The Norwegian Consumer Council has filed a privacy complaint against popular gay dating app Grindr, after it was revealed the app had been sharing the HIV statuses of its users with third parties.
Shortly after Grindr announced a new feature for the app which would remind users to get tested for HIV every few months, a report revealed that Grindr shares its user data, including HIV status and location, with at least two third-party companies.
In a document published on Tuesday, the Norwegian Consumer Council claimed they were filing the complaint against Grindr “for breaching data protection law.”
“Grindr processes sensitive personal data, such as HIV-status, sexual orientation, and sexual preferences. This complaint concerns how Grindr shares and protects these sensitive personal data,” they explained. “Information about HIV-status, which these services receive from Grindr, are sensitive personal data.”
The Norwegian Consumer Council also claimed it was “disconcerting that users of the Grindr service are at risk of losing control over personal data regarding their sexual preferences and HIV-status,” and noted that, “Data protection legislation in the United States is significantly weaker than in Europe, and the individual is afforded a lower grade of protection for their own personal data.”
“The Consumer Council regard this disclaimer as unfortunate, especially when Grindr is transferring sensitive personal data about European users. European users of the app have the right to have their personal data protected according to European law,” they declared. “The Consumer Council cannot see that Grindr is registered under the trans-Atlantic data transfer agreement Privacy Shield, which is meant to ensure that personal data that is transferred to the United States is protected in line with European data protection law. The Consumer Council see this as a cause for concern regarding whether the privacy rights of European Grindr users are sufficiently respected.”
“Grindr is an app that is targeted to and used by sexual minorities, and on that basis there is reason to believe that information about the use of the service could be sufficient to draw conclusions about sexual orientation,” concluded the Council. “The Consumer Council is of the opinion that Grindr cannot waive their responsibility for how third parties collect data on the users of the service. When Grindr transmits sensitive personal data to third parties, who could use this information for advertising purposes, this is outside of the scope of the original purpose of the data collection, which is to offer a social networking service. This is in breach of the principle of purpose limitation, and to our knowledge Grindr does not sufficiently ask for consent to this further purpose.”
The Council also expressed that in their view, the current policy “is in breach of Norwegian and European data protection law.”