TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, March 11, 2016 Related reading: Search for UK ICO launches


Greetings from Brussels!

Another household digital brand is making the news in a way they’d rather not; this week its Tinder's turn. It’s a Norwegian story, involving a complaint against the U.S. company by a consumer group. The Norwegian Consumer Council has filed an official complaint with their national ombudsman claiming that Tinder’s terms and conditions are illegal under Norwegian and EU consumer and privacy laws.

The complaint maintains the company is reserving for itself unbalanced and sweeping powers of ownership and control of user over data. Powers such as changing those very same terms of use without notifying users, as well as deleting user accounts without explanation or justification. Moreover it seems that users are unable to delete their accounts of their own accord. The complaint goes on to state that Tinder has a minimum age of 13 as part of its sign-up conditions, which flaunts Norwegian law.

Finn Myrstad, the organization’s director of digital policy noted that this was the council’s first formal complaint arising from its very own “AppFail” campaign. In short, the Norwegian Consumer Council launched a campaign to analyze terms, including privacy policies as well as the behavior of 20 mobile app companies. The purpose was to uncover potential threats to consumer protection, hidden in plain sight in the end-user terms and privacy policies of the apps. A key aim of the campaign was to raise awareness among Norwegians as to the full extent to which they surrender their rights by signing up to app terms and conditions. A full report is available with their findings.

There was also a very recent — and similar — case in France last month. On that occasion, the French consumer organization UFC-Que Choisir asked the CNIL to investigate the dating app Happn over its data-collection practices. UFC-Que Choisir lodged a complaint over suspicions that the dating app company transferred user data to third-party businesses. Furthermore it is also alleged that data transfers continued even after users had uninstalled the app; one wonders about lingering cookies. Another interesting aspect to this story is that the French Consumer Group based its complaint in part on analytical findings identified by the Norwegian Consumer Council through the same “AppFail" campaign. A technical analysis performed by the research institution SINTEF on behalf of the Norwegian Consumer Council showed that key Happn user data was being shared frequently with the U.S. based tracking firm UpSight. As mentioned previously, the consumer watchdogs seem to be gaining momentum, becoming more active in the data protection and privacy space. Coupled with data protection authority activity, it certainly seems that the digital industry can expect additional probes into business practices as the industry expands.

Interestingly, referring back to Tinder, they have no established European operations to mention. That said, they offer Norwegian language services and their app can be downloaded from the Norwegian app stores, so it is certainly servicing the local market. This can only reinforce the argument by the Council that they must comply with local law. If the Norwegian consumer ombudsman takes up the case, it may end up telling Tinder to change its terms and conditions or possibly face fines. 

Who’d have thought that online dating would be the source of public debate, it strikes me as an activity meant to be private and personal. Oddly enough though I have read in other news that the U.S. presidential campaigns have spilled over into Tinder’s space; and while no political campaign seems to be openly endorsing it, no one is actively discouraging it either. So while Tinder is known as a go-to destination for 20-somethings to find hookups; it seems your political views are very much a matchmaker these days, so play nicely.

The bigger-picture lesson here is obvious, though: If U.S. companies are looking to enter European markets, the due diligence is about more than just language and market-sizing. They must be aware of local privacy law and conform to it, or their business efforts could be quickly derailed by bad publicity and regulator interest. 


If you want to comment on this post, you need to login.