° For more information on the requirements for valid • In this context, it is interesting to consider whether consent, you may wish to read the EDPB’s guidelines these circumstances would be considered by a on consent. court to be so serious that data subjects would • It is also relevant to consider the types of personal be able to obtain damages from Grindr, if such an data being processed. Even if one does not directly action were to be brought. process information about the sexuality of the data • According to German and Austrian courts, harm subject, the processing could probably still fall does not have to be economic, but it must be under Article 9 of the GDPR if, in cases such as the objectively significant and involve social or one in question, sensitive personal data could be personal consequences for the data subject, such inferred from knowing which community the data as negative public exposure or humiliation. subject belongs. • It is not inconceivable that this could be the case • The fact that a person creates an online (dating) if this information came into the possession of profile with millions of users does not automatically unauthorized persons - especially considering the mean that sensitive personal data from that profile Norwegian DPA’s premise that Grindr is considered can be processed under the exemption in Article a ”safe space” for people in the LGTBQ+ community. 9(2)(e), even though it says that sensitive personal data made public by the data subject himself can ° If the offense could give rise to a claim for damages, be processed. it is interesting that the case involves a large number of data subjects, each of whom could potentially The imposition of a fine claim damages. This could pose a serious financial threat to Grindr if the Norwegian DPA even ends up • When calculating the fine, the nature of the offense upholding the NOK 100 million fine. may be considered. A larger fine is likely to be imposed if many people have unlawfully accessed ° It is an aggravating circumstance if the data personal data and if the unlawful processing has processor has made money from unlawful taken place over a long period. processing. This takes into account what other fines have been imposed in Europe in similar cases, where, • It is important to consider the types of personal for example, Google was fined EUR 50 million in 2020. data that have been processed and how they When you have monetized unlawful processing, the interact with each other. In this specific case, the supervisory authority in question will probably often Norwegian DPA considered it an aggravating find that the unlawfulness is committed intentionally, circumstance that information about users’ which will also be an aggravating circumstance. sexuality, together with their exact location, was shared, as this constituted a threat to the data ° Finally, it is interesting that the Norwegian DPA subjects’ freedoms. According to the Authority, recognized the COVID-19 situation as a mitigating this should be seen in the context of the fact that circumstance regarding the amount of the fine. Grindr is considered a ”safe space” for people in the LGTBQ+ community and that those in the community are particularly concerned that others do not have access to this information. 136