- This is a milestone in the ongoing work to ensure that consumers’ privacy is protected online. The Data Protection Authority (Datatilsynet) has clearly established that it is unacceptable for companies to collect and share personal data without user´s permission, Finn Myrstad, director of digital policy in the Norwegian Consumer Council said.
In 2020, the Norwegian Consumer Council revealed how many apps collect and share large amounts of sensitive information without users’ knowledge. Based on these findings, the Consumer Council filed legal complaints, together with noyb, the European Center for Digital Right, against the dating app Grindr and five commercial partners for breaches of the General Data Protection Regulation (GDPR).
The Data Protection Authority has now upheld the Consumer Council’s complaint and issued an advance notification of a 100 million NOK (€ 9 600 000) one-time administrative fine, which amounts to 10 percent of Grindr’s global annual revenue. Grindr has until February 15th to provide comments or remarks on the decision.
– This not only sets limits for Grindr but establishes strict legal requirements on a whole industry that profits from collecting and sharing information about our preferences, location, purchases, physical and mental health, sexual orientation, and political views, Myrstad said.
- This is excellent news and sends a clear signal that it’s illegal to monitor consumers without their consent 24/7 to collect and share their data. The GDPR does have teeth and consumer groups stand ready to act against those who break the law, Monique Goyens, Director General of The European Consumer Organisation (BEUC), said.
– The message is simple: ‘take it or leave it’ is not consent. If you rely on unlawful ‘consent’ you are subject to a hefty fine. This does not only concern Grindr, but many websites and apps, Ala Krinickytė, Data protection lawyer at noyb said.
As a result of the Norwegian Consumer Council’s revelations in 2020, more than 40 consumer and human rights organizations in the EU and US notified their national authorities about the findings and set forth demands that the data free-for-all must cease.
Sets strict limits on data sharing
The decision from the Norwegian Data Protection Authority rules that Grindr users were not given sufficient information about how personal data was collected and shared onward with third party companies. Consumers had to accept data sharing with third parties in order to use the app.
– It is great that the Norwegian Data Protection Authority is taking a leading role in enforcing the General Data Protection Regulation in Europe. We hope that this marks the starting point for many similar decisions against companies that engage in buying and selling personal data, Myrstad said.
- We now expect Grindr to ensure that any personal data that was illegally collected and shared with third party companies is deleted. Other companies and apps that engage in similar activities should ensure that they are operating in accordance with the legal precedence that has now been established.
Commercial surveillance has serious consequences
The comprehensive knowledge companies have not only about consumers’ preferences but even about when we are most receptive to being influenced threatens consumer and data protection rights and may have dramatic consequences for society at large.
– There are many examples of how personal data is used to manipulate everything from elections to targeting gambling ads against individuals struggling with addiction. Furthermore, data breaches may lead to scams or identity theft, and can be used for stalking or persecution, for example in countries where homosexuality is illegal, Myrstad said.
– Information about us is often used in completely different contexts from where and when it was collected. For example, health data may be used to determine insurance offers, or to discriminate against groups or individuals on the basis of ethnicity or sexual identity.