The Norwegian Data Processing Authority issues USD 7.2 million fine to U.S. company Grindr LLC
Background
On 14 January 2020, the Norwegian Consumer Council, in collaboration with noyb – European Center for Digital Rights, filed three different complaints against Grindr with the Norwegian Data Processing Authority (DPA). The complaints were based on the findings in an extensive report about Grindr’s personal data processing prepared by the Consumer Council: “Out of control: How consumers are Exploited by the Online Advertising Industry”.
Grindr is said to be the world’s largest social networking app aimed at people who are gay, bi, trans and queer. The app is used in a number of countries worldwide, including Norway.
The legal issues
Grindr is a U.S. company with its business address in California, and does not have permanent establishment within the EU/EEA. As Grindr offers its services in Norway and therefore processes personal data pertaining to physical persons located in Norway, Grindr’s personal data processing is subject to Norwegian law under the Norwegian Personal Data Act § 4, ref. also the GDPR Article 3(2).
The investigation by the Consumer Council and their subsequent complaints addressed concerns that Grindr shares personal data pertaining to its users with a number of advertising companies, including MoPub, Xandr Inc., OpenX Software, AdColony and Smaato. These advertising companies, and any other advertising companies that receive the personal data from the advertising companies that initially received it, will use this personal data for the purpose of direct marketing towards the users.
As the Grindr users are predominantly gay, bi, trans or queer, the DPA found that information that a physical person is a Grindr user is also a strong indication about the person’s sexual orientation, which entails that the data sharing must be considered as processing of special categories of personal data under the GDPR Article 9.
As set out in its Privacy Policy, Grindr relies on user consent for the processing of its users’ personal data. Upon registration, the user would be presented with the privacy policy and a pop-up which appeared with the phrase “I accept the Privacy Policy”. If the user elected not to accept the privacy policy as a whole, the data subject would not be able to use the free version of the service, which is financed by advertising. The user would therefore not be given the option of using the service without also consenting to the use of the personal data for marketing purposes, even though this processing is not necessary for the performance of the service. On this basis, the DPA argues that the consent was not freely given, and therefore not a valid basis for processing of personal data. Grindr also failed to comply with the conditions that the consent should be “specific” and “informed”, due to the manner in which the privacy policy was drafted, where the wording regarding consent to personal data processing was not distinguishable from other matters.
The consent mechanism was later somewhat amended by Grindr; however, this did not mitigate the concerns of the DPA, which found that the consents given by the Grindr users were not valid under the GDPR and therefore did not form a valid basis for processing of personal data under Article 6(1)(a). The DPA further found that the consent was not valid under Article 9(2)(a), which entails that Grindr’s processing of personal data is a violation of the prohibition against processing of special categories of personal data set out in Article 9(1).
The fine
On 26 January 2021, the Norwegian DPA announced its intention to issue a fine to Grindr of NOK 100 million (approximately USD 11.1 million). In its final decision of 13 December 2021, the DPA states that the maximum fine under the GDPR Article 83(5) is EUR 20 million, as this amount is higher than 4 % of Grindr’s annual turnover, which in the decision is said to be “well above USD 100 million”. The limit for the fine is therefore EUR 20 million and not the 4 %. The DPA in Norway has previously issued fines in the range of 2-3 % of a company’s turnover, and the Swedish DPA has recently issued a fine which corresponds to 5.38 % of a company’s annual turnover. The DPA states that the processing concerns thousands of data subjects, and the illegal processing in question was a part of Grindr’s core business model. The DPA did find, however, that a reduction from the NOK 100 million previously announced was in order, as Grindr had attempted to remedy the manner in which Grindr collects user consents.
All in all, in its binding decision of 13 December 2021, the DPA set the fine amount at NOK 65 million (approximately USD 7.2 million), which was considered appropriate, taking into account the severity of the matter. Grindr has three weeks from the date of the decision in which to lodge an appeal against the DPA’s decision, and a possible appeal will be heard by “Personvernnemnda”, which is a special complaints board which handles complaints against the DPA’s decisions. “Personvernnemnda”’s decision can then be tried by the ordinary courts of Norway.
Further information and the entire 68 page DPA decision are available in English on the DPA’s website.
Article provided by INPLP member: Øystein Flagstad (Gjessing Reimers, Norway)
Dr. Tobias Höllwarth (Managing Director INPLP)