Norway’s Data Protection Authority intends to levy a 25 million kroner ($3 million) fine against the San Francisco-based comment-sharing platform Disqus Inc. for multiple breaches of EU privacy law.
According to a notice on Wednesday from the data regulator, Disqus used a plugin linked to comment fields to track thousands of visitors to Norwegian websites without asking for prior consent. An investigation by national broadcaster NRK, whose online platform was one of those affected, resulted in the U.S. company being reported to the regulator in 2020.
While Norway isn’t an EU member, it adheres to most EU law—including the blocwide General Data Protection Regulation, or the GDPR—through its membership of the European Economic Area, or the EEA.
Personal data, including internet protocol addresses and browsing history, were passed on to the company’s advertising partners between May 2018 and December 2019, the regulator said.
The practice of processing personal data without consent entailed a serious GDPR breach, according to the regulator. The fact that data subjects weren’t given adequate information about the company’s tracking practices was an aggravating factor, it said.
Following the NRK report, Norway’s data regulator asked Disqus a series of questions. Disqus responded by stating that the cookies had been “placed in error” and weren’t knowingly used to target Norwegian data subjects.
It also questioned whether the regulator had legal jurisdiction to issue sanctions as “neither Disqus nor its parent Zeta Global has any business operations in Norway.” The regulator rejected this argument.
“Regardless of whether or not they are citizens, if you process data about people in the EU or the EEA then the GDPR applies,” Data Protection Authority Head of International Affairs Tobias Judin said Thursday. “In other words, if you operate in that market, you need to be very diligent as the GDPR may apply to you. Ignorance is no excuse for breaking the law.”
Disqus and Zeta Global didn’t respond to a request for comment Thursday.
“Regardless of whether it is located inside or outside Europe, any company that processes personal data about natural persons within the EU or EEA as a data controller can be subject to the GDPR,” Advokatfirmaet Thommessen attorney Christopher Sparre-Enger Clausen said. “This was well-known long before the law came into force in 2018. The scope of GDPR is one of its main features.”
The fine, if confirmed, would be the second largest to be issued by the nation’s data regulator, he said. The online dating platform Grindr was fined 100 million kroner ($12 million) in January.
“The fine should be seen as a wake-up call for companies that process customer data for marketing and analytic purposes,” Sparre-Enger Clausen said. “In my experience, many still process personal data, including cookies, without providing the data subjects with the required information or assessing the lawfulness of the processing.”
Disqus has until May 31 to comment on the provisional ruling, and any statement will be factored in before a final decision is made.
To contact the reporter on this story: Marcus Hoy in Copenhagen at firstname.lastname@example.org