The sooner companies start to realize that personal data is a liability rather than an asset the better. Happy to see this fine, but as far as I'm concerned given the kind of data we're talking about here it should have been higher.
Grindr is a repeat offender, globally.<p>In 2018 researchers found that Grindr was sharing users' HIV status and location with marketing companies: <a href="https://www.buzzfeednews.com/article/azeenghorayshi/grindr-hiv-status-privacy#.dyPk9w3bW" rel="nofollow">https://www.buzzfeednews.com/article/azeenghorayshi/grindr-h...</a><p>Just this year there was a scandal where an anti-gay church fired one of its officials because a homophobic publication somehow got access to his Grindr account and his location data. The details on how the data got out are not clear. <a href="https://www.vice.com/en/article/pkbxp8/grindr-location-data-priest-weaponization-app" rel="nofollow">https://www.vice.com/en/article/pkbxp8/grindr-location-data-...</a>
For those confused about the fine amount, here is the quote from the original source:<p>> In light of all the relevant criteria of Article 83 described above in sections 6.3-6.4, we consider that the imposition of a fine of NOK 65 000 000 is effective, proportionate and dissuasive in the present case.<p><a href="https://www.datatilsynet.no/contentassets/8ad827efefcb489ab1c7ba129609edb5/administrative-fine---grindr-llc.pdf" rel="nofollow">https://www.datatilsynet.no/contentassets/8ad827efefcb489ab1...</a><p>This is approximately 6.49M EUR.
One thing I'm wondering with these fines is whether they are actually "dissuasive".<p>In particular, the revenue limit seems problematic. For a "normal" company whose profit margin is a relatively small fraction of revenue, 4% of revenue is huge. But for highly profitable large tech companies that make money primarily from ads, it may not be possible to issue a dissuasive fine if it is capped to 4% of revenue. Maybe "4% of revenue, or 200% of profit, whichever is higher" would be a better limit.
The thing that always bothered me most about Grindr is the fact they do not allow any connectivity from VPNs, even if you have an upgraded account. This doesn't seem to jibe well with the need for privacy or anonymity in places where it's dangerous to be gay.
The Norwegian Data Protection Authority imposed a fine of €6,500,000 on Grindr for not collecting users' valid consent for sharing data with third parties for profiling and advertising purposes from the Grindr App.<p>Particularly interesting is that it is not allowed under GDPR to have a free version of an app with the condition that it shares personal data (in this case for targeting and profiling for ads) as the consent of the user is not freely given in this case - in a "Take it or leave it" situation, consent cannot be seen as freely given.<p>Link to the section "Consent as a condition to access the service": <a href="https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_20/02136-18#Consent_as_a_condition_to_access_the_service" rel="nofollow">https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_2...</a>
Good. Grindr is probably the best example of extremely high brand & network value vs shockingly poor security & application quality. The company demonstrates zero integrity and needs to be shut down or fined to death. It would send a proper warning to the industry, though long overdue.
From a systems point of view, the "boiling over" of agitated Grindr's data is no surprise as the source of obvious data abuse, similar to the way that the data on compulsive gamblers is used and abused, I suspect. Yet this is only a tip of an iceberg.<p>In my own opinion - this "surveillance capitalism" is a huge, stinking cancer on free society and is only getting started.. history will show this is absolutely true. "I have nothing to hide" people can get a free Grindr subscription for all I care.. this is a rotten situation.
Unfortunately, data collection and data sales (either of the data directly or via targeted ads) is how many modern internet companies generate revenue. It’s easy to claim that they should just charge money directly for their product but their would-be customers seem to rather pay with their data than a monthly fee.<p>In fact, anecdotally, it’s often the vocal critics of data-funded tech companies who post an archive.is version of every paywalled article.
Maybe it's time that frameworks like Django and Rails make it easier to be GDPR compliant from day 1. ASP.NET Core has APIs and templates for this:<p><a href="https://docs.microsoft.com/en-us/aspnet/core/security/gdpr?view=aspnetcore-6.0" rel="nofollow">https://docs.microsoft.com/en-us/aspnet/core/security/gdpr?v...</a>