Oslo District Court has found Grindr’s sharing of personal data illegal as a result of the Norwegian Consumer Council complaint from 2020. Accordingly, Grindr has to pay EUR 5 million, as fined by the Council.
Our guardians of personal data and privacy: NDPA, NPAB, and NCC
As we have written multiple times in our blog series about GDPR and consequences of this EU-regulation, Norway has a long history of protecting citizens’ personal information. It started out with the first Personal Data Act implemented in 1978 with the purpose of protecting the individual against privacy being violated through the processing of personal data. The law was updated with GDPR clauses in the year 2000.
In 1980, the Norwegian Data Protection Authority (NDPA) was established as an independent authority whose task is to monitor compliance with the Personal Data Act. It is important to note that the NDPA has two roles: supervisory authority and ombudsman.
The NDPA decisions may be appealed to NPAB, Norwegian Privacy Appeals Board (Personvernnemda), whose decisions are final.
During recent years, another Norwegian governmental public body, the Norwegian Consumer Council (NCC), whose role is to protect consumers’ interests, has become involved in privacy, more precisely the misuse of personal data that big tech companies are involved in. As a governmental-independent agency, the NCC is free to chose the cases they want to work on.
Sharing of personal data is illegal without specific consent: The Grindr case
Recently, the NCC has put effort into the task of preventing the big tech companies from using personal information for surveillance-based marketing that the users have not consented to. Neither have users given consent to how personal data is transmitted to the companies’ partners.
The figure below, from https://noyb.eu/en/eu-58-million-fine-grindr-confirmed, illustrates the problem.
In our blog post #14, The Norwegian Consumer Council’s voice heard worldwide, we told you about Grindr, how they breached the GDPR, and was fined NOK 100 million (€ 9.63M or $ 11.69M) by the NDPA in 2021.
Grindr appealed to the NPAB who upheld the NPDA’s fine, now reduced to NOK 65 million, approximately EUR 5,8 million.
To no one’s surprise, Grindr took the case and the fine to court. But the Oslo District Court (Oslo tingrett) on July 1, 2024, convicted Grindr to pay EUR 5,86 million.
This verdict can however also be appealed.
What this is all about
We quote the director of NCC, Inger Lise Blyverket, who according to https://www.forbrukerradet.no/side/the-district-courts-judgment-in-the-grindr-case/ says:
–This [the verdict] sends a strong signal to all companies that engage in commercial surveillance. There are no blank cheques to collect and share personal data. We expect that the digital advertising industry, which profits from tracking and profiling consumers, makes comprehensive changes in order to protect consumers’ fundamental rights.
–There are many examples of how personal data is used for all manner of purposes, including to influence elections and to target advertising to individuals struggling with addictions and other vulnerabilities. Such information can also be used to target and persecute minority individuals and groups.