La Liga Fined €250K For Breaching GDPR While Spying on Piracy
Spanish soccer league La Liga has been fined 250,000 euros by local data protection agency AEPD. The penalty comes after La Liga deployed a controversial feature in its Android app which activated device microphone and location services in an effort to identify establishments airing matches without a license.
With millions of fans around the globe, Spain’s La Liga soccer league is one of the most popular in the game.
To allow fans to keep up with all the latest news, La Liga offers an Android app with a number of features including schedules, kick-off times, and the all-important results.
Controversially, however, the app also has a surprising trick up its sleeve.
After gaining consent from users, La Liga’s software turns fans’ phones into spying devices which are able to analyze their surroundings using the microphone, listening out for unauthorized broadcasts in bars and restaurants, for example. This audio, collected Shazam-style, is then paired with phone GPS data to pinpoint establishments airing matches without a license.
The feature was outlined in the app’s privacy policy along with stated uses that include combating piracy.
“The purposes for which this functionality will be used are: (i) to develop statistical patterns on soccer consumption and (ii) to detect fraudulent operations of the retransmissions of LaLiga football matches (piracy),” the policy read when first uncovered last summer.
While controversial, La Liga felt that it was on solid ground in respect of the feature and its declaration to app users. AEPD, Spain’s data protection agency (Agencia Española de Protección de Datos), fundamentally disagrees.
As a result, AEPD has hit La Liga with a significant 250,000 euro fine for not properly informing its users in respect of the ‘microphone’ feature, including not displaying a mic icon when recording.
The data protection agency said that La Liga’s actions breached several aspects of the EU’s GDPR, including a failure to gain consent every time the microphones in users’ devices were activated.
In a statement, La Liga says it “disagrees deeply” with the AEPD’s decision and believes the agency has “not made the effort to understand how the technology works.” Announcing it will go to court to challenge the ruling, La Liga says it has always complied with the GDPR and other relevant data protection regulations.
Noting that users of the app must “expressly, proactively and on two occasions give their consent” for the microphone to be used, La Liga further insists that the app does not “record, store or listen” to people’s conversations.
“[T]he technology used is designed to generate only a specific sound footprint (acoustic fingerprint). This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%, so it is technically impossible to interpret the voice or human conversations. This footprint is transformed into an alphanumeric code (hash) that is not reversible to the original sound,” La Liga says.
AEPD has ordered La Liga to introduce new mechanisms to ensure that users are properly notified when the anti-piracy features of the app are in use. However, La Liga says it has no need to implement them because at the end of the current season (June 30, 2019), the functionality will be disabled.
“La Liga will continue to test and implement new technologies and innovations that allow us to improve the experience of our fans and, of course, fight against this very serious scourge that is piracy,” the league concludes.