indicates that they are very likely to have a sexual orientation that is different from the majority. In the Board’s view, this is sufficient for Grindr to have unlawfully disclosed special categories of personal data, and agrees with the Norwegian Data Protection Authority that this disclosure was unlawful.
“Grindr is used to connect with others in the LGBTQ+ community, and identifiable information about them and their use of Grindr was shared with an unknown number of companies for marketing purposes. The Court of Justice of the European Union has recently confirmed in several decisions that special categories of personal data must be interpreted broadly to ensure a high level of privacy protection,” says Coll.
High fine and important case
The infringement fee of NOK 65 million is the highest imposed by the Norwegian Data Protection Authority. The reasoning was that the breaches were very serious. Thousands of users in Norway had their personal data illegally disclosed to an unknown number of companies for Grindr’s commercial interests, including location data and the fact that they are Grindr users. Business models based on behavioural marketing are common in the digital economy, and it is important that penalties for offences act as a deterrent and contribute to compliance with data protection regulations.
The Data Protection Board has found no reason to change the size of the fee, and emphasises the seriousness of the offence, the number of data subjects affected, the category of data concerned and the fact that the offence has been ongoing for almost two years. The Board also points out that this is a deliberate act where a technical solution has been deliberately chosen that does not make it possible to register without simultaneously “approving” the disclosure of data for use in behavioural marketing.
“Our consumers are entitled to privacy in applications delivered by international organisations. The decision creates an expectation and shows that international players in the Norwegian market must deliver services that safeguard Norwegian users and their privacy,” says Coll.
Decisions from the Data Protection Board cannot be appealed further, but Grindr can take legal action before the courts regarding the validity of the Data Protection Board’s decision.
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/rekordgebyr-til-grindr-blir-staende/