Image source: https://blog.ipleaders.in/the-right-to-privacy/

This article has been written by Eashaa Chan pursuing the Diploma in International Data Protection and Privacy Laws from LawSikho

This article has been published by Oishika Banerji

Introduction

Dating apps in recent years have become extensively popular, as these apps assist in making our life easy, it is crucial to point out that these apps also collect sensitive data about their users. By meticulously calculating the algorithms, these services match our interests, likes, dislikes, and preferences with other people who have similar tastes. But to make these perfect matches, these apps collect personal, sensitive information including sexual preferences, physical location, etc. When that is done, it is apparent these apps should make sure they manage these private data responsibly as it should not affect the users negatively. 

Download Now

When talking about dating apps, two issues need to be dealt with first the sharing or trading of sensitive data (sexual orientation, sexual preference, religious beliefs), second the users being unaware of what kind of information and with whom it is shared (unexpected third parties), as most of the apps do not give users any control over how their data is being used.

Trading sensitive data may have negative consequences on the users, specially in regions where homophobia and trans phobia is prevalent, safety of the users is compromised who may choose to hide their sexuality from friends and family as advertisers use their information for target marketing, may expose their secrets through ads and emails that the user receives, also members of the LGBTQIA+ community (historically marginalized group) have a particularly high risk of being targeted because of their identity or relationships, as users of the dating app GRINDR have been located and targeted in countries where homosexuality is illegal (discussed further).

Many security researchers have discovered that popular dating apps like Tinder, GRINDR, OkCupid, etc. have been accused of breaching GDPR for sharing sensitive and personal information with “unexpected” third parties’ (will be discussed). This vague and ambiguous information provided about the transmission of data between the service provider and the third parties makes it impossible for users to make informed choices about how their data is collected, shared, and used. This can result in grave consequences as the fundamental right to privacy of the data subjects is jeopardized.

Expected and unexpected data transmissions 

A service provider may be incapable of performing all the necessary tasks needed for the proper functioning of the app all by themselves, therefore they may have more than one third-party service provider that processes data on their behalf. This is to make sure the app functions perfectly as intended, therefore these kinds of transmission of information are expected. GDPR precisely mentions in Article 25(2), which specifies the requirements for data protection by default, states that- 

“The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons” 

Article 25(2) if not followed, then any kind of transmission to a third party becomes unexpected. 

Adtech companies (third party) through dating apps are receiving a variety of sensitive personal data. Identifiers (information that is enough to identify a person) such as, IP addresses, Android Advertising IDs, and exact GPS coordinates are transmitted together with additional sensitive information about their religious and political believes, sexual preferences more. These kinds of additional transmissions that the users are unaware of are unexpected.

Expected transmission of data includes: 

  • Data that ensures the product’s basic functionality, 
  • Data for crash reports and analytics, 
  • Data to show advertising in the app, 
  • Data for tracking and profiling the user.

When does data transmission become unexpected?

The data sharing becomes unexpected when apps do not clearly inform the user about these third parties, and their intentions behind accessing their information. Sharing the ad server the GPS coordinates when it is unnecessary, sexual preferences, political views, and gender, religious believes (special categories under GDPR) all come under unexpected transmission. 

Consent

When registering in an app for the first time, it is common that the user is presented with a privacy policy. These privacy policies are usually many pages long, the information is very ambiguous and the users cannot get a clear vision of exactly how many parties will get access to their information and what kind of information. If the user refuses to accept the privacy policies, the only option is usually to uninstall the app, therefore here a controller is denying services to users who do not want their personal data to be used for other purposes, this results in denial of valid consent under GDPR. 

Under the GDPR, consent, in order to be considered legally valid, should be freely given, specific, informed, and unambiguous i.e., the user should receive clear and easily understandable information. 

The processors or controllers cannot pressure users to agree to data sharing, the provision of a service should never be conditional on accepting an unnecessary collection of personal data, which means that the use of a dating app should not require the user to consent to their personal data being used for profiling and behavioral advertising.

Therefore the choices and consent prompt should be unambiguous, it should not be confusing and tedious to read, it should be to the point and understandable to a layman to ensure that there are no misunderstandings about what the consumer is consenting to.

For consent to be valid, the data subject must at least have the knowledge of –

  • The controller’s identity,
  • What kind of data will be processed, (no unnecessary collection of data i.e sensitive data)
  • How exactly will it be used?
  • His or her right to withdraw consent anytime. The withdrawal of consent should be as easy as giving consent.

