A case brought in April 2024 before the High Court of England and Wales alleges that Grindrshared sensitive information, including users’ HIV status, with third parties for commercial purposesin breach of the UK’s data protection regime. Grindr is an LGBT+ social networking and dating app witha reputation for facilitating casual sexual encounters between gay men. On their profiles, Grindr usersare able to share personal health information, including their HIV status. Sharing such information before sexual intercourse is important since, in England and Wales, the transmission of a sexually-transmitted infection, such as HIV, when a sexual partner did not consent to the risk of infection can be prosecuted under the Offences Against the Person Act 1861 (seesection 71 of the Domestic Abuse Act 2021).
This litigation follows two high-profile reprimands against Grindr by European data protection agencies concerning the company’s sharing of user information. In December 2021, the Norwegian Data Protection Authority (Datatilsynet) fined Grindr NOK 65 million (roughly €5.7 million) for sharing user data without voluntary, specific, or informed consent under the EU’s General Data Protection Regulation 2016 (GDPR). The decision was upheld by Norway’s Privacy Appeals Boardand is nowbeing challenged by Grindr before the Norwegian courts. Subsequently, in July 2022, the UK’s Information Commissioner’s Office formally reprimanded the company after determining that it hadfailed to provide “effective and transparent privacy information” to its UK users in relation to the processing of their personal data.
UK’s Data Protection Regime
The cornerstone of the UK’s data protection regime is the EU’s GDPR, retained in domestic law following Brexit as the ‘UK GDPR’. The UK GDPR outlines binding principles for data processing, chief among which are the principles that data be processed ‘lawfully, fairly and in a transparent manner’ (Article 5(1)(a)) and that data is collected for ‘specified, explicit, and legitimate purposes’ and is not further processed in a manner incompatible with those purposes (Article 5(1)(b)). The general principles of Article 5 are expanded upon in later UK GDPR provisions. Most relevant for present purposes is Article 9 which regulates the processing of ‘special categories of personal data’.
HIV Status as Protected Data
Under Article 9(1), it is generally prohibited to process ‘special categories’ of personal data, including ‘data concerning health or data concerning a natural person’s sex life’. It is self-evident that an individual’s HIV status falls within this definition: it clearly concerns an individual’s health and it is also data concerning an individual’s sex life insofar as it relates to an infection capable of sexual transmission. Although Article 9(1) also covers data concerning sexual orientation, to interpret HIV status as concerning sexual orientation would be illogical as persons of all sexual orientations can be HIV-positive. In the UK, for example, the UK Health Security Agency’s 2022 ‘Positive Voices’ survey of HIV-positive Britons reported that 19% of the men and 95% of the women participating in the study identified as heterosexual. The claim against Grindralsoalleges thatinformation about users’ sexual orientation has been illegally shared, but this does not mean that data concerning an individual’s HIV status is, in principle, indicative of a person’s sexuality.
Accordingly, an individual’s HIV status canonlybe processed subject to one of a limited number of exceptions outlined in Article 9(2), the broadest being the exception under Article 9(2)(a) where the individual has given explicit consent to the processing of that personal data for one or more specific purposes. The Grindr claim alleges that explicit consent was not given by users. In other words, individuals’ HIV status – shared out of concern for the health of potential sexual partners – was allegedly exploited by Grindr for revenue,that data being passed to advertising companies and, potentially, fourth parties without users’ consent. Grindr could, foreseeably, argue that its disclosure is covered by the exception in Article 9(2)(e) – which allows for data to be processed which has been ‘manifestly made public’ by an individual – on the basis that a Grindr user’s HIV status is visible on their profile. The counterargument would ask whether sharing one’s HIV status on a profile only visible to other users of an app is data ‘manifestly made public’, particularly if the user does not explicitly identify themselves on that profile.
Taking advantage of an individual’s disclosure of their HIV status by sharing it for profit is an indignity. In the context of international human rights law, it may also engage State obligations to protect an individual’s private life. This question is examined in Part II of this blog.
