The Norwegian Data Protection Agency imposes a provisional fine of EUR 2.5 million on a US company that uses web tracking IDs
On May 2, 2021, the Norwegian data protection authority Datatilsynet announced its intention to impose a fine of 25 million Norwegian kroner (approx. 2.5 million euros) on Disqus Inc. (“Disqus”), a US company owned by Zeta Global. The provisional fine was imposed for non-compliance with the General Data Protection Regulation (GDPR) requirements for accountability, legality and transparency, mainly due to Disqus’ tracking of website visitors.
Disqus provides a public online platform for sharing comments and moderation tools for online publishers. Numerous Norwegian online newspapers used its services through the Disqus plug-in (the “widget”). Disqus collected data via cookies that were placed on the devices of visitors to websites using the widget, and then passed the personal data collected by these cookies on to third-party advertising partners and its parent company. The data collected included information about other websites running the widget that users visited, the users’ IP addresses, browser data and unique identifiers. Disqus’ processing for programmatic advertising purposes was made public by the Norwegian Broadcasting Corporation, which published news articles describing Disqus’ activities.
Datatilsynet came to the conclusion that Disqus had processed personal data (through tracking, analysis and profiling as well as disclosure of data to third-party advertisers) without a legal basis, in breach of Article 5 (1) (a) and Article 6 (1) of the GDPR. Datatilsynet also noted that Disqus had not provided notice of its data processing as required by Articles 5 (1) (a), 12 (1) and 13, and that Disqus had not recognized the applicability of the GDPR to its processing in general. Zeta Global confirmed in its communications to the regulator that the GDPR-compliant version of the widget was not implemented in Norway because Disqus did not know that the GDPR would apply there, as Norway is not an EU member state.
Disqus alleged in its communications to Datatilsynet that it did not come under the jurisdiction of the regulator as it did not do business in Norway and that it did not know that it had collected data on Norwegian individuals. However, the widget was offered on seven Norwegian news websites which, according to the regulator, indicated that Disqus was providing a service to data subjects in Norway. In addition, the widget was available in Norwegian and under a top-level domain with the Norwegian country code. Datatilsynet therefore came to the conclusion that Disqus’ activities fall within the scope of Article 3 (2) (a) of the GDPR. The regulator also considered that the placement of cookies by Disqus and the subsequent tracking of Norwegian data subjects constituted monitoring of individuals within the meaning of Article 3 (2) (b).
Disqus also argued that the information collected was not personally identifiable as the relevant individuals could not be identified from their cookie IDs. The regulatory authority refuted this on the grounds that the GDPR expressly confirms that online identifiers represent personal data. Datatilsynet stated regarding cookie IDs: “Regardless of whether this is identifiable information, each cookie ID is unique and is stored in a natural person’s browser so that the controller can distinguish one website user from another and monitor how every user interacts with the website … Therefore, a cookie ID fulfills the criteria in Article 4 (1) GDPR and represents ‘personal data’.”
On the basis that Disqus was unaware of the applicability of the GDPR to its activities, the regulator concluded that it was clear that Disqus had not assessed the legality of its activities or its responsibility to comply with, and demonstrate compliance with, the GDPR. This failure violated the principle of accountability. Disqus had also failed to adequately inform individuals of its processing, as the vast majority of those who were being tracked for online behavioral advertising had no reason to expect such processing to take place, having never directly interacted with Disqus. Individuals could therefore not judge whether they wanted to be tracked and profiled by Disqus. The regulatory authority stated that Disqus should have provided information at the latest at the start of the tracking, i.e. when the website using the widget was opened.
With regard to the determination of the applicable legal basis for the processing, Datatilsynet confirmed that Disqus had a legitimate interest in the processing, but found that the processing was not necessary for this interest, as the processing activities could have been carried out with less invasive means. In addition, the regulatory authority found that the fact that the processing constituted profiling weighed against Disqus in the legitimate interests balancing test, since this type of processing endangers the fundamental rights and freedoms of the individual, in particular the right to freedom of expression and information, in several ways. Datatilsynet commented, “Hidden surveillance or tracking of people’s online activities can have a deterrent effect, which means they abandon lawful behavior for fear of being seen online.” As a result, the regulatory authority came to the conclusion that Disqus did not satisfy the legitimate interests balancing test and had carried out its processing without a legal basis.
As part of its decision to impose a fine, Datatilsynet took into account the fact that data subjects’ online browsing behavior had been widely disseminated, potentially leading to manipulation of those individuals, as well as the fact that several hundred thousand people were likely to have been affected, which indicates a systemic violation. Datatilsynet also noted that while Disqus had deleted the relevant information, this was of little significance as the data had already been fed into the online behavioral ecosystem. Additionally, the processing of online reading behavior could reveal a lot about the individual through tracking and analysis over time. The regulator regarded this as highly private information, possibly including sensitive information such as political opinions.
Disqus has until May 31, 2021 to comment on the findings of the regulatory authority. Datatilsynet will finalize its decision once the response from Disqus has been assessed.