Skip to content

Norway – Datatilsynet proposes EUR 2.5 million fine on US company for GDPR

Author
Parker Nigel
Nigel Parker

Partner

London

View profile →

11 May 2021

On 5 May 2021, the supervisory authority for Norway (Datatilsynet) announced that it intends to issue a 25 million NOK fine (approximately EUR 2.5 million) to an online public comment sharing platform Disqus Inc. (Disqus) for unlawful tracking and sharing personal data with advertising partners, relating to users of Norwegian news websites. 

Disqus provide a comment widget that allows website publishers to provide individuals with the ability to comment on articles. Datatilsynet found that GDPR applied to Disqus because it offered services to individuals in Norway. The company also monitored user behaviour by placing cookies to collect data on other websites visited by users of the website, which was then used for the purposes of online behavioural advertising. Disqus was collecting data of all website visitors, regardless of whether they used the widget. Disqus claimed it was unaware that the GDPR applied in Norway.

Datatilsynet clarified its preliminary conclusions as follows: 

  • Disqus did not have a legal basis to track, profile and share data of individuals for marketing purposes. Disqus could not rely on the legitimate interests legal basis for tracking individuals across websites, services or devices, profiling and disclosure of personal data for marketing purposes. This kind of tracking would require consent. 
  • Information about data processing was not easily accessible to individuals - such information should have been provided at the latest when tracking started (i.e when the individual opened the website). It was not sufficient that the privacy notice was available on the corporate website of Disqus, and at via a link placed next to the comment function.
  • Disqus had not identified that GDPR applied to Norwegian users, and so had not implemented the data protection safeguards required by GDPR. Disqus had therefore also breached the GDPR accountability principle.

Level of fine proposed

The proposed fine of approximately EUR 2.5 million represents approximately 15% of the estimated annual turnover of the company in 2018. In determining the amount of the fine, Datatilsynet looked for similar cases from other supervisory authorities, although found no directly comparable cases. Datatilsynet also considered how supervisory authorities sanctioned infringements of the same articles of the GDPR as in this case (Articles 5(1) and (2), 6, 12 and 13 GDPR), citing the EUR 50 million fine by the CNIL against Google and the EUR 6 million fine by the AEPD against Caixabank.

Disqus now has the opportunity to comment on Datatilsynet's findings by 31 May 2021, before the decision becomes final.

The press release is available here and the advance notification is available here.

 This article was written in collaboration with the aosphere Rulefinder Data Privacy team. Rulefinder Data Privacy is an online legal subscription service which analyses and tracks data privacy obligations globally. Learn more and request a free trial here.

 

Related expertise