Disqus, Inc. – €2,175,000 Fine (Norway, 2021)

Disqus is an American company owned by Zeta Global. The company offers an online public comment sharing platform, which was previously used by a number of Norwegian online newspapers, and it also engages in programmatic advertising. The Norwegian DPA was made aware of the matter through news articles by the Norwegian National Broadcaster (NRK). According to the NRK, Disqus conducted unlawful tracking of visitors to Norwegian websites using the Disqus plugin. Their data were then disclosed to third party advertising partners. The NRK further wrote that this happened because Disqus was unaware that the GDPR applied in Norway, which Disqus’ parent company Zeta Global confirmed in an interview.[https://www.datatilsynet.no/en/news/2021/intent-to-issue--25-million-fine-to-disqus-inc/] The decision covers a range of topics, but primarily concerns: Does the GDPR apply (material scope)? Can the Norwegian DPA handle the case (territorial scope)? Did the processing have a legal basis pursuant to Article 6 GDPR? Did Disqus provide adequate information concerning their processing of personal data? The Norwegian DPA ('Datatilsynet') found that both the material and territorial scope applied to the processing of personal data, with the DPA having competence to decide the case. Datatilsynet highlighted that Disqus tracked, profiled and shared the personal data of all visitors to the websites implementing the Disqus widget without the users' knowledge, finding a breach of Article 12(1), 13 and 5(1)(a) GDPR. Datatilsynet found that the processing could have been carried out with less invasive means, and did not pass the necessity condition pursuant to Article 6(1)(f) GDPR. In addition, the processing did not pass the balancing test. Datatilsynet highlighted the negative impact of wide-scale profiling, and that Disqus' interest in providing behavioral online marketing are less important compared to the adverse negative effects on the data subjects, and "must weigh significantly