Invalid consent and illegal sharing of sensitive data - € 6.5 million fine imposed by the Norwegian DPA on Grindr LLC

It would seem that quite strict requirements have been indicated in the General Data Protection Regulation in relation to consent as a legal basis for personal data processing. But even clear-cut conditions (indeed - not always easy to meet) will not force or encourage data controllers to adopt fully compliant practices, especially when the commercial interests are at stake. This time under scrutiny was Grindr - the world’s largest dating app for LGBTQ+ community. Last week the Norwegian Data Protection Authority imposed approximately € 6.5 million fine for several GDPR breaches. 

The main problem concerned the consent mechanism employed in the application. Grindr implemented a model where a user was only asked whether he or she „Cancel” or „Accept” the privacy policy while registering. If the „Cancel” button was chosen, the data subject could not use the app. What is more, users were not asked separately if they wanted to consent to the sharing of their personal data with Grindr’s partners for marketing purposes. They were forced to accept the policy in its entirety in order to use the app - a classical "take it or leave it" situation. And besides, the length of the privacy policy and the variety of information contained therein made it even more difficult to get acquainted with all relevant issues and make a "freely given, specific, informed and unambiguous" agreement to the processing (see: Art. 4(11) of the GDPR). Therefore in the DPA’s view Grindr did not collect valid consent:

"Where the controller has several different purposes for processing personal data, and it does not allow for separate consents to be given, there is a lack of freedom and control for the data subject. If the data subject cannot identify and opt in to the processing purposes for which the data subject wishes to give his or her consent […] there is no genuine free choice or control."(See: pp.17-18 of the decision). 

The DPA underlined also that in the case at hand the provision of behavioural advertisement was not an essential part of the service, and definitely was not the reason why data subjects used the app. Therefore user’s consent cannot be regarded as „freely given”, even if - as Grindr argued - data subjects were informed how to opt-out from data sharing with third parties. However, according to the GDPR, consent should take the form of a statement or a clear affirmative action. There is no doubt that opt-out model does not fulfill this condition. 

The last but not least, in the EU it is generally forbidden to process special categories of data, so called „sensitive data”. Information on sexual orientation is considered as sensitive (as indicated in Article 9(1) of the GDPR) and as such it enjoys a higher standard of protection. In order to process sensitive data a controller must rely on one of the legal basis stipulated in Article 9(2) of the GDPR. Since Grindr did not collect the consents for processing lawfully, it could not lawfully share the data. 

It is not the first and certainly not the last case where the consent mechanism turns out to be far from exemplary. Just for the record - the issue of consent validity in the context of cookies was examined, inter alia, by the Court of Justice in the Planet49 case (C-673/17; reported on this blog here). Despite clear rules referring to the consent as a legal basis for processing, many controllers still look for new ways to optimize the process of obtaining user consents. Some of them accept, consciously or not, to collect consents not necessarily in a manner consistent with the GDPR. Others try to mislead data subjects by showing in their privacy policies or cookie banners, usually in the first information layer, that there is no consent for processing of personal data by default, while in fact the processing takes place on the basis of the legitimate interests of the controller. What other practices will emerge in the future? We do not know yet, but will keep an eye on them.

Two opinions of AG Szpunar on the right to be forgotten

Last week also brought new developments regarding the interpretation of the right to be forgotten - a widely discussed right of data subjects developed by the Court of Justice in its earlier jurisprudence (see our 2014 post Google as data controller...). More specifically, Advocate-General Szpunar delivered his opinions in the two pending cases: C-136/17 G.C. and Others v CNIL and C-507/17 Google v CNIL. Just like Google Spain, both cases relate to Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (and not yet the General Data Protection Regulation). Both are also concerned with the scope of search engine operators' obligation to respond to de-referencing requests by data subjects. 

Background of the cases

Both references of the French Conseil d’État pertained to disputed decisions of the national data protection authority (Commission for Information Technology and Civil Liberties, CNIL). The setting of each case was nevertheless quite different. In C-136/17 the CNIL refused to take measures against Google for failing to de-reference various links from search results and the affected data subjects complained about inaction. In C-507/17, by contrast, the search engine provider contested the sanctions imposed by the authority.

