There is much speculation about the data technology companies collect on us and what they do with it, including countless theories on unethical practices. What does Tinder infer when two users’ phones are in the same location? Do they track how long the phones stay in the same place for and any joint change of location? Do they analyse user sentiment and sense of humour?
However, theoretically, we shouldn’t have to speculate, because us Europeans all have the right to know. This article gives an account of my attempt to find out exactly what data Tinder collected on me, processed and stores.
In May 2018 the General Data Protection Regulation (GDPR) was fully implemented across the EU, following a two year grace period. It is thought to fundamentally reshape the way in which data is handled across every sector, from advertising to banking to healthcare to… dating.
I requested to be provided with all of the information collected on me. However, as you can see on the screenshots presented in this blog post from 2018, Tinder gives you almost none of it. So instead, I tried to exercise my rights by continuously engaging with Tinder via email over several months requesting all of the data they hold on me. Since all I got was a number of unsatisfactory responses, I raised a GDPR complaint against Tinder. Or to be precise, against MTCH Technology Services, a Dublin based company acting as the data controller for Tinder, OkCupid, Plentyoffish and other companies.
Timeline of Events
- 2 June 2018 – I submitted my Subject Access Request (SAR) to Tinder via email.
- 8 June 2018 – Tinder responded to my SAR, informing me that I could download my personal information from their website.
- 10 June 2018 – I informed Tinder that I was not satisfied with their response to my SAR. I stated that I only received a subset of the information I believe it holds in regard to myself.
- 11 June 2018 – Tinder replied stating that they could not provide me with information in relation to other users.
- 3 July 2018 – After the statutory delay of 30 days, I submitted my complaint to the Information Commissioner’s Office (ICO) in the UK, where I live.
- 17 September 2018 – The ICO let me know that the organisation I have raised a complaint about has its main establishment in Ireland and therefore would fall under the Irish supervisory authority.
- 25 February 2019 – I submitted my complaint to the Data Protection Commission (DPC) Ireland.
- 16 May 2019 – The DPC accepted my case and assigned an Assistant Commissioner.
- 17 May 2019 – The DPC got in touch with Tinder to inform them that they act as the Lead Supervisory Authority in relation to my complaint.
- 29 May 2019 – Tinder replied with a wordy letter stating they are happy to co-operate followed by three pages making a case for having “provided the data subject with access to the relevant personal data”.
In summary, for the last 13 months, Tinder got away with claiming to have given me all of my data. The following quote from their letter illustrates their stance and overarching argument:
Requests outside Scope of Right of Access
As with any right, a data subject’s right of access is not without restrictions. In this case, we provided the data subject with a significant amount of statistical data so that he could understand how he used the Tinder app (on any given date: how many times he opened the app, how many times he liked other users, passed other users, matched with other users, how many messages he sent and how many messages he received). Requests for further granular information would far exceed the scope of the right of access under the GDPR, and it would not be reasonable or proportionate for Tinder to be obliged to search for, structure and provide this information.
If this is all it takes to rebut a GDPR complaint, then the regulation seems to have failed its purpose.
Can you help?
I am hopeful that with the help of the Irish Data Protection Commissioner I will, at some point, be able to exercise my rights. Speaking on the phone to them today 9 August 2019, they said they’d be able to give me an update on my case within 2 weeks.
However, I’d be grateful for any help to support my case. If you are, or have connections to, an activist, journalist, lawyer or data expert and think that you can help my case in any way, please do get in touch.