Monday, June 17, 2019
At the end of another compelling football season punctuated with some notable off-the-field incidents like the Leeds United ‘spygate’ incident which resulted in a hefty fine, it turns out that La Liga (the Spanish football league) has been punished for alleged unwarranted surveillance. The Spanish Agency for Data Protection (AEPD) has fined La Liga €250,000 for breach of the transparency principle of the GDPR in the use of a mobile app which allows users to follow results of matches live.
The app, which is used by over 4 million people in Spain, contains a function whereby La Liga could remotely activate the microphone in order to detect from the surrounding sounds whether the user is in a bar. La Liga was apparently using this function to detect whether the app was being used for illegal streaming purposes.
The AEPD was of the opinion that the consent provided by the data subject at the time of installation of the app was not sufficient to justify the ongoing use by La Liga of the so called “spy function”. The AEPD formed the view that users of the app were not provided with sufficiently clear information that La Liga could use the microphone in this way. The AEPD felt that, due to the nature of the data collection (as they saw it), individuals should be alerted to the fact that this function is being used every time it is activated. The AEPD also pointed out that there was no means by which the data subject could withdraw their consent which is one of the conditions required for valid user consent set out in Article 7 of the GDPR.
Although AEPD has flagged La Liga offside, its decision must go to the data protection equivalent of the VAR. La Liga has announced that it will be challenging the decision stating that the sound recorded provides a sound footprint only and individual voices cannot be identified. As such, it is La Liga’s position that no personal data is actually collected when the microphone is activated. La Liga is stating that “the AEPD has not made the necessary efforts to understand how the technology works”. La Liga maintains that the app is compliant with data protection principles pointing out that users of the app must consent twice before their microphone is activated.
This case highlights the difficulties organisations face in using consent as a legal basis for the processing of data – something that many organisations have been struggling with since the GDPR came into force. In particular, this case raises the important question as to how long “consent” can last even if it was validly obtained in the first place. No matter the outcome of the appeal in this case it serves as a reminder to organisations that they would be well advised to seek to rely on alternative legal bases (rather than “consent”) for the processing of personal data.
As corporate partner and sports law expert, Eoin Brereton, commented: “In an era where sporting broadcasters are fighting an uphill battle against illegal streaming, the implications of this finding represent a powerful warning to such organisations to take care in the methods they use to crack down on illegal streaming and to at all times ensure that such methods are in compliance with the law.”
For further information on this topic please contact our Data, Privacy and Technology team.