Grindr – Court Ruling (Norway, 2024)

Grindr (the controller) is a location-based social networking app marketed towards the LGBTQ community. The app has an ad-based free version, but users can upgrade to paid subscription versions which include more features and are without ads. In January 2020, the Norwegian Consumer Council together with noyb lodged a complaint with the Norwegian DPA (“Datatilsynet”) against the controller for unlawful sharing of personal data with third parties for marketing purposes. This included GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on the controller's app. Users could be identified through the data shared, and the recipients could potentially further share the data. On 13 December 2021, the DPA fined the controller €6,4 million (NOK 65 million) for disclosing personal data to advertising partners without a valid legal basis, violating Article 6(1) GDPR. Furthermore, the controller violated Article 9(1) GDPR for disclosing special categories of personal data to advertising partners. On 14 February 2022, the controller appealed this decision at the Privacy Appeals Board (“Personvernnemnda”). The Privacy Appeals Board upheld the DPA’s decision. On 27 October 2023, the controller filed a lawsuit against the Privacy Appeals Board at the Oslo District Court (“Oslo tingrett”). The controller argued that the Appeals Board’s decision should be declared invalid or alternatively that the fine should be reduced. Disclosure of special categories of personal data The court held that by providing the App ID, the controller shared information with their advertising partners that a specific user is a user of their app. The court held that by just being a user of the controller’s app, one can draw the conclusion that the user is not heterosexual and thus is covered by sexual relationships and orientation under Article 9(1) GDPR. Thus, the court concluded that the controller disclosed personal data of special categories of personal da