The Norwegian Privacy Appeals Board has upheld the Norwegian Data Protection Authority's record fine of NOK 65 million (Euro 6.2 million) for the failure to obtain valid consent to share personal data to AdTech companies for marketing purposes. This is the highest GDPR violation fine imposed thus far in Norway. The decision is the result of a complaint from the Norwegian Consumer Council, which has been assisted by Hjort's GDPR team.
The Privacy Appeals Board found that Grindr shared information about Grindr users with advertising companies for marketing purposes without obtaining valid consent from those users. Users were neither sufficiently informed nor had they given voluntary consent to this sharing of information, partly because information about the disclosure of the users' information to Grindr's advertising partners, was only included in Grindr's privacy policy. As use of the Grindr app gives indirect information about a person's sexual preferences, the case also involved illegal use of one of the special categories of data that are subject to additional protection under the GDPR. As a result, the Privacy Appeals Board found that thousands of Norwegian Grindr users have illegally had their sensitive, personal data handed over to an unknown number of third parties that in turn may have shared this information further.
The case is of major importance for the AdTech industry's collection, use and sharing of personal data for digital marketing purposes. The Norwegian Consumer Council and a number of other consumer and human rights organisations in Europe and the United States, have long advocated a ban on surveillance-based marketing. The Norwegian case was based on the Norwegian Consumer Council's report "Out of Control", which revealed how consumers' personal data are exploited by the AdTech industry through targeted, surveillance-based advertising.
The case has attracted considerable media attention, including international coverage from The New York Times, Axios and many others.
It has been a great experience for our GDPR-team to work with the Norwegian Consumer Council on GDPRs issues arising out of digital marketing. Besides applying our prior GDPR expertise, we have had much use of our firm's general experience on administrative infringement fees from other sectors.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.