See below for the latest Data Blast from our Legal team: Dating app Grindr faces fine of 10% of annual global turnover; ICO seeking answers from Facebook over sharing of WhatsApp data; ICO investigation into online advertising is set to proceed; Npower forced to shut down app after data breach.

Norwegian DPA fines Grindr for illegal disclosure of user data

On 26 January 2021, the Norwegian data protection authority (DPA) announced plans to fine dating app Grindr 100 million Norwegian crowns (£8.3 million) for illegally disclosing user data to advertising companies.

California-based Grindr, a social networking app for the gay, bisexual, transgender and queer community, has stated that the allegations raised by the Norwegian DPA date back to 2018, and no longer accurately represent the company’s data protection practices and privacy policy. The DPA gave Grindr until 15 February to provide a response to the allegations, and is now considering their final decision.

The Norwegian DPA’s investigation stemmed from a complaint made by the Norwegian Consumer Council (NCC), which alleged that Grindr shared user data, including user IP addresses, GPS locations, age and gender, with third-party advertisers. A statement by the DPA explains that ‘our preliminary conclusion is that the breaches are very severe’ and that the proposed fine ‘will constitute approximately 10% of the company’s turnover.’ The General Data Protection Regulation (GDPR) provides for fines of up to €10 million or 4% of a company’s global annual turnover, whichever is higher. Recent widely publicised GDPR fines have been imposed upon larger organisations and measured against the 4% annual turnover threshold; the proposed fine by the Norwegian DPA highlights that organisations with a relatively lower global turnover can face proportionally significantly higher fines for serious breaches.

While not a member state of the European Union, Norway is part of the European Economic Area (EEA), and is thus subject to the GDPR. The Norwegian DPA has stated that the consent relied upon by Grindr in sharing user data was invalid, as it was not unambiguous, informed and freely given, as required under the GDPR. The DPA’s statement explains that the investigation focused on the consent mechanism applicable until April 2020, and that they have not assessed whether subsequent changes are GDPR compliant.

Grindr has suggested that it now relies on the GDPR’s legitimate interest legal basis for disclosing user data to third-party advertisers. It has been noted, however, that Grindr’s position is at odds with the Norwegian DPA’s stated position that ‘any extensive disclosure for the purposes of marketing should be based on the data subject’s consent.’ We shall report further as the enforcement action against Grindr progresses.

UK ICO to write to WhatsApp concerning Facebook data sharing

On 26 January, the UK Information Commissioner’s Office (ICO) announced that it plans to write to WhatsApp to demand that the messaging app not share user data with Facebook. The announcement follows widespread media coverage of changes to WhatsApp’s terms of service, which reportedly caused a surge in the use of competing services such as Signal and Telegram.

In addressing a parliamentary committee, Information Commissioner Elizabeth Denham stated that in 2017 WhatsApp had committed not to share user data with Facebook until it could show that doing so was consistent with the principles of the GDPR. The Commissioner explained that the agreement was enforced by the Irish DPA up until the end of the Brexit transition period on 1 January 2021, and that ensuring WhatsApp’s commitment continues to be upheld now falls within the remit of the ICO.

When asked by the committee chair of the Digital, Culture, Media and Sports sub-committee on online harms and disinformation whether a more recent agreement had been made with WhatsApp since 2017, Denham confirmed that there was no such agreement.

In July 2020, WhatsApp announced plans to implement a new privacy policy for its users, with roll-out set for February 2021, but following public concern this plan has now been pushed back until summer 2021.

Similar inquiries regarding Facebook’s sharing of WhatsApp user data are being made in other jurisdictions, including in South Africa, where the South African Information Regulation has stated that any such data sharing will require the regulator’s prior authorisation in accordance with the country’s data protection laws.

UK ICO reopens investigation into real-time bidding

On 22 January, UK ICO Deputy Commissioner for Regulatory Innovation and Technology, Simon McDougall, announced that the ICO was reopening an investigation into real-time bidding (RTB) and the advertising technology industry; that investigation had been paused with the advent of the COVID 19 pandemic.

RTB refers to the buying and selling of online ad impressions through real-time auctions that occur during the time that a webpage is loading. These auctions are often facilitated through ad exchanges.

McDougall explained in a statement that ‘the complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.’ Furthermore, the ICO is concerned about the security and data retention issues around the sharing of personal data with potentially hundreds of companies, without properly assessing and addressing the risk of such counterparties.

The ICO’s investigation will be carried out through a series of audits focusing on data management platforms, in order to understand better the state of the industry, and it is anticipated that assessment notices may be issued to specific companies in the coming months. It was also announced that the investigation will involve reviewing the role of data brokers in the adtech space more generally.

McDougall concluded by noting that ‘all organisations operating in the adtech space should be assessing how they use personal data as a matter of urgency. We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing – particularly in respect of consent, legitimate interests, data protection by design and data protection impact assessments.’

Npower shutters app due to data breach

On 25 February, UK gas and electricity provider Npower Limited (‘Npower’) closed down its app following an attack by hackers which exposed customer personal data.

In a statement on their website, Npower explained that customer accounts were accessed using login data from other websites, a technique known as ‘credential stuffing.’ The company did not immediately confirm how many accounts were accessed, but confirmed that not all accounts were affected, and that those individuals who were affected have been contacted and their accounts locked. Npower explained that affected users have been encouraged to change their passwords, both for the app as well as other services for which they used that same password.

The data exposed during the breach includes customer contact details, dates of birth, and addresses, as well as partial financial information including sort codes and the final four digits of customer bank account numbers, but not full account numbers.

Npower has not confirmed when the breach occurred, though it has been reported that Npower informed certain users of unauthorised access to their accounts on 2 February, but has informed the UK ICO. It is speculated that the app will not be relaunched, as it was reportedly due to be wound down following Npower’s acquisition by Eon.

For more information please contact Partner, James Tumbridge at jtumbridge@vennershipley.co.uk.