Online dating app Tinder told the Irish Data Protection Commissioner it was not obliged to release “deeply private” information, such as entire chat logs, to users who requested their data under strict privacy laws.
The DPC launched an inquiry into Tinder on Tuesday over concerns about how it processes users’ data and its compliance with “subject rights requests” – when an individual user requests all information a company holds on them.
The inquiry was not launched in response to a specific complaint, although several were made to the DPC by users over how Tinder handled their data.
Correspondence between the DPC and Tinder relating to one complaint was posted online by PersonalData.io, a privacy website. It shows the complainant argued that he was given “merely a subset” of the data held on him following a subject rights request.
‘Unauthorised disclosure’
The company told the complainant that it would not release messages he had received from other users on the platform. In correspondence with the DPC last May, Tinder said there was “potential for deeply private information to be shared during the exchange of messages”.
It said that it would not provide the messages the complainant was sent by other users, nor any other data related to other Tinder users “as this would lead to the unauthorised disclosure of other users’ personal data and would not align with their reasonable expectations that their usage and the messages they send on the Tinder platform are private”.
Privacy expert Simon McGarr said subject access requests showed the scope of data gathered by companies about their users, but he also said there are limits to what will be made available to users.
The DPC also announced a separate inquiry into Google’s use of location data. Tinder said it was co-operating with the DPC and abides by all relevant laws.