Company faces 100 million NOK fine for unlawful disclosure of data

Legal news
25 February 2020
Denmark, Norway

With a recent draft decision, the Norwegian Data Protection Authority has declared its intention to fine a tech company 100 million NOK for disclosure of personal data to third party advertisers without a lawful basis. As part of its reasoning, it emphasized that special categories of data had been shared as the data had revealed information on the users’ sexual orientation.

Following complaints from the Norwegian Consumer Council, the Norwegian Data Protection Authority (DPA) ordered the tech company which operates a GPS-based social networking app to share information on how it disclosed user data to third party advertisers.

Pursuant to the company’s privacy policy, users were informed that certain data was shared with advertising partners, but these had only been named to a very limited extent. Accordingly, the company shared data such as profile and location information, cookies, log files and more.

To determine if the company had complied with its obligations, the Norwegian DPA had to consider if special categories of data also had been disclosed and if user consent had been lawful.

Special categories of data must be broadly interpreted

According to the Norwegian DPA, the information shared with third-party advertisers also included special categories of data: it revealed the users’ sexual orientation because the company shared keywords such as “gay, bi, trans, queer” with its advertisers.

The company disagreed and argued that the keywords were applied generally for all users, as a general description of the app. Although the Norwegian DPA agreed that the keywords were not specific to the data subject, they still revealed information on sexual orientation as a result of the mere association with the app. The Norwegian DPA emphasized that “sexual orientation” must be interpreted broadly, and that there was no need to reveal a particular sexual orientation to trigger the scope. It was enough to reveal that the user belonged to a sexual minority.

In turn, the company pointed towards the substantial effects such an interpretation would have upon other tech companies, listing a series of apps which would be impacted. The company also claimed this interpretation would result in many data controllers suddenly finding themselves processing special categories of data unexpectedly. This did not change the findings of the Norwegian DPA.

User consents were invalid

As a main rule, extensive disclosure to third parties of data for marketing purposes should be consent-based. Another lawful basis would neither be fit nor adequate for the purpose.

The Norwegian DPA therefore took a closer look at the company’s consent management platform, which had been in place at the time. It found, among other things, that the consent mechanism had not allowed for separate consent (users had been forced to accept the privacy policy in its entirety to use the app), that access to the services had been dependent on consent, that withdrawal of the consent would have led to extra costs, and that the consent had not been specific. Also, the company had failed to properly inform users of what they were agreeing to, and the consent had in any case not been unambiguous.

According to the company, its consent mechanism exceeded industry standards. It also pointed to the fact that data on sexual orientation had already been made manifestly public by the user via the profile on the app. The Norwegian DPA rejected this reasoning, pointing to the different restrictions which applied before others could gain access to this information.

IUNO’s opinion

Recent cases under the new rules offer increasing clarity on the level of fines companies can expect in case of breach of their data protection obligations. As part of its assessment, the Norwegian DPA emphasized that tech companies in particular must be aware of an enhanced responsibility which comes with processing data on a large scale. The proposed fine would be the highest in Norway to date under the new rules, calculated as 10 % of the company’s worldwide turnover.

IUNO recommends that companies pay attention to the fact that national DPAs in many cases will issue fines without prior warning. In this case, the company referred to previous guidance from the Irish DPA giving data controllers six months to comply before action was taken. The Norwegian DPA rejected this argument with reference to the recent 50 million EUR fine imposed on Google by the French DPA for non-compliance.

[Draft Decision on an Administrative Fine to Grindr LLC by the Norwegian Data Protection Authority, of 24 January 2021]

Anders Etgen Reitz, Partner

Kirsten Astrup, Managing associate (on leave)
