Data protection

Company faces 100 million NOK fine for unlawful disclosure of data

Legal news
25 February 2021
Denmark, Norway

In a recent draft decision, the Norwegian Data Protection Authority has declared its intention to fine a tech company 100 million NOK for disclosing personal data to third party advertisers without a lawful basis. As part of its reasoning, it emphasized that special categories of data had been shared, since the disclosed data revealed information on the users’ sexual orientation.

Following complaints from the Norwegian Consumer Council, the Norwegian Data Protection Authority (DPA) ordered the tech company, which operates a GPS-based social networking app, to disclose how it had shared user data with third party advertisers.

Under the company’s privacy policy, users were informed that certain data was shared with advertising partners, but the partners had only been named to a very limited extent. In practice, the company shared data such as profile and location information, cookies, log files and more.

To determine whether the company had complied with its obligations, the Norwegian DPA had to consider whether special categories of data had also been disclosed and whether the users’ consent had been valid.

Special categories of data must be broadly interpreted

According to the Norwegian DPA, the information shared with third party advertisers also included special categories of data, because it revealed the users’ sexual orientation: the company had passed keywords such as “gay, bi, trans, queer” to its advertisers.

The company disagreed and argued that the keywords were applied generally to all users, as a general description of the app. Although the Norwegian DPA agreed that the keywords were not specific to any individual data subject, they still revealed information on sexual orientation through the mere association of the user with the app. The Norwegian DPA emphasized that “sexual orientation” must be interpreted broadly, and that there was no need to reveal a particular sexual orientation to fall within its scope. It was enough to reveal that the user belonged to a sexual minority.

In turn, the company pointed to the substantial effects such an interpretation would have on other tech companies, listing a series of apps that would be affected. The company also argued that this interpretation would result in many data controllers suddenly and unexpectedly finding themselves processing special categories of data. This did not change the findings of the Norwegian DPA.

User consents were invalid

As a main rule, extensive disclosure of data to third parties for marketing purposes must be based on consent. No other lawful basis would be suitable or adequate for that purpose.

The Norwegian DPA therefore took a closer look at the consent management platform the company had in place at the time. It found, among other things, that the mechanism had not allowed for separate consents: users had been forced to accept the privacy policy in its entirety in order to use the app, access to the service had been conditional on consent, withdrawing consent would have led to extra costs for the user, and the consent had not been specific. The company had also failed to properly inform users about what they were agreeing to, and the consent had in any case not been unambiguous.

According to the company, its consent mechanism exceeded industry standards. It also pointed to the fact that data on sexual orientation had already been made manifestly public by the user through the profile on the app. The Norwegian DPA rejected this reasoning, pointing to the various restrictions that applied before others could gain access to that information.

IUNO’s opinion

Recent cases under the new rules offer increasing clarity on the level of fines companies can expect if they breach their data protection obligations. As part of its assessment, the Norwegian DPA emphasized that tech companies in particular must be aware of the enhanced responsibility that comes with processing data on a large scale. The proposed fine would be the highest in Norway to date under the new rules, calculated as 10 % of the company’s worldwide turnover.

IUNO recommends that companies bear in mind that national DPAs will in many cases issue fines without prior warning. In this case, the company referred to earlier guidance from the Irish DPA giving data controllers six months to comply before action was taken. The Norwegian DPA rejected this argument with reference to the recent 50 million EUR fine imposed on Google by the French DPA for non-compliance.

[Draft Decision on an Administrative Fine to Grindr LLC by the Norwegian Data Protection Authority, of 24 January 2021]

By Anders Etgen Reitz, Partner, and Kirsten Astrup, Associate