29 January 2020

Data Blast: Dating app Grindr faces data sharing complaint; new cybersecurity guidance for medical devices; another £500K fine for poor data security; Canada looks to Europe for a new data law

GDPR complaint filed against dating app Grindr

The Norwegian Consumer Council has lodged a complaint with the European Data Protection Supervisor (EDPS), asserting that the data processing practices of Grindr, a dating app directed exclusively at LGBTQ users, share personal data with its advertising network in breach of the General Data Protection Regulation (GDPR). The collection and sharing of user data with advertising partners is common across mobile and online advertising networks. In the mobile environment (such as here), various Software Development Kits (SDKs) are available to allow third parties to target advertising to users of a particular app. The complaint seizes upon the widely used MoPub SDK, as well as the named advertising networks AppNexus and OpenX. The focus of the complaint is an alleged lack of consent from users of the Grindr app for the processing of their personal data.

What sets the complaint apart is that it is asserted that because of the exclusive focus of Grindr on LGBTQ users, all personal data which can be linked to the use of the app is ‘special category’ data, and that consequently only the explicit consent of users can serve as a legal basis for processing in accordance with the GDPR. This does not mean, however, that the complaint is not relevant to the wider online advertising ecosystem:

  • It is increasingly possible to infer special category data about individuals (including, for example, sexual orientation), when non-special category data such as geolocation data from a mobile phone is processed in combination with other data. In such a case, an advertiser relying on that inferred characteristic will need to identify a condition under Art. 9 of the GDPR to permit that data processing, i.e. explicit consent of the data subject will be required.
  • The complaint also raises, as an alternative argument in the event that Grindr data is not found to be special category data in its entirety, that online tracking to enable targeted advertising is not a ‘legitimate interest’ which can permit the processing of a user’s personal data without their consent. The UK Information Commissioner’s Office (ICO) has previously investigated the way in which personal data is used to target online advertising to consumers (relying on what is called Real Time Bidding, or RTB), concluding that the RTB system as it stands is not compliant insofar as it relies upon a legal basis other than user consent. A grace period was provided in order to bring RTB processing into compliance, but that period has now elapsed.

We will be monitoring the progress of this complaint, as well as any developments in the ICO’s position on RTB online advertising.

New guidance on cybersecurity issued for medical devices

The Medical Device Coordination Group (‘MDCG’) has recently published new guidance to assist manufacturers of devices in satisfying the cybersecurity requirements of the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR) (the ‘Regulations’). The MDCG includes representatives from all EU member states and is chaired by a representative of the European Commission.

Both Regulations came into force in May 2017, and are being applied progressively until May 2020 for the MDR and May 2022 for the IVDR. Medical device cybersecurity, and the risk of serious incidents, is a growing concern as devices and in vitro diagnostics become ever more sophisticated and embedded in healthcare systems worldwide. The new guidance addresses both the pre-market and post-market requirements of the Regulations, with the stated aim of assisting companies to achieve ‘an adequate balance between benefit and risk during all possible operation modes of a medical device.’

The guidance classifies cybersecurity as being either ‘weak’, ‘restrictive’ or ‘strong’. For example, cybersecurity may be considered weak if the design of an implantable cardiac device allows a malicious operator to interfere with the device. On the other hand, cybersecurity may be considered too restrictive if medical personnel are not able to access a device and the information it holds during an emergency. The guidance states that strong cybersecurity measures are required in normal operating conditions.

The guidance highlights how manufacturers should consider cybersecurity requirements in accordance with each type of device, and that devices should be designed so that risks are ‘removed or minimised.’ Manufacturers are also required to share and disseminate cybersecurity information and vulnerabilities, and to effectively respond to incidents.

The guidance also makes it clear that manufacturers should monitor the security of devices throughout their operational lifetime, and evaluate outcomes and take appropriate measures to mitigate any risks with future models.

The MDCG’s new guidance can be found here.

Dixon’s Carphone fined £500,000 by ICO

On January 7th, the UK ICO issued a £500,000 fine to Dixon’s Carphone, after a hack of their retail store tills exposed the data of roughly 14 million individuals.

The ICO’s investigation report found that the hack went unidentified for close to 10 months, from July 2017 until April 2018, when it was finally spotted. The hack resulted in upwards of 5.6 million payment cards being exposed, including account numbers and expiry dates, in addition to non-financial personal data including names, addresses, phone numbers and dates of birth.

The ICO reported that Dixon’s was unable to confirm the total number of affected customers, but Dixon’s has estimated that the personal data of 14 million customers was likely compromised.

Dixon’s ran afoul of the Data Protection Act 1998 (DPA 1998) for ‘poor security arrangements and failing to take adequate steps to protect personal data’, including insufficiently patching software, a lack of network segregation and security testing, and the lack of a local firewall. The ICO’s director of investigations stated that there had been ‘systemic failures’ in how Dixon’s maintained its customer data.

This fine may sound familiar, as last year the ICO fined Carphone Warehouse £400,000, stemming from an investigation which found similar vulnerabilities in their data security practices.

Both Dixon’s and Carphone Warehouse were fortunate in that their data breaches occurred under the DPA 1998, when the maximum fine available to the ICO was £500,000. Since the implementation of the GDPR and the Data Protection Act 2018, the ICO and other European data protection authorities can now fine companies up to 4% of annual global turnover or €20 million, whichever figure is higher. This new fining power was exercised last summer, when the ICO issued its notice of intention to fine British Airways £183 million (which was previously covered here).

While both Dixon’s and Carphone Warehouse were fortunate to be fined under the DPA 1998, this case serves as a reminder to companies that, by failing to properly secure customer data, they may open themselves up to considerably larger fines in the future.

Canadian government to pursue new data protection law including a ‘right to be forgotten’

Mandate letters sent to two ministers in Prime Minister Justin Trudeau’s new cabinet indicate that the government will be moving forward with the introduction of new data protection legislation during the current parliament. The initiative is to include a ‘digital charter’ for Canadians, setting out individuals’ rights over the use of their personal data, and strict penalties for businesses that fail to comply with the law.

Also referenced in the ministers’ letters is a right to erasure (or so-called ‘right to be forgotten’) similar in terms to Article 17 of the GDPR. One Canadian minister has said that the government is actively studying data protection laws in Europe and California, to identify model approaches to be adopted.

One area already raising concerns is the suggestion that individuals whose personal data is used in breach of the law will be entitled to seek ‘appropriate compensation.’ Whilst little clarity has been offered as yet, speculation has begun as to how such compensation will be achieved; for instance, will the government seek to provide new remedies beyond the existing mechanisms for individual and collective (‘class action’) lawsuits? Whatever direction the legislation ultimately takes, it is clear that Canada will continue to look to Europe as a blueprint for regulating the use of personal data.

Met Police to begin use of facial recognition technology

On January 24th, the Metropolitan Police Service (MPS) announced that it will begin the operational use of Live Facial Recognition (LFR) technology in specified locations around London.

The London police force has been trialling LFR since 2016, and the technology will be deployed in locations where intelligence suggests the MPS is most likely to locate serious offenders. We have previously reported on the English court’s important decision relating to the use of LFR by the South Wales Constabulary (here), as well as the ICO’s Opinion issued shortly after that decision (here).

The MPS has stated that the LFR cameras will be clearly signposted, and that it will deploy officers in the targeted locations to hand out leaflets regarding the activity. The ICO has acknowledged that ‘an appropriately governed, targeted and intelligence-led deployment of LFR may meet the threshold of strict necessity for law enforcement purposes’, while stating that it will continue to monitor the MPS’s use of the technology going forward.

For more information please contact Partner, James Tumbridge at