NDPA vs. Grindr LLC

Is the GDPR enforceable against US companies?

• Arve Føyen

In January 2020, the Norwegian Data Protection Authority (“NDPA”) received three complaints from The Norwegian Consumer Council (“the NCC”) in collaboration with noyb — European Center for Digital Rights, on behalf of a complainant. According to the complaints, Grindr lacked a legal basis for sharing personal data on its users with third party companies when providing advertising in its free version of the Grindr application (“app”). The NCC stated that Grindr shared such data through software development kits (“SDKs”). The NDPA on the 24th January issued an advance notification in which they threatened to impose an administrative fine pursuant to Article 58 (2) (i) GDPR against Grindr LLC of 100,000,000 – one hundred million – NOK for having disclosed personal data to third party advertisers without a legal basis. This according to the NDPA constitutes a violation of Article 6 (1) GDPR and (2) – having disclosed special category personal data to third party advertisers without a valid exemption from the prohibition in Article 9 (1) GDPR. Grinder responded to the draft notification by a 63 page letter 1 from their Norwegian legal counsel on the 8th March 2021. In the response Grindr’s legal counsel defends Grindr stating that no violation of the GDPR has been committed, that no special categories of data have been shared and that Grindr’s arrangements with advertising partners could not “put the data subjects’ fundamental rights and freedoms at risk”. The case now is pending a final decision by the NDPA.