
Norway’s Data Protection Authority (DPA), Datatilsynet, found that Grindr had not complied with the EU’s General Data Protection Regulation (GDPR) and imposed an eye-watering fine of NOK 65 million, the DPA’s largest ever fine.
Legal basis of the fine
The legal basis of the fine was Grindr’s contravention of Article 58(2)(i) GDPR, for:
- Having disclosed personal data to advertising partners without a valid legal basis, which constitutes a violation of Article 6(1) GDPR.
- Having disclosed special category personal data to advertising partners without a valid exemption from the prohibition set out in Article 9(1) GDPR.
The DPA’s investigation
The DPA’s investigations into Grindr found that the company had disclosed its users’ personal data to third-party companies, including:
- Advertising and user ID;
- Age;
- Gender;
- GPS location; and
- IP address.
The personal information was shared for behavioural advertising purposes, but the DPA found that Grindr had not taken the appropriate steps to obtain its users’ consent. Grindr argued that all users had to accept a privacy policy that included sharing personal data with third parties in order to use the app.
Grindr describes itself as the ‘world’s largest social networking app for gay, bi, trans and queer people’, and it must meet its responsibilities under GDPR to protect its users. The DPA explained that, given the nature of the app, using it would identify the user as someone who belonged to a sexual minority, so the data was likely to be special category data and to require additional protection under the regulations.
Article 9(1) GDPR provides that:
‘Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited’.
Article 9(2) GDPR includes exemptions as follows:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes[…]
(e) processing relates to personal data which are manifestly made public by the data subject.
The DPA was not satisfied that Grindr’s forceful blanket approach of making all users accept a data privacy policy was enough to protect its users. Separate consents must be given for different personal data processing operations, so each user must be given genuine freedom to choose what they consent to and what they do not. Grindr should therefore have asked each user for specific consent to sharing their data for behavioural advertising purposes and communicated this to each user.
Comment
Whilst the decision was made by the Norwegian DPA, the above case is a good reminder to companies in the UK to pay close attention to their GDPR responsibilities, especially if they process sensitive information of their users or customers.
How can we help?
Vikky Lai is a Trainee Solicitor at Nelsons.
If you would like any advice in relation to the subjects discussed in this article, please contact Vikky or a member of the team in Derby, Leicester, or Nottingham who will be able to assist.