Record fine in the Grindr case confirmed

–  We are very pleased that the Privacy Appeals Board agrees with our conclusions and has upheld our decision. This has been an important and prioritised case for the Norwegian Data Protection Authority and of course for consumers’ data protection," says Line Coll, Director General of the Data Protection Authority.

Background

Grindr is a location-based dating app aimed at gay, bi, trans and queer people. In 2020, the Norwegian Consumer Council lodged a complaint against the app with the Data Protection Authority. The reason was that Grindr shared information about GPS location, IP address, mobile phone advertising ID, age and gender – in addition to an individual being a Grindr user – to several third parties for marketing purposes.

The Data Protection Authority concluded that Grindr disclosed personal data about users to third parties for behavioural advertising without a legal basis. Therefore, in December 2021, a fine of NOK 65 million was imposed.

Grindr appealed the decision, and in 2022 the case was sent to the Privacy Appeals Board accordingly.

The case concerns Grindr’s practices in the time period from when the GDPR became applicable until April 2020, when Grindr changed its consent mecahnism. The Norwegian Data Protection Authority has not assessed the legality of the current practices of Grindr.

Invalid consents

The Norwegian Data Protection Authority’s conclusion in the decision was that consent was required to share the personal data in question, but that the so-called ‘consents’ that Grindr collected were not valid.

The Privacy Appeal Board agrees, stating that consent was neither voluntary, specific nor informed. The Board points out, among other things, that the user was not given a free choice to consent to the disclosure of personal data during registration in the app, and that the relevant information about data sharing was only included in the privacy policy.

– Consent is a tool for giving users control over their own personal data. If users are not made able to understand what they are consented to, or if they are not granted real freedom of choice, the consents are illusory, Coll emphasises.

Special categories of personal data

Information about sexual orientation enjoys particular protection under the GDPR. The Data Protection Authority considered that information revealing that someone is a Grindr user, constitutes such a special category of personal data, because it strongly indicates that they belong to one of the sexual minorities the Grindr app targets. Since the consents Grindr collected were invalid, Grindr was not legally permitted to share such information.

In the decision, the Privacy Appeals Board states that although the specific sexual orientation of the users was not disclosed, information that someone is a user on Grindr says that they most likely have a sexual orientation that differs from that of the majority. In the Board’s view, this means that Grindr has disclosed special category personal data unlawfully.

– Grindr is used to connect with other people in the LGBTQ+ community, and identifiable information about users and their use of Grindr was shared to an unknown number of third parties for marketing purposes. The European Court of Justice has recently confirmed in several decisions that the notion of special categories of personal data must be interpreted broadly in order to ensure a high level of data protection, Coll says.

Important case with high fine

The fine of NOK 65 million is the highest that the Data Protection Authority has ever imposed. The reason for the high fine is the severity of the infringements. Thousands of users in Norway had their personal data unlawfully disclosed to an unknown number of companies in order to serve Grindr’s commercial interests, including location data and the fact that they are Grindr users. Business models based on behavioural advertising are common in the digital economy, and it is important that fines for offences are dissuasive and contribute to compliance with the data protection rules.

The Privacy Appeals Board has not found any reason to change the amount of the fine, and it highlights the seriousness of the infringement, the number of data subjects affected, the categories of personal data in question and the fact that the infringement was ongoing for almost two years. The Board also points out that it is an intentional act where the company has consciously chosen a technical solution that does not make it possible to register in the app without "approving" the disclosure of information for behavioural advertising at the same time.

– Our consumers are entitled to data protection in applications delivered from international players. The decision creates an expectation and shows that international players in the Norwegian market must provide services that safeguard Norwegian users and their data protection rights, says Coll.

Decisions from the Privacy Appeals Board cannot be further appealed, but Grindr can bring legal action before the courts regarding the validity of the Privacy Appeals Board’s decision.