Wednesday, 22 December 2021

Invalid consent and illegal sharing of sensitive data - € 6.5 million fine imposed by the Norwegian DPA on Grindr LLC

The General Data Protection Regulation sets out what appear to be quite strict requirements for consent as a legal basis for the processing of personal data. But even clear-cut conditions (which, admittedly, are not always easy to meet) will not force or encourage data controllers to adopt fully compliant practices, especially when commercial interests are at stake. This time Grindr, the world's largest dating app for the LGBTQ+ community, came under scrutiny. Last week the Norwegian Data Protection Authority imposed a fine of approximately € 6.5 million for several GDPR breaches.

The main problem concerned the consent mechanism employed in the application. Grindr implemented a model in which, while registering, a user was only asked whether to "Cancel" or "Accept" the privacy policy. If the "Cancel" button was chosen, the data subject could not use the app. What is more, users were not asked separately whether they wanted to consent to the sharing of their personal data with Grindr's partners for marketing purposes. They were forced to accept the policy in its entirety in order to use the app - a classic "take it or leave it" situation. Besides, the length of the privacy policy and the variety of information contained therein made it even more difficult to get acquainted with all relevant issues and to give a "freely given, specific, informed and unambiguous" agreement to the processing (see: Art. 4(11) of the GDPR). Therefore, in the DPA's view, Grindr did not collect valid consent:

"Where the controller has several different purposes for processing personal data, and it does not allow for separate consents to be given, there is a lack of freedom and control for the data subject. If the data subject cannot identify and opt in to the processing purposes for which the data subject wishes to give his or her consent […] there is no genuine free choice or control." (See: pp. 17-18 of the decision).

The DPA also underlined that in the case at hand the provision of behavioural advertising was not an essential part of the service, and was definitely not the reason why data subjects used the app. Therefore the user's consent cannot be regarded as "freely given", even if - as Grindr argued - data subjects were informed how to opt out of data sharing with third parties. According to the GDPR, consent should take the form of a statement or a clear affirmative action, and there is no doubt that an opt-out model does not fulfil this condition.

Last but not least, in the EU it is generally forbidden to process special categories of data, the so-called "sensitive data". Information on sexual orientation is considered sensitive (as indicated in Article 9(1) of the GDPR) and as such enjoys a higher standard of protection. In order to process sensitive data a controller must rely on one of the legal bases stipulated in Article 9(2) of the GDPR. Since Grindr did not collect consent for the processing lawfully, it could not lawfully share the data.

It is not the first and certainly not the last case in which a consent mechanism turns out to be far from exemplary. Just for the record - the issue of consent validity in the context of cookies was examined, inter alia, by the Court of Justice in the Planet49 case (C-673/17; reported on this blog here). Despite clear rules on consent as a legal basis for processing, many controllers still look for new ways to optimise the process of obtaining user consent. Some of them, consciously or not, settle for collecting consent in a manner not necessarily consistent with the GDPR. Others try to mislead data subjects by suggesting in their privacy policies or cookie banners, usually in the first information layer, that no consent to the processing of personal data is given by default, while in fact the processing takes place on the basis of the controller's legitimate interests. What other practices will emerge in the future? We do not know yet, but will keep an eye on them.

Friday, 17 December 2021

To a HEALTHY 2022 - CJEU in Pro Rauchfrei (C-370/20) on tobacco labelling

This is another year in which we are likely to wish each other good health throughout 2022. Interestingly, on December 9 the CJEU issued a judgment in the Pro Rauchfrei case (C-370/20), pertaining to the labelling of cigarettes, which, as we know, is strictly regulated in order to protect consumer health.

Certain automatic vending machines for cigarette packets in use in German supermarkets did not clearly present these packets to consumers. This meant that while the buttons on the machine identified the various brands, their graphical representation, etc., they did not display the health warnings that are mandated for the cigarette packets themselves. As the packet selected by the consumer would be sent immediately to the checkout conveyor belt, consumers might not have it in their hands until after they had paid for the product.

It is Directive 2014/40/EU that requires a clear display of health warnings on cigarette packets. Its Article 8(8) also requires that all 'images of unit packets' must display such health warnings. In this judgment the CJEU finds that, following the everyday meaning of the word 'image', this requirement is not limited to faithful depictions of unit packets of tobacco products (para 24). A design also falls within the scope of this provision when consumers associate it with the tobacco product due to its proportions, colour, outline and brand logo (para 31). It is for the referring national court, though, to determine whether the images of cigarette brands displayed on the selection buttons of the automatic vending machines constituted such images. The discretion granted to national courts seems illusory, however, as it is difficult to see how this could not be the case.

