Norwegian DPA Plans to Fine a U.S. Company €2.5 Million for GDPR Violations
The Norwegian Data Protection Authority (NO DPA) has notified Disqus Inc. that it intends to issue an administrative fine of €2.5 million against it for not complying with the GDPR requirements of accountability, lawfulness, and transparency.
Disqus is a U.S. company that offers an online public comment-sharing platform, which was previously used by a number of Norwegian online newspapers. Disqus collected personal data about data subjects in Norway through the Disqus widget, a comment plug-in for websites, and disclosed that data to third-party advertising partners.
The data was first collected through cookies that Disqus placed in the terminal equipment of all visitors to the websites running the Disqus widget, regardless of whether the visitor used the comment function. Those cookies then collected personal data about the users, which Disqus disclosed to multiple third-party advertising partners.
The key conclusions of the NO DPA in this case include the following:
- Assigning cookie IDs to users, tracking users across websites, as well as subsequently analyzing and sharing data about the online behavior concerning each unique ID constitutes “processing of personal data” pursuant to the GDPR.
- Online tracking using cookies and behavioral advertising constitute monitoring of the behavior of data subjects in the EEA, which brings Disqus within the territorial scope of the GDPR pursuant to Article 3 of the GDPR even though the company is established in the U.S.
- Disqus’s asserted lack of awareness that the GDPR applied to the data subjects in Norway means that it failed to fulfil its responsibility as a controller to comply with and be able to demonstrate compliance with the GDPR.
- Pursuant to its transparency obligations under the GDPR, Disqus was required to provide information to the data subjects at the latest when the tracking started, i.e., when data subjects opened the website. Making the company's privacy policy available through its own website and in the widget did not meet the criterion that the information be "easily accessible," as required by the GDPR.
- Disqus did not obtain consent from the data subjects before it processed the personal data collected through its cookies.
- Disqus's assertion that it did not advertise on Norwegian websites and did not aim to target users in Norway strongly suggests that the tracking was not necessary, since it served no particular purpose.
- The data subjects' interests, rights, and freedoms override Disqus's economic interest in online behavioral advertising, and therefore Disqus could not satisfy the balancing test required to rely on legitimate interests as a lawful basis for the processing.
The NO DPA's decision to impose the €2.5 million fine is not final. Disqus has an opportunity to comment on the DPA's findings until May 31, 2021, and the DPA will make a final decision on the penalty once it has reviewed the company's comments.
Take a tour of Clarip’s patented data privacy technology and learn how Clarip can help your enterprise comply with emerging state level data subject rights regulations. Call Clarip today at 1-888-252-5653 or schedule a Demo Online!