A Norwegian court on Monday 1 July upheld a $6m fine for LGBTQ+ dating app Grindr after finding it illegally shared users’ sensitive data. Meanwhile, users are bringing a similar case in the UK. So, the Norwegian fine may well offer a glimpse into what could happen here.
Grindr: your data NSFW – or anywhere, clearly…
Norway’s data protection agency Datatilsynet had earlier found that Grindr shared personal data with advertisers. Datatilsynet had issued the 65 million-kroner fine in 2021 over data-sharing between 2018 and 2020.
The data included geographical coordinates and users’ ages and sex as well as their status as users of the app, aimed at LGBTQ people.
Datatilsynet had ruled that Grindr gave users insufficient information on its data-sharing practices. It said the practices violated the European Union’s general Data Protection Regulation (GDPR), in force since 2018.
Grindr took the case to a court in Oslo, where a judge dismissed its appeal on Monday, in a ruling seen by Agence France-Presse (AFP).
It upheld the judgement that the app company had infringed the GDPR’s rules on consent for data-sharing.
It ruled that the data constituted “sensitive” information since it related to sexual orientation.
Norwegian media cited Grindr spokeswoman Kelly Miranda as saying that the company would consider lodging a further appeal. However, the verdict could have implications in the UK.
Letting third parties know you’re a bi bb bubblebutt
As Queerty reported, in 2022 the UK’s data watchdog slapped-down Grindr:
The ICO [The Information Commissioner’s Office] deemed that Grindr has failed to provide effective and transparent privacy information to its UK data subjects in relation to the processing of their personal data.
However, in April this year it emerged that 650 users were taking Grindr to court. As BBC News reported, the case claims that the app:
shared sensitive data with third parties for commercial purposes, in breach of the UK’s data privacy laws.
It says it included information about the ethnicity and sexual orientation of users.
The claim alleges it mainly occurred before 3 April 2018, though the data was also shared between 25 May 2018 and 7 April 2020.
It names data analytics companies Apptimize and Localytics as third parties which had access to the sensitive data.
However, it says that a potentially unlimited number of third parties used the data to customise advertisements to Grindr’s users.
In addition, it is claimed that firms may then have retained some of the shared data for their own purposes.
This comes after Grindr also shared user’s HIV status in the UK with third parties.
Given the upholding of the Norwegian case – and that the UK is under the same GDPR rules – a win in the UK courts against Grindr could be likely.
Additional reporting via Agence France-Presse
Featured image via the Canary