The Norwegian data protection agency on Tuesday announced its intention to fine gay dating app Grindr €10 million for violations of Europe’s data protection code, the GDPR.
Campaigning groups including the Norwegian Consumer Council and Austrian activist Max Schrems-fronted noyb.eu filed complaints against Grindr in early 2020, accusing the app of illegally sharing user data with ad companies.
In a statement Tuesday, Norway’s data agency, known as Datatilsynet, largely upheld those complaints, announcing its intention to slap the dating app with a €10-million fine for collecting “invalid consent” to share data.
“Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection,” said Bjørn Erik Thon, Datatilsynet’s director-general, in the statement.
Finn Myrstad of the Norwegian Consumer Council described the proposed penalty as a “milestone.”
“This not only sets limits for Grindr but establishes strict legal requirements on a whole industry that profits from collecting and sharing information about our preferences, location, purchases, physical and mental health, sexual orientation, and political views,” Myrstad said in a statement.
The proposed fine, which Grindr has until February 15 to respond to, would represent around 10 percent of the company’s annual turnover according to Datatilsynet. Under the GDPR, companies can be fined up to 4 percent of their annual turnover or €20 million, whichever is higher.
Speaking to POLITICO by phone Tuesday morning, Datatilsynet’s Tobias Judin said that while not final, it was unlikely that there would be much change to the fine. “We feel we have a good understanding of the facts of the case, and we have already asked them questions as part of the process,” he said.
Norway was able to act directly against Grindr because it does not have a legal establishment in Europe. Under a European mechanism known as the one-stop-shop, the data regulator in the country where a company has its legal establishment must take the lead on investigations.
Datatilsynet is also investigating five of Grindr’s commercial partners that were also targeted by the complaints. Of those, one has been passed to a German regulator under the one-stop-shop, and another — a Twitter subsidiary — may be passed to the Irish regulator.
Grindr did not immediately respond to a request for comment.