Introduction

The creator of a world-known, location-based social networking app ("Data Controller") was fined $7 million for improper data sharing in Norway. The Norwegian DPA fined the tech company following a claim regarding the unlawful sharing of personal data of users of the free version of the app.

The issue first came to light in 2020, when the Norwegian Consumer Council filed a complaint against the Data Controller before the Norwegian DPA, claiming that the Data Controller unlawfully shared personal data with third parties for marketing purposes without obtaining the data subjects' proper consent.

Data Controller

Data Controller advertised itself as one of the most popular networking apps and fulfilled a certain type of demand from its clientele in the social network industry. Although statistics vary, the Data Controller's current user base in Norway can be put in the thousands, and its users on a global scale in the millions. In that regard, it is easy to say that Data Controller has control of millions of people's special category data throughout the world.

Although the company is not based in the EU or EEA, it provides its service to clientele in Norway, so the GDPR applies under Art. 3.2, which covers controllers that offer goods or services to, or that monitor the behaviour of, people in the EEA. That is why the Data Controller faced the fine from the Norwegian DPA.

Process

Once the free version of the app was checked to determine which types of data had been shared without consent, the data shared, as the complaint indicates, was the GPS location data, IP address, age, gender and advertising ID of the users. Since the Data Controller's system works by exchanging data regarding users' profiles, users could be identified easily through the data shared.

The Norwegian DPA limited the investigation to the version that was in use from 2019 up to April 2020, which Data Controller used to obtain consent at the time of the complaint. The Norwegian DPA concluded that Data Controller had disclosed user data to third parties for behavioural advertisement without a legal basis. Further, as the complaint indicates, the data subjects' consent was the applicable legal basis in this case to a certain extent, and the purported consents Data Controller collected for sharing personal data with advertising partners were not legally valid.

The information regarding the sharing of personal data was not properly communicated to data subjects, in other words the users of the app. Data subjects did not fully comprehend, before the process, that certain types of their data were shared with certain third parties. Those third parties were a group of combined third parties, which led to a misleading data transfer process.

Because the app is targeted at a certain clientele and is used by a certain group of people, data revealing that someone is a user of the app strongly indicates that they belong to a minority group. Data concerning a person's sexual orientation constitutes special category data that merits particular protection under the GDPR. Since the consents Data Controller collected from the data subjects were not valid under the GDPR, such data could not lawfully be shared via the app, contrary to the Data Controller's practices.

Analysis

Any extensive disclosure of the data subject's data to third parties for marketing purposes should be based on the data subject's valid consent under GDPR. No other reasoning or legal basis mentioned in Art. 6(1) of GDPR would be adequate to process such data. Data subjects were forced to accept the privacy policy in its entirety to use the app, and they were not asked specifically whether they wanted to consent to the sharing of their data with third parties.

The consents given through the app did not fulfil the requirements of valid consent, which must be freely given, specific, informed and unambiguous [1]; the consent mechanism of the app did not allow users to consent separately to each data processing operation or to different purposes. The Norwegian DPA stated that the consents given on the app for sharing personal data with advertising partners were not valid, on the reasoning that they were not freely given and so not valid under Art. 4(11) of GDPR.

Under the GDPR, consent mechanisms must be designed to prevent "take it or leave it" consents, which is contrary to the Data Controller's practices. The app was designed to ask the user to either accept or cancel the privacy policy. Once users pressed cancel to decline behavioural advertising, the app excluded them from the free version. In other words, to access the free version of the app, Data Controller bound data subjects to the condition of consenting to the sharing of personal data for marketing purposes.

The Norwegian DPA states that becoming a user of this specific app is not an affirmative act by the data subject to make special category data public. It is not an open platform, so the user's intention would not be to manifestly make such data public. Even though the processing falls within the scope of Art. 9 of GDPR, Data Controller failed to demonstrate an exception in Art. 9/2 and a legal basis in Art. 6 for the disclosure of personal data linked with keywords indicating the user's special category data.

Conclusion

Under Art. 4/11 and Art. 6/1(a) of GDPR, the Norwegian DPA concluded that Data Controller's consent mechanism did not comply with the requirements of freely given consent, and that the consents already given under this mechanism were not valid for sharing data with the firm's advertising partners, due to lack of legal basis. Under Art. 9, Data Controller failed to fulfil the requirements to fall within the scope of the provision's exceptions. So the requirement of explicit consent arises to process special category data, and Data Controller did not obtain a valid one under Art. 9/2(a).

As regards the processing of special category data under Art. 9/2(e), which relies on the term "manifestly", the users had neither the motivation nor the intention to make such data public, since the platform is within the reach of a closed group of people rather than the public. Additionally, although the app makes the data subject's profile available to other app users, the free version of the app only displays a limited number of users at a time. Only users within a certain range of the user's actual or chosen location are visible to them.

This mechanism also shows that an app user who uploads certain information to their profile may not necessarily have intended to make the information "public", but only available to a limited number of relevant users. On this basis, users did not have to expect that Data Controller would share information regarding special category data with third-party advertisers. By doing so, Data Controller breached the prohibition in Art. 9/1 of GDPR by disclosing keywords indicating such data to advertising partners. Consequently, the Norwegian DPA imposed a fine of NOK 65 000 000, approximately € 6.5 million, on the Data Controller for not complying with the GDPR rules on consent.

Footnote

1. Art. 6/1(a), GDPR