Even if the consumer had a chance to see the health warnings on the packet of cigarettes before purchasing it, e.g. if the packet was handed out to consumers prior to the purchase being made, this would not make the display of an 'image of unit packets' without health warnings compliant with the Directive (para 36).

This is an interesting case on labelling requirements and on the possibility of interpreting the notion of an 'image' broadly, which may come in handy in other case law on the transparency of visual information notices.

(Not)Dashing through the snow - AG Athanasios Rantos on delayed flights in United Airlines (C-561/20)

On December 9, AG Athanasios Rantos issued an opinion in the case United Airlines (C-561/20), which concerned the interpretation of Articles 5 and 7 of Regulation 261/2004 on air passenger rights. This is another case concerning a delayed connecting flight, through which airlines try to limit their obligation under the Regulation to pay compensation to passengers affected by such a delay.

In this particular case, passengers were travelling from Brussels (Belgium) to San José International Airport (the US) via Newark International (the US). One reservation was made for these flights with the Community air carrier, German Lufthansa. However, both flights were operated by United Airlines, a non-Community carrier. Due to a technical defect of the aircraft, the second, connecting flight was delayed.

United Airlines refused to pay compensation, invoking the fact that the delay occurred during the second leg of the journey, on a flight between two airports in the US, and that it was not a Community carrier.

Unsurprisingly, following the previous case law of the CJEU (e.g. Wegener, C-537/17, see more here, and Ceske aerolinie, C-502/18, see more here), AG Athanasios Rantos finds that passengers are due compensation: where within a series of connecting flights the delay occurs is irrelevant, as long as one reservation has been made for the flights, which, treated as one unit, fall within the scope of application of the Regulation. The slight difference in this case is that the passengers want to claim compensation from a non-Community air carrier; however, AG Athanasios Rantos does not consider this an issue, given the uncontested fact that United Airlines was the operating air carrier on these flights (para 52).

Three new guidance notices for Christmas

The European Commission has been busy in the past months, and this has resulted, amongst other things, in the publication of three new guidance notices, concerning respectively the interpretation of the Unfair Commercial Practices Directive, the Consumer Rights Directive and the Price Indication Directive. It will take some time to go through the hundreds of pages provided in these documents, but it is good to see at a glance that many of the current questions raised by digitalisation are being tackled (such as personalised pricing and influencer marketing), and that the UCPD guidance contains some paragraphs dealing with environmental claims.

All three documents may be found here.

Friday, 3 December 2021

Consumer organisations may bring proceedings to defend collective interests of consumers based on the GDPR, if national law so states: AG opinion in C-319/20, Facebook Ireland

Yesterday Advocate General Richard de la Tour delivered his opinion in case C-319/20, Facebook Ireland, considering whether consumer organisations can have standing to bring judicial proceedings against infringements of the General Data Protection Regulation 2016/679, independently of actual infringements of data subjects' rights. Arguably, the importance of the case goes beyond its procedural dimension (not least due to Directive 2020/1828 on representative actions, which elaborates on the enforcement framework, including for the GDPR). In the expert report published by BEUC earlier this year, the case was highlighted as a possible "game changer" for the relationship between consumer and data protection law (see also: New study on consumer protection in the digital age...). The direction of the AG's opinion is likely to be welcomed in the consumer protection community.

Facts of the case

The case involves a number of data processing practices identified by the German federation of consumer organisations (vzbv) on the Facebook platform back in 2012. Most notably, the federation argued that the information about the processing of personal data in connection with third-party apps available in Facebook's App Centre failed to meet the applicable requirements. German courts generally agreed that the federation had a point on the merits. However, following the entry into force of the GDPR, a doubt was raised as to whether the federation continued to have standing in cases involving violations of data subjects' rights, independently of specific infringements.

Opinion of the AG

Standing of consumer organisations

Does the problem sound familiar? That's because it is. A similar question was considered by the CJEU in 2019, in the context of the previously applicable Data Protection Directive (FashionID case). Back then the Court rejected the argument that consumer organisations should not be entitled to bring claims under data protection rules. According to the AG, this has not changed after the entry into force of the GDPR; quite the contrary, the regulation explicitly provides for collective redress, and nothing in Article 80(2) of the act implies that an organisation can only bring proceedings if particular persons affected by the processing have been identified.

