Norway – Datatilsynet proposes EUR 2.5 million fine on US company for GDPR

Disqus provide a comment widget that allows website publishers to provide individuals with the ability to comment on articles. Datatilsynet found that GDPR applied to Disqus because it offered services to individuals in Norway. The company also monitored user behaviour by placing cookies to collect data on other websites visited by users of the website, which was then used for the purposes of online behavioural advertising. Disqus was collecting data of all website visitors, regardless of whether they used the widget. Disqus claimed it was unaware that the GDPR applied in Norway.

Datatilsynet clarified its preliminary conclusions as follows: 

• Disqus did not have a legal basis to track, profile and share data of individuals for marketing purposes. Disqus could not rely on the legitimate interests legal basis for tracking individuals across websites, services or devices, profiling and disclosure of personal data for marketing purposes. This kind of tracking would require consent. 
• Information about data processing was not easily accessible to individuals - such information should have been provided at the latest when tracking started (i.e when the individual opened the website). It was not sufficient that the privacy notice was available on the corporate website of Disqus, and at via a link placed next to the comment function.
• Disqus had not identified that GDPR applied to Norwegian users, and so had not implemented the data protection safeguards required by GDPR. Disqus had therefore also breached the GDPR accountability principle.

Level of fine proposed

The proposed fine of approximately EUR 2.5 million represents approximately 15% of the estimated annual turnover of the company in 2018. In determining the amount of the fine, Datatilsynet looked for similar cases from other supervisory authorities, although found no directly comparable cases. Datatilsynet also considered how supervisory authorities sanctioned infringements of the same articles of the GDPR as in this case (Articles 5(1) and (2), 6, 12 and 13 GDPR), citing the EUR 50 million fine by the CNIL against Google and the EUR 6 million fine by the AEPD against Caixabank.

Disqus now has the opportunity to comment on Datatilsynet's findings by 31 May 2021, before the decision becomes final.

The press release is available here and the advance notification is available here.

This article was written in collaboration with the aosphere Rulefinder Data Privacy team.* Rulefinder Data Privacy is an online legal subscription service which analyses and tracks data privacy obligations globally. Learn more here.

DISCLAIMER: aosphere ceased to be affiliated with Allen & Overy on 8 February 2024 and is no longer part of the Allen & Overy group. aosphere is a separate business that is not regulated by the Solicitors Regulation Authority. A&O does not receive any referral fees from aosphere.