22 Mar The recent decision issued by the Italian Supervisory Authority against an online dating website

Authors: Isabella Oldani, Miriam Andrea Fadda, Andrea Strippoli

In a decision issued on 7 December 2023,[1] the Italian Supervisory Authority imposed a fine of 200,000 euros on an operator of an online dating website for unlawfully processing of personal data of its users, including personal data on sexual preferences and orientations. This is the first decision of the Italian Supervisory Authority against a dating website.

At  the time of registration on the platform, users are required to provide various personal data, such as their email address, region and city of residence, as well as their dating interests and photos. The website then suggests some profiles of other users based on the information provided.

As a result of its investigation, the Supervisory Authority found that several data protection principles have been violated by the operator of the website in question.

The violations identified by the Italian Supervisory Authority

Following its inspections, the Supervisory Authority found that the company failed to set up an adequate privacy notice. This was found to be in violation of the principle of transparency. Moreover, the company did not identify a legal basis for the processing of personal data revealing the sexual orientation and preferences of its users pursuant to the requirements of processing of data under the scope of Article 9 GDPR, e.g., the explicit consent of the users. Consequently, the company also failed to put in place a procedure for collecting such consent at the time of registration, which resulted in a violation of the principle of lawfulness.

In addition, the company did not adopt an adequate data retention policy. In particular, the Supervisory Authority found, among other violations, that the company did not identify clear retention periods for the deletion of personal data pertaining to users who made use of the free trial without subsequently purchasing a subscription. Moreover, the investigation revealed that the users’ photos were stored within the company’s systems even after the user deleted their user profile. The pictures were, however no longer accessible to users. In this respect, the Supervisory Authority clarified the nature of such photos as personal data despite the claim raised by the company in its defence, that these could be qualified as “anonymous” data. The Supervisory Authority rejected the argument put forward by the company, noting that, even if photos are not linked to users’ personal data, by their very nature, they contain specific elements of the physical traits pertaining to individuals featured in those pictures. The individuals could thus still be identified based on those traits.

The Supervisory Authority noted that, while a 10-year retention period starting from the deletion of a user’s profile may be justified with respect to certain categories of personal data e.g., those necessary for billing purposes, such a timeframe would be disproportionate with respect to users’ profile data. This is because they are likely to include sensitive personal data relating to their sexual orientation and/or sexual life. Therefore, the Supervisory Authority reiterated the importance of identifying retention periods that are strictly related to the purposes for which the data are collected.

The Supervisory Authority also questioned the adequacy of the security measures implemented by the company, especially given the specific type of service and the categories of personal data processed, including photos that may have explicit content and would therefore require special protection. This would justify the implementation of specific security measures proportionate to the risk, including measures for the prevention of abusive/unauthorized access. As mentioned, similar measures were not implemented by the company, which resulted in a violation of the principles of integrity and security of the processing of personal data.

Conclusion

It is worth recalling that the processing of special categories of personal data in the context of the use of dating apps (although the same concept is naturally applicable to other contexts as well) deserves special attention. This was also recently highlighted by the Norwegian Data Protection Authority in its decision against the Grindr app.[2] In the context of this latter decision, the Norwegian Supervisory Authority noted that the categories of personal data that fall under the scope of Article 9 GDPR shall be identified in light of the purpose that the said article aims to: ensure a strengthened level of protection to individuals who might be exposed to prejudice and/or discrimination on the basis of their sexual preferences or orientations. In the opinion of the Norwegian Supervisory Authority, this applies irrespective of whether there is evidence that the processing has caused or is likely to cause harm to the data subjects and whether the data are likely to reveal a specific orientation as opposed to another. Attention should in fact be placed on the possible impact of the processing activity in question on the fundamental rights and freedoms of the data subjects, especially in the event of misuse and/or violation of such categories of personal data.

[1] Italian Data Protection Authority (Garante per la protezione dei dati personali), decision of 7 December 2023, doc web 9978568, https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9978568.

[2] Norwegian Data Protection Authority (Datatilsynet), decision of 13 December 2021, 20/02136-18, https://www.datatilsynet.no/en/regulations-and-tools/regulations/avgjorelser-fra-datatilsynet/2021/gebyr-til-grindr/. It is worth mentioning that this decision was appealed by Grindr and subsequently upheld by the Privacy Appeals Board. More information is available at the following links: https://www.datatilsynet.no/en/news/aktuelle-nyheter-2022/datatilsynet-har-mottatt-klage-pa-overtredelsesgebyr-i-grindr-saken/, https://www.datatilsynet.no/en/news/aktuelle-nyheter-2023/record-fine-grindr-confirmed/.