A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 30 April 2021
The Norwegian Data Protection Authority (the “Norwegian DPA”) has notified Grindr LLC (“Grindr”) of its intent to issue a €10 million fine (c. 10% of the company’s annual turnover) for “grave violations of the GDPR” for sharing its users’ data without first seeking adequate consent.
Grindr boasts to be the world’s largest social networking platform and online dating app for the LGBTQ+ community. three complaints from The Norwegian Consumer Council (the “NCC”), the Norwegian DPA investigated the way in which Grindr shared its users’ data with third party advertisers for online behavioural marketing purposes without consent.
The personal data Grindr shared with its advertising partners included users’ GPS locations, age, gender, and the fact the data subject in question was on Grindr. In order for Grindr to legally share this personal data under the GDPR, it required a lawful basis. The Norwegian DPA stated that “as a general rule, consent is required for intrusive profiling…marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.”
The Norwegian DPA also stated in its decision that “the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data…” requiring particular protection.
Grindr had argued that the sharing of general keywords on sexual orientation such as “gay, bi, trans or queer” related to the general description of the app and did not relate to a specific data subject. Consequently, Grindr’s position was that the disclosures to third parties did not reveal sexual orientation within the scope of Article 9 of the GDPR.
Whilst, the Norwegian DPA agreed that Grindr shares keywords on sexual orientations, which are general and describe the app, not a specific data subject, given the use of “the generic words “gay, bi, trans and queer”, it indicates that the data subject belongs to a sexual minority, and to one of these particular sexual orientations.”
The Norwegian DPA found that “by public perception, a Grindr user is presumably gay” and users consider it to be a safe space trusting that their profile will only be visible to other users, who presumably are also members of the LGBTQ+ community. By sharing the information that an individual is a Grindr user, their sexual orientation was inferred merely by that user’s presence on the app. In conjunction with disclosing data regarding the users’ exact GPS location, there was a significant risk that the user would face prejudice and discrimination as a result. Grindr had breached the prohibition on processing special category data, as set out in Article 9, GDPR.
This is potentially the Norwegian DPA’s largest fine to date and a number of aggravating factors justify this, including the substantial financial benefits Grindr profited from as a result of its infringements.
In these circumstances, it was not sufficient for Grindr to argue that the greater restrictions under Article 9 of the GDPR did not apply because it did not explicitly share users’ special category data. The mere disclosure that an individual was a user of the Grindr app was sufficient to infer their sexual orientation.
London - Walbrook
+44 (0)20 7894 6363
Patrick Hill, Hans Allnutt, Eleanor Ludlam
Pilar Rodríguez, Diego Zapatero Méndez, Astrid Hardy, Diana Lopez
Annabel Walker, Imogen Jones, Jonathan Brogden, Alistair Cooper
Eleanor Ludlam, Astrid Hardy
Hans Allnutt, Cameron Carr
Rhiannon Webster, Jade Kowalski, Charlotte Halford, Eleanor Ludlam, Rebecca Morgan