The Norwegian data protection authority plans to fine the dating app Grindr €9.6 million for sharing personal data with advertising/data firms like MoPub, Xandr and OpenX without a GDPR legal basis, more than 10% of its assumed annual turnover of "at least" $100m.

This is huge.
This is the result of our 2019 investigation of mobile data/adtech, led by the Norwegian Consumer Council.

App vendors are responsible for data sharing with third parties. The decision has the potential to change how apps share data across the ecosystem. https://twitter.com/WolfieChristl/status/1217044420018786304
According to the Norwegian DPA, Grindr processed special category data without a legal basis by disclosing "personal data linked with the app name or the keywords 'gay, bi, trans and queer' to advertising partners". But special category data is not the main issue in the decision.
The main issue is that "Grindr failed to comply with Article 6(1) when disclosing personal data of its users with third party advertisers". It generally didn't have a legal basis to share data with them, because consent was not:

- freely given
- specific
- informed
- unambiguous

I think if EU authorities strictly enforced freely given, specific and informed consent, many users would *not* consent to extensive personal data sharing with a large number of third parties.

Yes, that may make it impossible to get consent for certain practices at scale.
The Norwegian DPA acknowledges that focusing on consent is not enough. There may be other GDPR issues which may be investigated later.

In any case, there are other GDPR complaints against the companies who received personal data from Grindr. I hope we'll see more decisions soon.
I and others believe that the way digital advertising currently works systematically violates the GDPR and cannot be compliant, consent or not.

As soon as personal data enters the "real-time bidding" sphere, all the companies involved lose control:
https://twitter.com/WolfieChristl/status/1337409116470472704
There are some details in the Norwegian DPA's decision that point in that direction.

They state that Grindr did not implement GDPR "technical and organizational measures" to secure the data shared with advertising/data firms. Grindr "lacked control" of data flows and recipients.
Also, data sharing opt-out via smartphone OS settings or at third-party sites is clearly not enough:

"Grindr would have to rely on the action of others … to halt its sharing of data where so required … Grindr failed to control and take responsibility for their own data sharing"
The Norwegian DPA makes several arguments for imposing a fine on Grindr.

For example, they found that the GDPR infringements were 'intentional', and that 'Grindr must have gained financial benefits from the infringements'.

("advertising partners presumably profited", too)
You can follow @WolfieChristl.