An American dating app has responded to Norway’s data protection authority regarding alleged breaches of the General Data Protection Regulation (GDPR) that could result in a fine as high as €9.6 million. In February, Norway’s Datatilsynet issued an advance notification to Grindr that it would fine the company about 10% of its worldwide revenue for
- having disclosed personal data to third party advertisers without a legal basis, which constitutes a violation of Article 6(1) GDPR; and
- having disclosed special category personal data to third party advertisers without a valid exemption from the prohibition in Article 9(1) GDPR
The Datatilsynet explained it instigated the investigation upon receipt of a complaint and limited its investigation only to the issue of consent and reserves the right to investigate any related GDPR violations (see here for more detail and analysis.)
In its response, Grindr summarized the main legal arguments as to why the Datatilsynet was mistaken:
- Grindr has legal basis for the processing in question
- The principle of legal certainty (No: “legalitetsprinsippet”) under EEA law and Norwegian administrative law requires that in order to impose an administrative fine, there must be a clear legal basis and “objective, non-discriminatory criteria which are known in advance to the undertakings concerned”. The requirements in Article 6 and 9, when applied to Grindr’s previous consent mechanism, do not suffice as legal basis for imposing the notified administrative fine.
- Even under historical practice, Grindr obtained appropriate consent for the described processing according to the requirements in the GDPR itself. “Guidelines” from the EDPB cannot be the legal basis for administrative sanctions as set out by Datatilsynet.
- Users had ample possibilities to consent or object to the processing before such processing took place:
- At the beginning of the sign-up process in the App, users had to confirm having read Grindr’s Terms and Conditions of Service (“T&Cs”);
- To continue signing up for the App, users had to confirm adherence to the T&Cs;
- Users could choose not to share data with advertising partners. If users denied sharing data with advertising partners via the controls available in their device’s mobile operating system, the App would still work equally well. In June 2019, Grindr began implementing the industry-leading OneTrust consent management platform to give users even greater granularity and control from within the App with respect to their information sharing options.
- Like in many free apps, users had the option of upgrading to a paid subscription without ads for a small, reasonable fee. Offering an ad-free, payable version of an app, as an alternative to a free version of an app financed by advertisements, is both a common and legal practice.
- If users did not approve of Grindr’s processing of their personal data or the overall concept/service offerings of the App, users had the choice to select alternative apps. Grindr does not have a monopoly in its particular app category.
Grindr went on to claim it does not share its user’s sexuality with advertising partners:
- Grindr has not shared special categories of personal data with advertising partners
- Grindr did not share a user’s sexual orientation with advertising partners.
- Grindr shared data points common in the industry such as Advertising ID (provided by the device’s mobile operating system and under full user control) and information about the computing environment (operating system version, model, screen resolution, etc.); age, gender (e.g., male or female) and location. As of June 2020, Grindr stopped sharing even a user’s obfuscated location information, age or gender with advertising partners.
- Grindr is one of the few places where the full spectrum of sexual orientations are represented and where users can interact with each other safely. Grindr is used by users of all sexual orientations, including those who belong to the LGBTQ+ community as well as users who identify as heterosexual. The fact that an individual has the App installed on their device does not reveal the specific sexual orientation of said user. Therefore, the presence of the App on one’s device does not equate to a special category of personal data, in and of itself. This is supported by a German judgement.
Naturally, Grindr objected to the Datatilsynet fine:
- On the size of the warned fine
- Datatilsynet has not given adequate attention to the many measures taken by Grindr to fine-tune its mechanisms for obtaining consent. Grindr has always been proactive in securing the privacy of its users. Consent mechanisms have been in place since the launch of the App, and the consent mechanisms have been fine-tuned as industry consent practices and guidance have evolved, including through regulator feedback. The facts recorded by NCC, and that Datatilsynet relies on, relate to a consent mechanism that Grindr stopped using in April 2020. The privacy regulatory landscape, including interpretations of the GDPR (and more specifically, notions related to consent) have evolved and continue to evolve over time. Therefore, it is not proportionate to impose an administrative fine against Grindr, which has had appropriate consent mechanisms in place. Further, the size of the administrative fine indicated in the Advance Notification is certainly not proportionate to the alleged breach, nor would a fine be effective in protecting the privacy of the users, as Grindr had already further enhanced its consent mechanisms.
- A survey of recent administrative fines demonstrates that Datatilsynet’s Advance Notification sets out the largest GDPR-related fine, not only in the Nordic countries, but throughout the European Union as well relative to Grindr’s size. Datatilsynet’s anticipated fine is meant to address how Grindr was processing personal data of all EEA users, but the fine is not proportionate. The fine would disproportionately punish Grindr for not adhering to certain EU guidance on the finer details in how consent shall be obtained, but the guidance does not have the force of law.(And as noted, Grindr has since fine-tuned its consent mechanism that satisfies such guidance.) Therefore, the proposed fine is neither proportionate nor justified by the asserted gravity, duration, scope, or nature of the alleged breach.
- Datatilsynet’s warning of the largest administrative fine that the Nordics have ever applied appears to be motivated by a desire to protect the LGBTQ+ community. However, the record-setting fine against one small player in a much larger ad tech ecosystem would have a disproportionately punitive impact on Grindr and the LGBTQ+ community that the company supports. Industry leading companies that provide services concerning heterosexuals are typically larger (in some cases exponentially so) than those serving minority communities. Thus, regulators must ensure that any penalties below the statutory cap do not disproportionately punish smaller companies, particularly ones like Grindr that demonstrate a commitment to the principles of the GDPR and work extensively to improve acceptance and a safe and open environment for the LGBTQ+ community and those supporting it.
Moreover, the entity that jointly filed the complaint against Grindr that gave rise to the Datatilsynet investigation and preliminary fine is asking that the agency force the company to delete user data. The Norwegian Consumer Council (NCC) “is now asking the Data Protection Authority to impose measures to ensure that the company also must identify and delete illegally collected personal data” according to its press release. The NCC is requesting that the Datatilsynet order Grindr to:
- Inform about which other companies had access to personal data, and how this data may have been shared with further companies.
- Delete all illegally collected personal data and ensure that other companies that have received the data also delete it.
- Ensure that, in the future, Grindr users are not exposed to sharing and spreading of personal data to other companies.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.