Shinigami Eyes – Violation Found (Norway, 2022)

In 2021, a data subject lodged a complaint with the Norwegian DPA (Datatilsynet) against "Shinigami Eyes" after they had been marked through the application. Shinigami Eyes is a browser addon that highlights transphobic and trans-friendly social network pages and users with different colors. Consequently, the DPA launched an investigation and sent a request for information to the developer of the extension, who failed to reply. The DPA sent several requests and reminders and, finally, an advance notification of a decision, but the developer never replied back. The data subject, however, provided further comments to the complaint and, following this, the DPA found that they had enough information to be able to issue a final decision. First, the DPA assessed the territorial scope of the GDPR. They were not able to identify an “establishment” of Shinigami Eyes within the EEA as per Article 3(1) GDPR, but found that the GDPR is applicable to their processing activities as per Article 3(2)(b) GDPR - monitoring data subjects' activities. Second, the DPA assessed the material scope and found that Shinigami Eyes processes several types of personal data as per Article 4(1) GDPR, including the name or online identifier of social network users, their posts/behaviour and the color indicating whether they are transphobic or trans-friendly. Third, the DPA found that Shinigami Eyes is the controller for this processing as they determine the purpose of the extension, as well as the means to be utilised and implemented. Next, the DPA assessed the lawful basis of the processing. As they never got a reply from the controller, the DPA considered this themselves and found legitimate interest as per Article 6(1)(f) to be the most prospective legal basis. First, the DPA assessed the condition of “legitimate interest” and concluded that the controller indeed has such an interest, as they claim to want to protect people from harm, like discrimination. Second, the DPA assessed whether