The Norwegian Data Protection Authority, Datatilsynet, has notified the comment platform Disqus that the authority intends to issue a fine of NOK 25 million to the company for having violated the Data Protection Act, GDPR.
Disqus is an American company, owned by Zeta Global, which offers commenting platforms that have previously been used by several Norwegian news sites. The company is also involved in advertising. The platform has previously also been used by several Swedish news sites.
According to The Data Inspectorate An investigation carried out by NRK has shown that Disqus has engaged in illegal tracking of visitors to Norwegian websites that have used Disqus’ plug-ins. This data has since been shared with third-party advertisers. Disqus must have been unaware that the GDPR also applies to Norway. Something that Disqu’s owner Zeta Global confirmed in an interview with NRK.
“We consider this infringement to be serious. Disqus has tracked which news sites and articles readers in Norway have visited. This has also been done without users’ knowledge,” the Data Inspectorate writes in a press release.
Disqus has argued that their actions could have a legal basis in the form of “legitimate interest”, even though the company was unaware that the GDPR applies to Norway.
The decision regarding the fine is not yet final. Disqus has the opportunity to comment on the whole thing until 31 May 2021, after which a final decision will be made.