It has been reported that Campeonato Nacional de Liga de Primera División (aka "La Liga") has been fined €250,000 by the Spanish Data Protection Authority (the AEPD) for various infringements of the General Data Protection Regulation (GDPR). Spanish media outlet Eldiaro [Spanish text] says that the fine relates to La Liga's mobile app, used by around 4 million people. It appears that the app was able to remotely activate the microphone of users' mobile devices to try to determine, from surrounding noise, whether the user was in a location (such as a bar) streaming La Liga's content unlawfully.
Although La Liga had, it seems, no intention (and presumably no basis) to take action against app users for any intellectual property rights violation, the AEPD has found that La Liga infringed GDPR's obligation to process personal data transparently, and that, although users were informed of the "listening" functionality when installing the app, they should also have been informed each time the microphone was activated. The AEPD also found that La Liga's reliance on users' consent as a basis to process the data was flawed.
However, La Liga is said to be appealing the fine, possibly on the basis that the activities undertaken were not actually processing of personal data. Should La Liga be able to back this up, then GDPR simply would not apply to the activity, and the AEPD's power to serve the fine would be removed.
Coming on the back of the French Data Protection Authority's €50m fine for Google, also for infringements of the GDPR transparency principle (a fine which is also being appealed), these developments illustrate the importance for developers and their clients of being open and clear with users of apps about what data is being processed, and for what purposes. This is particularly the case where novel or intrusive operations are being envisaged.
Sports and entertainment rights holders will be looking at this decision with great interest as they are consistently looking at ways to ensure that they are able to protect the valuable rights that generate riches for participating clubs and stars.
Recent efforts to combat anti-piracy activities have focussed on targeting ISPs – forcing them to block well-known sites that allow fans to by-pass traditional pay-per-view models under niche elements of copyright law. Before that, these organisations, particularly in the UK and Europe, were reluctant to directly pursue individual fans due to the negative publicity associated with such activities.
However, the fact that La Liga have now openly accepted that they were using the App in order to combat these types of issue suggests that we are now seeing a new front open up in attempts to combat piracy.
Sporting clubs and other organisations will also now need to be extra careful with their own use of technology – ensuring that appropriate data protection impact assessments have been carried out when using Apps to conduct what could be seen as intrusive activities Apps – so that they don't fall foul of the GDPR, which came into force a little over a year ago.
Finally, fans themselves, who like the public at large, appear to be starting to pay more attention to their data subject rights may view this as troubling – and decide to use other official apps and services that protect their privacy rights or at least are more transparent about how such data are used.