The conclusion reached by the AG in respect of the GDPR appears to be well-founded. The reasoning relies on literal, systematic and teleological interpretation alike. The AG refers first to the definition of the parties entitled to bring representative actions under Article 80 of the GDPR. According to the AG, that definition extends to "all entities which pursue an objective in the public interest that is connected with the protection of personal data", which also covers consumer protection associations (para. 61). As regards the further conditions for bringing representative actions, the AG found it sufficient for an entity to demonstrate "an infringement of the provisions of Regulation 2016/679 designed to protect the subjective rights of data subjects", without the need to verify whether the rights of one or more specific persons have been infringed (para. 63). In addition, arguments concerning the effectiveness of the GDPR, its consistency with Directive 2020/1828, and a high level of protection of personal data are cited.

Two broader points

Aside from the above, two further aspects of the opinion merit attention. Firstly, the AG considers the "particular characteristics" of the GDPR as a regulation and connects it to discussions on full harmonisation. The AG notes that while the GDPR "seems, at first sight, to tend towards full harmonisation ... the truth is more complex" (paras. 50-51). According to the AG:

"[T]he legal basis of Regulation 2016/679, namely Article 16 TFEU, precludes the view that in adopting that regulation the European Union would have pre-empted all the ramifications which the protection of personal data may have in other areas relating, in particular, to employment law, competition law or even consumer law, by depriving Member States of the possibility of adopting specific rules in those areas, more or less independently, depending on whether the area in question is governed by EU law. In that sense, although the protection of personal data is by nature cross-sectoral, the harmonisation implemented by Regulation 2016/679 is limited to the aspects specifically covered by that regulation in that area. Apart from those aspects, the Member States remain free to legislate, provided that they do not undermine the content and the objectives of that regulation." (para. 51)

One can wonder to what extent the above finding depends on the legal basis chosen. This is particularly important in the context of ongoing legislative developments at EU level which likewise take the form of regulations but are based on Article 114 TFEU. A prominent case in point is the proposed Artificial Intelligence Act, as is the more recent proposal on political targeting. Arguably, doubts about the Member States' discretion can best be resolved by way of careful drafting that makes adequate use of 'opening clauses'.

Secondly, the opinion touches upon the broader relationship between consumer and data protection law. The AG admits that "unlike ... in the United States of America, in EU law the regulations relating to unfair commercial practices and those relating to the protection of personal data have developed separately" and "are thus the subject of different regulatory frameworks" (para. 79). The opinion further observes that, unlike EU consumer law, the GDPR "is not based on a consumerist concept of the protection of natural persons in relation to the processing of personal data, but on the concept that that protection is ... a fundamental right" (para. 82). A number of important connections between consumer and data protection law are nonetheless recognised, as the following passages illustrate:

"[T]here is some interaction between the two areas, so that actions falling within the framework of the regulations relating to the protection of personal data may, at the same time and indirectly, contribute to putting an end to an unfair commercial practice. The opposite is also true." (para. 80)

"[I]n the age of the digital economy, data subjects often have the capacity of consumers. It is for that reason that the rules designed to protect consumers are often relied on to ensure that consumers are protected against a processing of their personal data that is contrary to the provisions of Regulation 2016/679." (para. 83)

and finally

"[T]here may be an overlap between the representative action provided for in Article 80(2) of Regulation 2016/679 and that provided for in Directive 2020/1828 in order to obtain injunctive relief when ‘data subjects’, within the meaning of that regulation, also have the capacity of ‘consumer’, within the meaning of Article 3(1) of that directive. I see there the sign of complementarity and convergence of the law relating to the protection of personal data with other areas of law, such as consumer law and competition law. With the adoption of that directive, the EU legislature went even further and expressly linked the protection of the collective interests of consumers with compliance with Regulation 2016/679. The effective application of the rules contained in that regulation cannot but be strengthened as a result." (para. 83)

Concluding thought

Overall, the AG not only speaks out in favour of consumer organisations' standing in cases involving data protection violations, but also supports a close relationship between consumer and data protection law. Arguably, the two fields can also be aligned conceptually and, indeed, complement each other in attaining a high level of consumer and data protection. A judgment endorsing the AG's point of view would thus be very welcome.