The Norwegian privacy watchdog plans to fine the discussion platform Disqus 2.5 million euros. Disqus allegedly tracked users in the country unnecessarily, although it does adhere to privacy law in the rest of the EU.
The Datatilsynet says it wants to give Disqus's parent company, Zeta Global, a GDPR fine of 25 million Norwegian kroner. That is equivalent to 2.5 million euros. According to the regulator, Disqus is used by several Norwegian newspapers and websites. The privacy investigation into Disqus started following a series of articles by the Norwegian public broadcaster. The broadcaster described how websites on which the discussion platform was implemented allegedly tracked visitors unlawfully. The data was then forwarded to external advertisers. For the investigation, the watchdog looked at seven websites on which Disqus was active.
It is striking that, according to the Norwegian public broadcaster, Disqus did comply with the GDPR in the rest of the EU. Zeta Global reportedly said in an earlier interview with the broadcaster that it was not aware that the GDPR applied in Norway. Norway is not a member of the European Union, but falls within the European Economic Area. The EEA consists of all 27 EU member states, plus Iceland, Liechtenstein and Norway. The GDPR also applies in those last three countries.
Nevertheless, Zeta Global invoked legitimate interest in its response to the Norwegian privacy watchdog. That is one of the six bases on which a company may collect personal data under the GDPR. The Datatilsynet does not accept that argument. “Based on our preliminary investigation, we believe that Disqus has no legitimate interest in the cross-site tracking and transfer of personal data,” the regulator wrote. “This kind of tracking requires user consent.”
In addition, the regulator says Disqus is not transparent about what information it collects. The company allegedly failed to provide users with adequate information about how it uses data. Finally, Zeta Global allegedly violated the GDPR’s accountability principle by stating that the privacy law did not apply to its Norwegian users.
The regulator calls it a serious violation, and says the fine is so high because the information collected was so sensitive. The data about website visits would allow the company to work out someone’s political preferences. In addition, it is possible that minors were tracked. Minors have extra protection under the GDPR.
The fine is not yet final. The Datatilsynet has first sent Disqus a letter, to which the company can respond before the end of the month. A final decision will then follow.