Norwegian Data Protection Authority intends to issue € 2.5 million fine to Disqus Inc.

| Insight

According to the Norwegian Data Protection Authority (Datatilsynet), the Zeta Global-owned US company Disqus Inc. is responsible for many hundred thousands of Norwegians being tracked secretly while visiting Norwegian websites. The Authority has now notified that it intends to issue a huge fine for violation of the GDPR.

Background

Disqus is an American company offering online public comment sharing services. These services were previously used by various Norwegian online newspapers. The Data Protection Authority has investigated whether Disqus has been sharing information about the users of the comment sections with marketing companies, without the knowledge of neither the users nor the owners of the online newspapers, and in breach of the GDPR.

Preliminary findings of infringements

Based on its investigations, the Data Protection Authority has made a draft decision to fine Disqus. The decision is based on the following assessments:

  • Lack of legal basis: Disqus could not rely on the legitimate interests balancing test as a legal basis for or tracking across websites, services or devices, profiling and disclosure of personal data for marketing purposes. Disqus should have obtained consent from the data subjects.
  • Lack of transparency:  Disqus did not adequately inform the data subjects about the company’s tracking, profiling and disclosure of personal data.
  • Lack of accountability: Disqus had wrongly considered that the GDPR did not apply to data subjects in Norway. This despite the GDPR having been implemented in Norwegian law since 2018 through the Norwegian Personal Data Act.

When determining the size of the fine, the Data Protection Authority considered in particular that the infringements concern fundamental obligations, that hundred thousands of data subjects were affected, that the personal data processed were of a highly private nature and may relate to minors and/or reveal political opinions, and that the tracking, profiling and disclosure of data was invasive and non-transparent.

Not a final decision

The decision of the Data Protection Authority is currently a draft. Disqus may comment on the preliminary findings and decision until 31 May 2021, after which the Data Protection Authority will make a final decision.

The advance notification of the administrative fine is available here.

SVW’s team of specialized data protection lawyers are following the matter and the regulatory development in Norway closely and assist industry players daily on these issues. Please do not hesitate to contact us with any questions you may have in this regard.