In an increasingly digital world, most of us have access to and use multiple apps on our phones on a daily basis. Our data is often collected and shared by companies behind those apps. A case in point is dating apps- popular means for LGBTQ+ people to connect and socialise.

For LGBTQ+ people, personal data around sexuality can sometimes be classified as sensitive information. It is therefore important to know why the European Union has introduced laws which seek to protect people’s personal data in such contexts.

The EU’s General Data Protection Regulation, commonly referred to as GDPR, is a law that the EU adopted in 2016, with EU Member States given until 2018 to put it in place in national law. The aim of GDPR is to protect the use of EU citizens’ personal data and is applied to any organisation that operates within the EU. 

The purpose of GDPR is to ensure an individual’s fundamental rights, by protecting the processing and transferring of your personal data. Personal data includes any information that identifies a person either directly or indirectly. This type of data can include your name, phone number, email address, online username, age or location. 

Many companies collect this data for various reasons; in exchange for a service they offer; to amplify a service that they provide; or in exchange for offering that service for free. Phone applications (apps) are an example of where individuals consent to sharing their personal data with companies or organisations, in order to access services, to connect with others or to access an otherwise paid service for free.

Under GDPR, for organisations to collect your personal data they must clearly and concisely request consent for your data to be collected and processed. They must outline what data will be collected, the purpose of the data being collected, who will have access to the data and if this data will be transferred outside the EU. 

GDPR also states that individuals should freely give consent to the specific data that will be collected and processed. In addition, companies must make it easy for individuals to request a copy of the data they have stored. Of course, the type and amount of data will vary depending on the organisation, however, it can be up to 800 pages in length, as one journalist found out when they requested their data from Tinder.

Each EU Member State has a national body responsible for monitoring and ensuring that organisations are following the obligations set out by GDPR. These bodies can launch investigations into how organisations are collecting, using, and sharing data; inform individuals of how their data is being used and recommend legal proceedings. This body in Ireland is the Data Protection Commission.  

In 2018, discussions resulted in GDPR being included in the European Economic Area (EEA) Agreement, which resulted in GDPR being part of national law in three EEA countries, namely Iceland, Liechtenstein and Norway. As a result, Norway’s application of GDPR resulted in one of largest fines issued to a dating app company in 2021, after investigations into Grindr. 

Dating apps use large amounts of personal data including name, email, age and location – preferences that other apps may not collect. As Grindr’s purpose is to cater to members of the LGBTQ+ community, it collects data on users’ sexual orientations. This type of data has additional protections under Article 9 of GDPR, entitled ‘Special Categories of personal data’. 

The Norwegian Data Protection Authority began its investigation after the Norwegian Consumer Council found in 2020 that Grindr had shared “certain categories of personal data to several advertising partners, including advertising ID, IP address, GPS location, gender, age, device information and app name”. The investigation found that “Grindr did not comply with the requirement of ‘informed’ consent for individual’s data to be shared with third parties”. 

As well as this, the Norwegian Data Protection Authority highlighted that due to the nature of the data collected, in particular around sexual orientation, that additional measures were needed to protect users’ data. As a result of the investigation the Norwegian Data Protection Authority fined Grindr, in December 2021, 65 million Norwegian kroner, equivalent to €6.35 million. 

Grindr now provides information on their EEA and UK Legal Bases For Processing page, which includes the legal basis for processing users data under Article 6 of GDPR.

While sometimes what the EU does, in terms of laws and protections for citizens, might seem distant or intangible, GDPR is an example of how EU rules impact people in Europe directly. GDPR ensures the rights of citizens by protecting the use of their data by companies and organisation that operate in the EU and EEA, including online services and apps.

Ciarán O’Driscoll and Elizabeth Moody work with European Movement Ireland, an NGO working on European affairs.