The Norwegian Consumer Council (NCC) has taken a strong position against commercial surveillance online, and has made it very visible how the Ad-Tech industry is exploiting personal data for business purposes.
Since the entry of social platforms on the Internet, “big data” has been accumulated and used unscrupulously by some companies for profit. Some of the players in the field are sharing information they collect on users with third-party advertisers without their users’ knowledge or consent. The driver is all the money connected to targeted advertising. However, sharing of personal data in this way is prohibited according to the EU’s General Data Protection Regulation (GDPR).
The NCC has no authority to enforce personal data legislation, but the Norwegian Data Protection Authority (NDPA) does. And so, the NCC can freely report findings of breaches of the GDPR and Norwegian data protection regulations to the NDPA.
NCC and NDPA at the forefront
A good illustration of this interaction is the case against Grindr. Earlier this year the NCC, based on the report “Out of Control” (2020), raised the case against Grindr and five Ad-Tech companies that were receiving personal data through the app: Twitter’s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato.
All the complaints were filed at the NDPA (in cooperation with the European Center for Digital Rights, noyb.eu) because of violations of the GDPR. The complaints concern Grindr transmitting sensitive personal data, such as group affiliation, sexual orientation, and geographic location, to several other parties without encrypting the traffic.
Even if data is anonymised, such as when third parties operate with their own proprietary identification numbers, it is possible to combine data from various sources with openly available information to produce a picture that can identify an individual.
In January, the NDPA announced a fine of NOK 65 million (€5.8 million, or approximately $6.5 million) on Grindr. In May this year, the NCC also acted against 8 companies and asked for details of their surveillance through the services Perfect365 and MyDays.
The Norwegian urge to protect personal data was also illustrated in May 2021, when the NDPA submitted an advance notification of an administrative fine of NOK 25 million to Disqus Inc. The company performs widget tracking, analysis and profiling, and discloses personal data to third-party advertisers, and in doing so violates multiple articles (i.e. Article 6 and Article 7) of the GDPR.
Update on 30 September 2023 on the Grindr case
Grindr appealed the decision to the Norwegian Personal Protection Board, which rejected the appeal in its decision on 29 September 2023, and announced that it upholds the fine. “We have received the decision and cannot comment on it until we have been able to discuss it with our client,” says the lawyer who represents Grindr.
The privacy movement grows stronger
All of these cases illustrate the NCC mission, but the NCC is working from a broader perspective: to establish a broad, international movement against surveillance-based advertising.
This movement got a push with NCC’s seminal report Out of Control (2020), which has received media coverage in more than 70 countries, including the US and Japan (see our previous blog post).
Recently (June 2021), the NCC released another report: Time to ban surveillance-based advertising, with the subtitle The case against commercial surveillance online.
On page 4 there is quite a good summary of what the driving force is:
…today’s dominant model of online advertising is a threat to consumers, democratic societies, the media, and even to advertisers themselves. These issues are significant and serious enough that we believe that it is time to ban these detrimental practices.
In a coalition with more than 60 organizations from Europe and the US, including some 10 consumer organisations and the umbrella organisation BEUC – the European Consumer Organisation – the NCC on June 23, 2021 sent an open letter to EU and US policymakers. The letter urges the policymakers to “…take a stand and consider a ban of surveillance-based advertising as part of the Digital Services Act in the EU, and for the U.S. to enact a long overdue federal privacy law.” The coalition is backing up its call with the reports by NCC.
On behalf of the NCC, the consumer research company YouGov conducted a survey among a representative selection of the internet population aged 18 and over about their attitude to surveillance-based advertising. The result was unambiguous: only 10% responded positively to the idea of commercial actors collecting information about them online, and only one in five think that ads based on personal information are OK.
Runbox takes a clear stand against the collection of consumer data and surveillance-based advertising: Our service is ad-free, and we never expose our customers’ data for commercial purposes. We are very strict when law enforcement authorities in Norway or foreign countries request that we disclose data about our customers.
At Runbox we are proud to reside in a country that puts privacy first, and we wholeheartedly support the appeal to ban surveillance-based advertising. Therefore Runbox will annually donate to support noyb.eu, and we have joined the list of individuals supporting the appeal.