Ireland’s Data Protection Commission May Swipe Left on Tinder’s GDPR Compliance
On February 4, 2020, Ireland’s Data Protection Commission (DPC) announced an investigation into the dating app Tinder’s compliance with Europe’s General Data Protection Regulation (GDPR) in accordance with the co-operation mechanism outlined under Article 60 of the GDPR.[1] Tinder’s parent company, MTCH Technology Services Limited (“MTCH”), processes private personal data. It has been alleged that MTCH is in breach of the General Data Protection Regulation due to the way that the company deals with data processing and how it complies with its legal obligations to deal with data requests from account holders.[2] The DPC will set out to establish whether the company has a legal basis for the ongoing processing of its users’ personal data and whether it meets its obligations as a data controller with regard to transparency and its compliance with data subject rights requests.[3] However, this issue is not unique to Ireland—there have been complaints about Tinder from multiple countries. The DPC is taking the lead on this cross-border investigation under Recital 124 of the GDPR.[4] It said that the Tinder probe came about as a result of active monitoring of complaints received from individuals “both in Ireland and across the EU” in order to identify “thematic and possible systemic data protection issues.”[5] If the GDPR complaints are upheld, it could result in a multimillion-Euro fine for MTCH.[6]
The DPC released a statement saying, “The Inquiry of the DPC will set out to establish whether the company has a legal basis for the ongoing processing of its users’ personal data and whether it meets its obligations as a data controller with regard to transparency and its compliance with data subject right’s requests.”[7] In response to the DPC’s comments, MTCH issued a release, stating, “Transparency and protecting our users’ personal data is of utmost importance to us. We are fully cooperating with the Data Protection Commission and will continue to abide by GDPR and all applicable laws.”[8]
On February 20, 2020, the DPC published its 2019 Annual Report. One of the report’s major highlights is the DPC’s statutory inquiries in relation to “multinational technology companies’ compliance with the GDPR”—which now totals twenty-one inquiries.[9] However, there have yet to be any DPC decisions regarding any GDPR violations.[10] Rising anger from civil rights groups, privacy experts, consumer protection organizations, and ordinary EU citizens over the paucity of flagship enforcement around key privacy complaints is clearly piling pressure on the regulator.[11]The DPC handled 6,904 GDPR complaints in 2019, which is a 75% increase from 2018.[12]
The GDPR seems to be keeping agencies like the DPC quite busy, so it may take some time for this investigation to bear any fruit. It will be interesting to see whether or not the GDPR makes any decisions on this investigation or the other twenty open investigations in 2020. Will the DPC continue to see a rise in complaints due to the GDPR, or was 2019 a unique year because it was the first full year of the regulation? Only time will tell.
Footnotes