In a decision dated 13 December 2021, the Norwegian data protection supervisory authority (Datatilsynet) imposed a fine of about EUR 6.5 million on the provider of the app “Grindr” for violations of the General Data Protection Regulation (GDPR). The case is a prime example of the consequences of insufficient consideration of data protection requirements in product development.
Data protection violations at “Grindr”
The Norwegian data protection supervisory authority based its decision to impose a fine on the unlawful disclosure of personal data for the purpose of behavioural advertising. The authority explained that the users of “Grindr” are almost exclusively from the LGBTQ+ community, so the mere fact that a person uses the app already reveals information about that person’s sexual orientation. The authority therefore took the view that data indicating use of “Grindr” falls under Article 9(1) GDPR and may only be processed for advertising purposes with the express consent of the data subject. In the authority’s view, a user’s acceptance of general data protection provisions does not satisfy this requirement. When assessing the fine, the authority took into account not only the size and financial situation of the app provider but also the provider’s improvements to its consent management as grounds for reducing the fine. In the course of the proceedings, the authority had originally set a fine of around EUR 10 million.
Data protection compliance: Product development sets the course
The “Grindr” case strikingly shows the consequences companies face if they offer products or services that violate data protection law. In addition to fines, prohibitions on data processing activities and obligations to delete data, companies should in particular take into account the risk of damage compensation claims by users. Another problem that should not be underestimated is that companies may be unable to use a product or service at all, because outside of purely personal or family purposes it cannot be used in a manner that complies with data protection law. An example of this was last year’s debate surrounding the “Clubhouse” app.
Companies should take the data protection requirements for processing personal data into account as early as the product development stage in order to avoid liability risks and other detriment. In addition to a legal basis for the data processing, which must be given particular attention in the case of data-intensive business models and third-country transfers, data protection by design (Article 25(1) GDPR) must also be observed. If consent is to serve as the legal basis for data processing, appropriate mechanisms for effectively obtaining and documenting consent should be provided for at the product development stage.
What else needs to be considered?
Particularly in the development and provision of apps, companies should consider not only the data protection issues themselves, but also the requirements of the German Telecommunications and Telemedia Data Protection Act (TTDSG) regarding the storage of cookies and other information on users’ end devices. If such cookies and other information are not strictly technically necessary, consent is required for their storage, independently of the GDPR. In B2C business, the provisions of §§ 327 ff. of the German Civil Code (BGB) should also be borne in mind; since 1 January 2022 these have governed contracts for digital products as a new type of contract. The fact that these BGB provisions also include an obligation to provide state-of-the-art security updates makes it clear that, in addition to data protection requirements, manufacturers and providers must increasingly take legal cybersecurity requirements into account.
Implementation in practice
In our experience, the implementation of legal requirements for data protection and cybersecurity in product development works best when it is embedded in product-related compliance management. The following aspects should be considered in particular:
- identification of the laws and other legal requirements relevant to the product or service in its market. Here, in our experience, it can be advantageous to assume a broad scope of application of the specific laws and regulations
- derivation of concrete requirements for the technical and organisational design of the product or service
- implementation of the legal requirements and documentation of that implementation
- continuous monitoring for changes in the legal situation, as well as for changed legal requirements resulting from adaptations and extensions of the product or service