Case study of Tinder and Okcupid

Tinder and OkCupid are known to be very popular dating apps today, and both services are run by the Match Group (Company Based in Los Angeles).  According to their privacy policies, they share the user data with third parties for advertising purposes and also with other Match Group companies. This means that user data is not only shared between Tinder and OkCupid, they also share data with Match group and other Match Group companies, which includes at least 45 dating-related businesses.

This means that, according to the privacy policy, a Tinder-user or OkCupid user could have their personal data used by other match group companies (like plenty of fish) even if they never used that service, this leads to breach of informed consent.

Breach of informed consent 

Both Tinder and OkCupid did not comply with GDPR conditions for informed consent (discussed later), as they failed to provide clear information about third-party data sharing. The user in this case will have to read the entire privacy policy of Tinder and OkCupid along with the privacy policies of Match groups and its subsidiaries, in order to get a clear understanding of the extent of data sharing, this can be very confusing to a layman. This shows that the consent is not informed, specific and is unambiguous. 

Breach of explicit consent

Consent in the privacy policies concerning the processing of personal data has to be explicit.

Violation of principle of purpose limitation 

GDPR Art. 5(1) (b) states that any personal data should only be processed for a specified, explicit, and reasonable purpose, and should not be processed in ways that are contradictory to or conflicting with the aim of processing the data. But in this case both tinder and OkCupid sharing personal data between Match group companies can raise issues as it fails to comply with the data protection principle of purpose limitation.

How data sharing in dating APPS Affects LGBTQ+ community?

It is important to give special attention to LGBTQ+ users in dating apps and dating apps specifically for them. GRINDR, OkCupid, Tinder have been accused of collecting and transferring very sensitive user data that comprises of users’ sexual orientation and sexual preferences with at least 135 different third parties.

This can have way adverse effect on LGBTQ+ users, as many users reside in places where queers are still considered taboo, and the concept of gay relationships is stigmatized and even illegal in many regions. If their sensitive data falls in the wrong hands, the consequences can be life-threatening and a matter of physical safety.

In 2020, Recorded Future, a cyber-security firm, explained how governments and agencies around the world are targeting LGBTQ+ people through user data in dating apps, it also pointed out many loopholes in the data security of these apps.

GRINDR 

This app’s target market is homosexual, bisexual, and Trans people and is the world’s most popular gay dating app. A user using GRINDR, in itself is a strong indicator of his sexual preferences. Therefore even if GRINDR claims that the data transferred does not include sensitive data like sexuality, still, the fact that the users’ data is transferred from an app like GRINDR is itself a strong indicator of his sexuality.

In April 2018, GRINDR was sharing sensitive, intimate and personal details of user data like H.I.V. status, sexual tastes, etc., with third party companies like Apptimize and Localytics. This issue was identified by the Norwegian Consumer Council and consequently, a complaint was filed to the Norwegian Data Protection Authority for breaches of the GDPR.

In August 2019, Pen Test Partners reported that GRINDR, Romeo, Recon, and 3 fun (dating apps) were found to expose users’ exact locations, just by knowing a user name was thus putting users’ physical security at risk.

The Norwegian Consumer Council (a non-profit organization in Oslo) made many claims over the years that GRINDR had violated many GDPR rules and compromised user’s privacy. This resulted in the Data Protection Authority taking action and fined Grindr 11.7 million dollars and Twitter removed GRINDR from its advertising network.

GRINDR is owned by the Chinese gaming company Beijing Kunlun Tech. China has ambiguous IT laws, companies could be forced to hand over network data whether they want to or not in the name of “national security”. In January 2020, John Demers, assistant attorney general for national security at the Department of Justice, expressed concerns over the amount of data collected by social apps owned by Chinese organizations as data collected by Chinese companies is at risk for exposure to the Chinese government. 

Issues with GRINDR’s privacy policies 

  1. TRANSPARENCY

GRINDR is the “controller”, therefore is responsible for any personal data collected and shared through its services, therefore should clearly state how the user information will be processed from the time of collection of the data to its deletion (entire life cycle). GRINDR in its privacy policy only lists MoPub as an advertising partner, and directs users to read the privacy policies of MoPub’s partners to understand precisely how data is used. The issue is that MoPub has more than 160 partners, which makes it impossible for the users to understand how each of these partners may use personal data. It is impossible for users to give informed consent in this case. 