AG's opinions

The opinions presented last Thursday by the Advocate-General Szpunar shed light on several important aspects of the right to be forgotten: 1) the role of search engine operators in relation to sensitive data, 2) the nature of the respective obligation to respond to de-referencing requests, and 3) territorial reach of required de-referencing measures.

Processing sensitive data by search engine operators

As readers may recall, one of the controversial elements of the 2014 Google Spain judgment was the qualification of search engine operators as data controllers. This implied that the processing of personal data in the course of relevant activities needed to be authorized under one of the legal bases set out in the Directive. While the broader implications of this finding may not have been immediately apparent in the case of non-sensitive data, the picture became more complex as soon as special categories of data (e.g. about religious or philosophical beliefs) came into play. One of the questions asked in G.C. and Others was thus whether the prohibition of processing data falling within certain specific categories also applied to search engine operators.

The Advocate-General sought a balanced solution. He essentially replied in the affirmative, but observed that specific responsibilities, powers and capabilities of search engine operators should be taken into account as part of the interpretation. In particular, it was recognized that the processing carried out by such entities is secondary in its nature (an argument Google already tried to advance in the 2014 case). Hence, according to the AG, prohibitions and restrictions set out in the Data Protection Directive could only apply to an operator of search engine by reason of his referencing activities (searching, finding and making information available in an efficient way). Ex ante control of referenced web pages, which - so the AG - is covered neither by the responsibility, nor by capabilities of search engine providers, should therefore be excluded. Consequently, also with respect to sensitive categories of data, the primary focus remains on ex post verification of de-referencing requests, which was the subject of remaining questions.

Systematic de-referencing

In respect to the search engine operator's de-referencing duty (as a correlate of data subject's right to be forgotten), the Advocate-General first considered whether search engine operators are obliged to systematically de-reference web pages on which sensitive data appear, as soon as the absence of a legal ground for the processing is established. This matter appears to have divided the intervening parties and certainly needs to be looked at in more detail after all language versions of the opinion are available. For the time being, it suffices to report that, in view of the AG, an operator of a search engine should generally be required to accede, as a matter of course (i.e. without regard to elements other than the lack of legal ground), to requests for de-referencing relating to web pages on which sensitive data appear, subject to limited exceptions provided for in Article 8. Notably, however, if the contested processing of personal data falls within the scope of Article 9 of Directive 95/46, i.e. when the processing is carried out solely for journalistic, artistic or literary purposes, a balancing exercise can be required, possibly resulting in the refusal of de-referencing requests.

Territorial scope

The second of the discussed cases, Google v CNIL, dealt with the territorial scope of de-referencing measures. By way of illustration: in case of a request from a French data subject, should Google only deactivate links on Google.fr, on all EU domains, or on all worldwide domains? Or perhaps such de-referencing should (also) depend on the location from which the search is performed (assessed based on the IP address)? It this respect, the AG decided to put limits on the CNIL's extraterritorial ambitions. In particular, he insisted that search requests made outside the EU should not be affected by the de-referencing of search results. A different (broader) interpretation could, in view of the AG, create significant limitations in access to information, and as such should be approached with caution. Considering the facts of the case, worldwide de-referencing duty did not appear justified.

When it comes to the EU, however, the Advocate-General came out in favour of a rather broad territorial scope of de-referencing. Specifically, according to the opinion, once a right to be forgotten within the EU has been established, the search engine operator should take all measures available to it to ensure full and effective de-referencing within the EU, including by use of ‘geo-blocking’ in respect of an IP address located in the EU, irrespective of the domain name used by the internet user.

Concluding thought

The opinions of the Advocate-General come at a time of a heated debate about the application of the European data protection framework following its recent reform. Both the right to be forgotten and the territorial scope of act have been exhaustively discussed in the legislative process leading to the adoption of the GDPR. As usual, the judgment of the Court of Justice is awaited with interest. This time, however, it will reveal not only whether the CoJ shares the view of its advisor, but also to what extent the interpretation eventually provided affects the framework applicable today.