Million-dollar fine against app provider: Do not neglect data protection in product development

In a decision dated 13 December 2021, the Norwegian data protection supervisory authority (Datatilsynet) imposed a fine of about EUR 6.5 million on the provider of the app “Grindr” for violations of the General Data Protection Regulation (GDPR). The case is a prime example of the consequences of insufficient consideration of data protection requirements in product development.

Data protection violations at “Grindr”

The Norwegian data protection supervisory authority based its fine decision on the unlawful disclosure of personal data for the purpose of behavioural advertising. The authority explained that the users of “Grindr” are almost exclusively from the LGBTQ+ community and that the fact that a person uses the app therefore already provides information about the sexual orientation of the user. The authority therefore assumed that data indicating use of “Grindr” falls under Article 9(1) of the GDPR and may only be processed for advertising purposes with the express consent of the data subject. Accepting general data protection provisions does not satisfy the requirements of the data protection supervisory authority in this respect. When assessing the fine (only in German), the authority used not only the size and financial situation of the app provider but also improvements in consent management as a reason to reduce the fine. As part of the fine proceedings, the authority had originally set a fine of around EUR 10 million.

Data protection compliance: Product development sets the course

The “Grindr” case strikingly illustrates the consequences companies face if they offer products or services that violate data protection law. In addition to fines, the prohibition of data processing activities and the obligation to delete data, the assertion of damage compensation claims by users in particular should also be taken into consideration. Another problem that should not be underestimated is that a product or service may be unusable for companies because, outside of personal or household purposes, it cannot be operated in a manner that complies with data protection law. An example of this was the debate surrounding the “Clubhouse” app last year.

Data protection requirements for the processing of personal data should be taken into account by companies as early as the product development stage in order to avoid liability risks and other detriment. In addition to a legal basis for data processing, which must be observed particularly in the case of data-intensive business models and third-country transfers, data protection by design (Article 25(1) GDPR) must also be observed. If consent is used as the legal basis for data processing, appropriate mechanisms for effectively obtaining and documenting consent should be provided for at the product development stage.

What else needs to be considered?

Particularly in the development and provision of apps, companies should consider not only the original data protection issues, but also the requirements of the German Telecommunications and Telemedia Data Protection Act (TTDSG) regarding the storage of cookies and other information on the user’s end devices. If such cookies and other information are not strictly technically necessary, consent is required for their storage, independently of the GDPR. In B2C business, the provisions of §§ 327 ff. of the German Civil Code (BGB) (only in German) should also be borne in mind. These have governed contracts for digital products as a new type of contract since 1 January 2022. The fact that these BGB provisions also include an obligation to provide (only in German) state-of-the-art security updates also makes it clear that, in addition to data protection requirements, legal cybersecurity requirements must increasingly be taken into account by manufacturers and providers.

Implementation in practice

In our experience, the implementation of legal requirements for data protection and cybersecurity in product development works very well when it is embedded in product-related compliance management. The following aspects should be considered in particular:

  • identification of the laws and other legal requirements relevant to the product or service in its market; here, in our experience, it can be advantageous to assume a broad scope of application of specific laws and regulations
  • derivation of concrete requirements for the technical and organisational design of the product or service
  • implementation of the legal requirements and documentation
  • continuous monitoring for changes in the legal situation as well as changed legal requirements resulting from adaptations and extensions of the product or service

[January 2022]
