Grindr Faces €5.8 Million Fine: A Reminder on the Importance of GDPR Compliance

The Norwegian Privacy Appeals Board (Personvernnemnda) has upheld the Norwegian Data Protection Authority’s decision to impose a fine of NOK 65 million (approximately €5.8 million) on the widely-used dating app, Grindr. 

Background

This landmark decision dates back to 2020, when the Norwegian Consumer Council (NCC) filed a complaint following the publication of the “Out of Control” report. The report served as an eye-opener, detailing how Grindr indiscriminately shared users’ intimate data with a plethora of commercial entities. These third parties were free to distribute the information further to an expansive network of companies, primarily to tailor surveillance-driven advertisements.

The NCC alleged that Grindr breached the General Data Protection Regulation (GDPR) through these practices. 

Update:

  1. Background: Grindr, the dating application, has initiated legal action against the Norwegian data protection authority, Datatilsynet. This follows a substantial fine of NOK 65 million imposed by the authority for allegedly sharing user location data and advertiser information with marketing partners.
  2. Grindr’s Stance: The company argues that Datatilsynet has misinterpreted the EU General Data Protection Regulation (GDPR). Grindr’s privacy officer, Kelly Peterson Miranda, stated that the lawsuit is not about past practices but focuses on the implications for all data processing activities on Grindr. They seek clearer guidance or a definitive decision on whether using Grindr itself categorizes all collected and processed data as special categories of personal data, which are subject to strict processing requirements under GDPR.
  3. Concerns and Challenges: Miranda expressed concerns that the Norwegian decisions could make it challenging to operate services like Grindr in Europe. They fear that the decisions set precedents not only for targeted advertising but also for other activities like fraud prevention and contextual advertising.
  4. Datatilsynet’s Response: In response to the lawsuit, Datatilsynet’s director, Line Coll, maintains that the decision of the appeal body is correct. Coll notes that personal privacy is once again under pressure, challenged by large commercial entities using their resources and legal prowess to defend their business models, increasingly scrutinized by authorities.
  5. Future Implications: This case highlights the complex interplay between user privacy, data sharing practices, and the interpretation of GDPR. It also underscores the ongoing tension between tech companies and regulatory bodies over data privacy standards and enforcement.

This update provides a comprehensive overview of the latest developments in the Grindr-Datatilsynet case, reflecting the ongoing debate over GDPR interpretation and enforcement in the digital landscape.

Source: NRK News.

Invalid Consent

Throughout the proceedings, the Norwegian Data Protection Authority also noted that Grindr had not obtained valid consent to share the personal data in question. 

🗣 Personvernnemnda also upheld this and highlighted that: 

“the user was not given a free choice to consent to the disclosure of personal data during registration in the app, and that the relevant information about data sharing was only included in the privacy policy.”

Following this, it upheld the Norwegian Data Protection Authority’s decision to fine Grindr.

Welcomed Decision

🗣 Finn Myrstad, the Director of Digital Policy at the NCC, emphasized the gravity of the situation in a press release: 

“Surveillance-based advertising, where companies collect and share personal data for commercial purposes, is entirely unchecked. We applaud the Norwegian Data Protection Authority’s determination in addressing our grievance and the subsequent validation by the Norwegian Privacy Appeals Board, underscoring that Grindr’s sharing of sensitive data with third-party entities is indeed unlawful.”

Recognizing the potential implications, the NCC, accompanied by a consortium of consumer and human rights organizations from Europe and the US, has advocated for the outright prohibition of surveillance-oriented advertising.

A Wake-Up Call for Digital Enterprises

The Grindr case is more than just a hefty fine. It serves as a timely reminder of the immense responsibilities companies shoulder in the digital age. With stricter regulations and an increasingly vigilant consumer base, compliance with data protection norms is non-negotiable.

For businesses navigating these complex legal waters, tools and services that ensure GDPR compliance are indispensable. It’s not merely about avoiding fines but about fostering trust with your user base.

Let iubenda Guide Your Compliance Journey

With a vast landscape of data protection regulations and their intricate nuances, ensuring complete compliance can be daunting. 

At iubenda, we offer a suite of solutions designed to simplify this process. From privacy policies to cookie management, our tools are crafted to help you maintain transparency and stay aligned with evolving regulations.

🚀 Embark on your GDPR compliance journey with iubenda today!
