Million-dollar fine against app pro­vi­der: Do not negle­ct data pro­tec­tion in pro­duct development

In a decis­i­on dated 13 Decem­ber 2021, the Nor­we­gi­an data pro­tec­tion super­vi­so­ry aut­ho­ri­ty (Data­til­syn­et) impo­sed a fine of about EUR 6.5 mil­li­on on the pro­vi­der of the app “Grin­dr” for vio­la­ti­ons of the Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR). The case is a prime exam­p­le of the con­se­quen­ces of insuf­fi­ci­ent con­side­ra­ti­on of data pro­tec­tion requi­re­ments in pro­duct development.

Data pro­tec­tion vio­la­ti­ons at “Grin­dr

The Nor­we­gi­an data pro­tec­tion super­vi­so­ry aut­ho­ri­ty based its fine decis­i­on on the unlawful dis­clo­sure of per­so­nal data for the pur­po­se of beha­viou­ral adver­ti­sing. The aut­ho­ri­ty explai­ned that the users of “Grin­dr” are almost exclu­si­ve­ly from the LGBTQ+ com­mu­ni­ty and the­r­e­fo­re the fact that a per­son uses the app alre­a­dy pro­vi­des infor­ma­ti­on about the sexu­al ori­en­ta­ti­on of the user. The aut­ho­ri­ty the­r­e­fo­re assu­med that data indi­ca­ting use of “Grin­dr” falls under Artic­le 9(1) of the GDPR and may only be pro­ces­sed for adver­ti­sing pur­po­ses with the express con­sent of the data sub­ject. Accep­ting gene­ral data pro­tec­tion pro­vi­si­ons does not satis­fy the requi­re­ments of the data pro­tec­tion super­vi­so­ry aut­ho­ri­ty in this respect. When asses­sing the fine (only in Ger­man), the aut­ho­ri­ty used not only the size and finan­cial situa­ti­on of the app pro­vi­der but also impro­ve­ments in con­sent manage­ment as a reason to redu­ce the fine. As part of the fine pro­cee­dings, the aut­ho­ri­ty had ori­gi­nal­ly set a fine of around EUR 10 mil­li­on.

Data pro­tec­tion com­pli­ance: Pro­duct deve­lo­p­ment sets the course

The “Grin­dr” case impres­si­ve­ly shows the con­se­quen­ces com­pa­nies face if they offer pro­ducts or ser­vices that vio­la­te data pro­tec­tion laws. In addi­ti­on to fines, the pro­hi­bi­ti­on of data pro­ces­sing acti­vi­ties and the obli­ga­ti­on to dele­te data, the asser­ti­on of dama­ge com­pen­sa­ti­on claims by users should also be taken into con­side­ra­ti­on in par­ti­cu­lar. Ano­ther pro­blem that should not be unde­re­sti­ma­ted is that a pro­duct or ser­vice might not be able to be used by com­pa­nies becau­se it is not pos­si­ble to do so out­side of per­so­nal or fami­ly pur­po­ses in a man­ner that com­pli­es with data pro­tec­tion laws. An exam­p­le of this was the deba­te sur­roun­ding the “Club­house” app last year.

Data pro­tec­tion requi­re­ments for the pro­ces­sing of per­so­nal data should be taken into account by com­pa­nies as ear­ly as the pro­duct deve­lo­p­ment stage in order to avo­id lia­bi­li­ty risks and other detri­ment. In addi­ti­on to a legal basis for data pro­ces­sing, which must be obser­ved par­ti­cu­lar­ly in the case of data-intensive busi­ness models and third-country trans­fers, data pro­tec­tion through the design of tech­no­lo­gy (Artic­le 25(1) GDPR) must also be obser­ved. If con­sent is used as the legal basis for data pro­ces­sing, appro­pria­te mecha­nisms for effec­tively obtai­ning con­sent and docu­men­ting it should be pro­vi­ded at the pro­duct deve­lo­p­ment stage.

What else needs to be considered?

Par­ti­cu­lar­ly in the deve­lo­p­ment and pro­vi­si­on of apps, com­pa­nies should con­sider not only the ori­gi­nal data pro­tec­tion issues, but also the requi­re­ments of the Ger­man Tele­com­mu­ni­ca­ti­ons and Tele­me­dia Data Pro­tec­tion Act (TTDSG) regar­ding the sto­rage of coo­kies and other infor­ma­ti­on on the user’s end devices. If such coo­kies and other infor­ma­ti­on are not tech­ni­cal­ly abso­lut­e­ly neces­sa­ry, con­sent is requi­red for sto­rage – apart from the GDPR. In B2C busi­ness, the pro­vi­si­ons of §§ 327 ff. of the Civil Code (BGB) (only in Ger­man) should also be bor­ne in mind. The­se have gover­ned con­tracts for digi­tal pro­ducts as a new type of con­tract sin­ce 1 Janu­ary 2022. The fact that the­se BGB pro­vi­si­ons also include an obli­ga­ti­on to pro­vi­de (only in Ger­man) state-of-the-art secu­ri­ty updates also makes it clear that, in addi­ti­on to data pro­tec­tion requi­re­ments, legal cyber­se­cu­ri­ty requi­re­ments must incre­asing­ly be taken into account by manu­fac­tu­r­ers and providers.

Imple­men­ta­ti­on in practice

In our expe­ri­ence, the imple­men­ta­ti­on of legal requi­re­ments for data pro­tec­tion and cyber­se­cu­ri­ty in pro­duct deve­lo­p­ment is very suc­cessful when it takes place in product-related com­pli­ance manage­ment. The fol­lo­wing aspects should be con­side­red in particular:

  • iden­ti­fi­ca­ti­on of rele­vant laws and other legal requi­re­ments rele­vant to the pro­duct or ser­vice in the mar­ket. Here, in our expe­ri­ence, it can be advan­ta­ge­ous to assu­me a broad scope of appli­ca­ti­on of spe­ci­fic laws and regulations
  • deri­va­ti­on of con­cre­te requi­re­ments for the tech­ni­cal and orga­ni­sa­tio­nal design of the pro­duct or service
  • imple­men­ta­ti­on of legal requi­re­ments and documentation
  • con­ti­nuous moni­to­ring for chan­ges in the legal situa­ti­on as well as chan­ged legal requi­re­ments resul­ting from adapt­a­ti­ons and exten­si­ons of the pro­duct or service

[Janu­ary 2022]


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.