The top Spanish football league, La Liga, has been fined around €250,000 for a breach of the GDPR by the Spanish data protection agency, AEPD.
In an effort to combat piracy of Spanish football live matches, La Liga allegedly used a smart phone app to collect users data without users’ specific consent. AEPD therefore levied the fine against La Liga for breaches of the GDPR’s Article 7 consent provisions.
AEPD claimed that, in breach of the GDPR, La Liga used the official app of the Spanish league to collect users’ audio and location data in order to identify bars and venues where streams were being illegally shown. Interestingly, the app did gain a user’s consent to access their microphones and GPS and this consent was freely given, as the giving of such consent was not a requirement to be able to use the app. However, the app did not inform users as to the purposes of why this data was collected and as such users had no information at all as to why their audio and location data was being collected. The AEPD decided this was a key factor, as they ruled that if the users were not aware why their data was being collected, then the consent was not specific enough.
The app covertly began to collect data when live matches were being shown. The app would collect audio data from the microphone of the user’s phone. This audio data was then compared with ‘control data’ held by La Liga. If the two data sources produced a match, La Liga would know whether a particular match was being watched. La Liga could then use the phone’s GPS function to pinpoint the location of where the match was being shown, and identify if that bar or venue had the rights to show live matches.
La Liga have appealed against the decision, arguing that the app doesn’t actually access the audio fragments collected, since they are automatically converted into a binary code which is then only used to see if it matches the control code. However, AEPD have taken a hard line against La Liga and decided that the form the data was collected in is irrelevant. Further, AEPD went on to state that data subjects were not specifically informed of the intended use of their phone’s microphone and GPS functions, and therefore consent was not specific enough, voiding any consent the user may have given to allow access to these features.
Although piracy is a real issue for sports broadcast rights holders, the AEPD has made it clear that there is no justification for the breach of the GDPR and the circumvention of the data subject consent provisions by not telling users of the intended use of their data.