Norway: Intention to fine dating app €9.6 million for GDPR breach

The Norwegian Data Protection Authority (Datatilsynet) yesterday issued an advance notification of a 100 million Norwegian krone (€9,600,000) administrative fine to the dating app Grindr.

The planned fine is a result of a legal complaint filed a year ago by the Norwegian Consumer Council together with noyb and the European Center for Digital Rights.

“This is a milestone in the ongoing work to ensure that consumers’ privacy is protected online. The Data Protection Authority has clearly established that it is unacceptable for companies to collect and share personal data without users’ permission,” declared Finn Myrstad, director of digital policy in the Norwegian Consumer Council. 

The Norwegian Data Protection Authority said that Grindr users were not given sufficient information about how personal data was collected and shared onward with third party advertisers. Consumers had to accept data sharing with third parties in order to use the app. 

According to the DPA, the fine would amount to 10% of Grindr’s global annual turnover. It said the level of the fine reflects the fact that the infringements were intentional and data was shared with up to 160 third parties. Also, the number of data subjects in Norway that were affected is very high, and the type of data shared includes special categories of personal data, such as data concerning sexual orientation. In light of this, the DPA says that “the amount of 100 million NOK seems effective, proportionate and dissuasive.”

Grindr has until 15 February to comment.

See the news (in English) from Norway's DPA and from the Consumer Council.