The Norwegian data protection authority plans to fine the dating app Grindr €9.6 million for sharing personal data with advertising/data firms like MoPub, Xandr and OpenX without a GDPR legal basis, more than 10% of its assumed annual turnover of "at least" $100m.

This is huge.
Here's the 28-page draft decision, a must-read for every mobile app publisher:
datatilsynet.no/contentassets/…
This is the result of our 2019 investigation of mobile data/adtech, led by the Norwegian Consumer Council.

App vendors are responsible for data sharing with third parties. The decision has the potential to change how apps share data across the ecosystem.
According to the Norwegian DPA, Grindr processed special category data without a legal basis by disclosing "personal data linked with the app name or the keywords 'gay, bi, trans and queer' to advertising partners". But special category data is not the main issue in the decision.
The main issue is that "Grindr failed to comply with Article 6(1) when disclosing personal data of its users with third party advertisers". It generally didn't have a legal basis to share data with them, because consent was not:

- freely given
- specific
- informed
- unambiguous
I think, if EU authorities were to strictly enforce freely given, specific and informed consent, many users would *not* consent to extensive personal data sharing with a large number of third parties.

Yes, that may make it impossible to get consent for certain practices at scale.
The Norwegian DPA acknowledges that focusing on consent is not enough. There may be other GDPR issues which may be investigated later.

In any case, there are other GDPR complaints against the companies who received personal data from Grindr. I hope we'll see more decisions soon.
I and others believe that the way digital advertising currently works systematically violates the GDPR and cannot be compliant, consent or not.

As soon as personal data enters the "real-time bidding" sphere, all the companies involved lose control.
There are some details in the Norwegian DPA's decision that point in that direction.

They state that Grindr did not implement GDPR "technical and organizational measures" to secure the data shared with advertising/data firms. Grindr "lacked control" of data flows and recipients.
Also, data sharing opt-out via smartphone OS settings or at third-party sites is clearly not enough:

"Grindr would have to rely on the action of others …to halt its sharing of data where so required … Grindr failed to control and take responsibility for their own data sharing"
The Norwegian DPA makes several arguments for imposing a fine on Grindr.

For example, they found that the GDPR infringements were 'intentional', and that 'Grindr must have gained financial benefits from the infringements'.

("advertising partners presumably profited", too)
And yep, apart from the fine:

1) "We now expect Grindr to ensure that any personal data that was illegally collected and shared with third party companies is deleted" (forbrukerradet.no/news-in-englis…)

2) Even more important: obligations for future personal data processing/sharing.

More from @WolfieChristl

19 Jan
That public bodies - here the State of Upper Austria - cannot even manage a page as sensitive as the vaccination registration form without transferring data to Google (including forced "consent") is really a declaration of bankruptcy. land-oberoesterreich.gv.at/files/covid19i…
According to the privacy policy, this is about Google reCaptcha, a service meant to protect the registration form against bots, manipulation etc:
land-oberoesterreich.gv.at/files/covid19i…

But reCaptcha is very data-intensive and intransparent. There are alternatives. If those aren't sufficient, we need some that are.
When I open the page, all kinds of things are transmitted to Google, some of it stored in cookies, including the "_ga" cookie. I'd say there is quite a bit of personal data in there that goes well beyond the IP address.

(the form contents are not transmitted to Google)
19 Jan
#psd2

How it started / How it's going
"The PSD2 'Open Banking' regulation has forced banks to open up consumer data via APIs..."

...so that companies can now exploit yet another category of personal information - bank transaction data - for marketing surveillance (and credit assessment etc).
rippll.com/index#open
I disagree. Practically, most people won't get "power over their banking data". In most cases, predatory data and fintech companies will get power over their banking data.
19 Jan
"Several large data brokers and adtech companies are still reselling data on millions from shady sources. They must urgently clean up their data supply chain, and they must be held responsible"

Amazon resold location data secretly gathered via mobile apps vice.com/en/article/epd…
Amazon resold "granular location data from X-Mode, a controversial firm that collected at least some of its data without informed consent. X-Mode, whose customers include U.S. military contractors, obtained data from Muslim Pro…"

AWS marketplace listing:
web.archive.org/web/2020051317…
"Motherboard first contacted AWS ... at the start of January and did not receive a response. Some time later, the listings were removed ... It is not clear whether AWS itself removed them or whether X-Mode did ... Neither company responded to multiple requests for comment"
15 Jan
Regardless of the announced update, what kind of personal information does Whatsapp currently share with FB, according to its website?

- account+device info
- transaction data
- service-related information
- information on how you interact with others

Basically, all metadata.
Personal data Whatsapp shares with Facebook "may include other information identified in the Privacy Policy section entitled ‘Information We Collect’ or obtained upon notice to you or based on your consent"

Upon 'notice'?

Current non-EU privacy policy:
whatsapp.com/legal/updates/…
According to the current privacy policy for non-EU users, Facebook may use Whatsapp (meta)data for all kinds of extensive digital profiling including for "product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads".
14 Jan
This acquisition shouldn't have happened.
It may not primarily be about past body/health data.

But in addition to Fitbit's hw/sw/brand/workforce, it's about ongoing access to future device data and taking control over user+b2b relationships in order to expand Google/Alphabet's intermediary/healthcare/insurance business.
6 Jan
Austrian telco A1, with 25 million customers in Austria, Bulgaria, Croatia, Slovenia, Serbia, North Macedonia and Belarus, announces it will sell 'insights into the movement of people' based on 'aggregate' and 'anonymized' location data via @here's data marketplace:
here.com/sites/g/files/…
Exploiting the pandemic to expand on commercial location data business, great.

"Our analytics product, A1 Mobility Insights, has already proven itself to be considerably helpful during the current coronavirus crisis. By joining the HERE Marketplace, we can go a step further"
'A1 Mobility Insights' is provided together with invenium.io. According to the FAQ, A1 'replaces' IMSI numbers with daily changing 'random IDs' before sharing data with Invenium.

This would still mean they process (pseudonymous) personal data.
invenium.io/de/blog/2020-1…