La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates
from the goooooooal dept
Roughly one year ago, we wrote about La Liga, the Spanish soccer league, pushing out an app to soccer fans that allowed the software to repurpose a mobile device’s microphone and GPS to try to catch unauthorized broadcasts of La Liga matches. The league publicized this information, which had previously been buried in obscure language in its TOS, as mandated by the GDPR. At the same time, the league attempted to brush the whole thing off as above board, claiming that what was in the TOS informed users of the app enough that their own mobile devices were being compromised and turned into copyright snoop networks.
If this all sounds like The Dark Knight Rises for European soccer… you aren’t wrong.
La Liga apparently was wrong, however, in its claims that all of this was okey-dokey.
While controversial, La Liga felt that it was on solid ground in respect of the feature and its declaration to app users. AEPD, Spain’s data protection agency (Agencia Española de Protección de Datos), fundamentally disagrees.
As a result, AEPD has hit La Liga with a significant 250,000 euro fine for not properly informing its users in respect of the ‘microphone’ feature, including not displaying a mic icon when recording.
The data protection agency said that La Liga’s actions breached several aspects of the EU’s GDPR, including a failure to gain consent every time the microphones in users’ devices were activated.
Now, the GDPR is an absolutely useless monstrosity in nearly every instance, but it’s actions — such as those taken against La Liga — fool everyone into thinking such laughably broad regulation is necessary in the first place. For any business to somehow think that it would be a good idea to compromise the mobile devices of its customers in order to catch pubs and bars, something like fining the business via the GDPR sure makes it seem like the GDPR is doing something. This is what poisons the well, in other words.
The pro-GDPR argument stemming from this example is undercut, however, by the fact that La Liga is arguing that it modeled its actions to very specifically follow the spelled out way the GDPR enables these kinds of privacy intrusions. This too is an argument we’ve made about the GDPR.
In a statement, La Liga says it “disagrees deeply” with the AEPD’s decision and believes the agency has “not made the effort to understand how the technology works.” Announcing it will go to court to challenge the ruling, La Liga says it has always complied with the GDPR and other relevant data protection regulations. Noting that users of the app must “expressly, proactively and on two occasions give their consent” for the microphone to be used, La Liga further insists that the app does not “record, store or listen” to people’s conversations.
“[T]he technology used is designed to generate only a specific sound footprint (acoustic fingerprint). This fingerprint only contains 0.75% of the information, discarding the remaining 99.25%, so it is technically impossible to interpret the voice or human conversations. This footprint is transformed into an alphanumeric code (hash) that is not reversible to the original sound,” La Liga says.
As if another test case was needed, the outcome of the appeal will certainly be one for the usefulness of the GDPR. Because if the outcome is that La Liga actually did comply with it, all while snooping on 3rd parties using the mobile hardware of customers that didn’t really know what was happening, that should be revealing.