Reprimand issued to Disqus

The decision is based on assessments of the information that has emerged after our advance notification to the company of an administrative fine in 2021. Our conclusion is that Disqus had not obtained valid consent in accordance with the General Data Protection Regulation (GDPR) to disclose personal data to the parent company Zeta Global. The processing of the data subjects’ personal data was thus also contrary to the principle of legality, which is one of the fundamental principles of data protection.

A reprimand is an administrative sanction intended to emphasise criticism of the cited breach of regulations. Based on an overall assessment, the Data Protection Authority has concluded that a reprimand is the most appropriate form of response in this case.

Background

Disqus is an American company that provides public comment sharing solutions and programmatic advertising to websites. The Data Protection Authority became aware that Disqus had incorrectly assumed that the GDPR did not apply in Norway through media coverage in 2019. As a result, during the period 20 July 2018 to 12 December 2019, the company provided a public comment sharing platform to Norwegian websites intended for countries outside the EEA where the GDPR does not apply. During this period, personal data about internet users was shared between Disqus and the parent company without this being known to those responsible for the websites using the company’s platform. This activity was stopped in December 2019 when the discrepancy was discovered.