In 2020, the Norwegian Consumer Council revealed how a number of apps collect and share large amounts of sensitive data behind their users’ backs. Based on these discoveries, the Consumer Council filed legal complaints against the company behind the dating app Grindr, and five connected companies involved in surveillance-based advertising, for breaches of the General Data Protection Regulation (GDPR).
The Data Protection Authority followed the arguments made in the complaint and announced an intention to impose a fine against Grindr, to the sum of 100 million NOK (approx. €10 million / $12 million), which is the highest fine ever imposed by the Norwegian DPA. This amounts to around 10 percent of the company’s annual global turnover.
– The Data Protection Authority is clearly establishing that companies cannot collect and share personal data as they please. It is crucial that companies that breach the law are held accountable for illegally sharing personal data, Finn Myrstad, team leader for digital policy in the Norwegian Consumer Council, says.
– Consumers’ fundamental rights will not be safeguarded until the processing and sharing of illegally collected personal data is halted. As long as this data is out there, it may be shared onward and be used by companies that monetize personal data for surveillance-based marketing and other purposes.
According to the privacy NGO noyb, which has assisted with the legal complaint, Grindr fails to adequately address the concerns outlined in the complaint.
– Grindr’s claim that other apps and companies follow the same practices is a political statement, and not a valid legal argument, nor an excuse to breach the law. Also, the argument according to which the EDPB guidelines are non-binding and would create new rules is not convincing. The requirements for consent were spelled out over 10 years ago, way before the GDPR, says Romain Robert, lawyer at noyb.
Grindr has to clean up its act
Following the requests made in the complaint, the Consumer Council is asking the Data Protection Authority to impose other measures, in addition to the fine, by ordering Grindr to:
- Inform about which other companies had access to personal data, and how this data may have been shared with further companies.
- Delete all illegally collected personal data and ensure that other companies that have received the data also delete it.
- Ensure that, in the future, Grindr users are not exposed to sharing and spreading of personal data to other companies.
– The information was collected without valid consent and must be considered particularly sensitive as it concerns users’ sexual orientation. Therefore, it is important to set strict demands that the company cleans up its act and safeguards consumers’ fundamental right to privacy, Finn Myrstad says.
May have significant consequences
In the report “Out of Control”, the Norwegian Consumer Council showed how the collection and use of personal data is happening without control, by companies most people have never heard about. Users have no way to know what data is collected, who it is shared with, and how it may be used.
– The comprehensive knowledge about consumers’ preferences and when we are most susceptible to being influenced is not only a threat to consumer and privacy rights, but can have serious consequences for society at large, Finn Myrstad says.
– There are many examples of how this type of information can be used in attempts to manipulate everything from democratic elections, to targeting advertising for gambling toward individuals struggling with addictions. Data leakage or data breaches can also lead to scams or identity theft, and in the worst-case scenario it may be used to persecute people, for example in countries where homosexuality is illegal.