  1. SECTION 9 OF GDPR, PROCESSING OF SPECIAL CATEGORIES

Section nine covers “special categories” of data, which includes information on sexual orientation. Under the GDPR, the processing of special categories of personal data is prohibited (with few exceptions). As discussed Grindr has been accused of transmitting user information like sexual orientation, religious believes, political opinions, which all fall under the ambit of special category.

  1. THREAT TO LGBTQ+ THROUGH DATA SHARING

On June 29, 2013, the Russian government enacted policy Law No. 135-FZ (the “gay propaganda” law) that criminalizes public and online expressions of LGBTQIA+ rights, banning the distribution of any information about ‘non-traditional sexual relationships.

May 2016, the Moldovan Socialist Party considered adopting a law against so-called gay propaganda, which seek to “impose fines for spreading ‘homosexual propaganda’ to minors ‘through public meetings, the media, the Internet,’ and other means.” The legislation was later ultimately abandoned

In 2018, the country banned Pride events, Moscow denied more than 100 individual requests to hold Moscow Pride, and in 2019, it blocked LGBTQ groups from officially registering in the country.

March 2020, President Putin then proposed a constitutional amendment banning gay marriage and even banned Russian authorities from recognizing gay marriages registered outside the country.

April 24, 2020, a survey by the Levada Center showed that one out of five Russians wanted to “eliminate” LGBTQ+ from society. LGBTQ violence is only increasing.

The above timeline shows the prejudice of Russia against the LGBTQ+ community. Many countries like Serbia, Turkey, China, and many more similar issues. Understanding the privacy issues Tinder has faced in the past, it cannot be ignored how easily accessible is data from Tinder and could be used against LGBTQIA+ users, to track and potentially punish individuals.

The General Data Protection Regulation (GDPR) 

Privacy and data protection are two rights enshrined in the EU Treaties and the Charter of Fundamental Rights. Article 8 of the charter contains an explicit right to the protection of personal data. The General Data Protection Regulation (GDPR) grants data subjects the right to access data which in turn results in further rights such as rectification and erasure of their personal data. 

  1. DATA SUBJECT- any natural living person (identified or identifiable) whose personal data undergoes processing operations, GDPR protects the rights of the data subjects.
  2. CONTROLLER- an entity that determines the means and purposes of data processing operations. According to the European Court of Justice Ruling decided in the Wirtschaftsakademie case that a marketer who commissions targeted advertising is a controller even if it does not have direct access to personal data being processed as long as they define the means and purposes of the processing.
  3. PROCESSORS- Any institution or organization that carries out data processing on behalf of the controller. 

When a processor can also regulate and determine the purposes and means of the processing of personal data it receives from the controller, it shall be considered a controller or a joint controller in its own right. 

Therefore, if a company uses the personal data it receives for its own purposes and advantage and determines the means and extent of processing, it makes it a separate controller. It cannot depend on the original controller (app provider) to be the only one responsible to obtain legal consent and comply with the GDPR rules for their data operations.

Conclusion

One can come to the conclusion that Privacy is crucial in online dating applications. Dating apps with the data they collect are perfectly capable of constructing a detailed personality of the user and sharing it to third parties to generate more precise targeted advertising. 

Therefore, they should process data responsibly and in compliance with all the data protection laws of places their target audience reside. Information about what user data is collected and who it is transferred to and for what reason must be mentioned in the privacy policy in a clear precise manner so that even a layman understands them. If any data processors are hired, they should be monitored to ensure compliance. The user, especially in dating apps should have a clear choice of what kind of data he wants to allow the app to share and to whom.

Some dating apps, though secure at the server level, do not offer end-to-end encrypted chat service or adopt essential safety measures to protect data from data breaches or third-party access, therefore users should be aware of their institutional privacy and should know the consequences of sharing their personal information before using the application.

References

  1.  https://www.forbrukerradet.no/dark-patterns/
  1. https://www.consumersinternational.org/members/members/norwegian-consumer-council/
  1. https://www.recordedfuture.com/lgbtqia-community-cyber-threats/
  1.  https://www.buzzfeednews.com/article/azeenghorayshi/grindr-hiv-statusprivacy
  1. https://www.forbrukerradet.no/side/filing-complaint-against-grindrssharing-users-hiv-status-and-sexual-preferences/
  1. https://iapp.org/news/a/norwegian-dpa-to-fine-grindr-11-7m-for-alleged-gdpr-violations/.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: https://t.me/joinchat/L9vr7LmS9pJjYTQ9

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

LEAVE A REPLY

Please enter your comment!
Please enter your name here