The Spanish Data Protection Agency, the AEPD, has fined the professional Football League for failing to comply with basic regulations in the GDPR regarding trust and transparency. LaLiga accessed users' microphones without their consent through the LaLiga mobile app, with a view to discovering premises where LaLiga matches were being illegally streamed. With more than four million people affected, this was a major breach of GDPR legislation.
As announced by eldiario.es a year ago, the application was designed for a wildly different purpose: not to detect commercial premises screening football matches illegally. When users install the app they give their approval to LaLiga to remotely activate the microphone of any device with the app installed, so that an automatic system can detect ambient sounds in bars that emit a ‘pirate’ signal.
The Data Protection Agency sees LaLiga's procedures as ‘opaque’ and, since the spy function activates depending on the location, the AEPD interprets this as a collection of personal data. The AEPD has now instructed LaLiga that it must notify users every time this function is activated, as well as on installation of the app.
The AEPD states that, due to the nature of mobile apps, users may forget that they have provided consent in the first instance and should therefore be reminded when subsequently launching the LaLiga app. It is therefore necessary to provide additional information to the user when the capture of sensitive data is enacted. This can be done by means of icons that show users when the microphone has been activated to track sounds.
As well as failing to comply with Article 5.1 of the General Data Protection Regulation (GDPR), the AEPD considers that LaLiga has also violated Article 7.3, which states that the user has the right to withdraw his or her consent at any time. The AEPD gave LaLiga a month to make the company app compliant, or face the possibility of further sanctions.
However, LaLiga has rejected the AEPD's argument, denying that it violated any of the GDPR rules, as the technology and formula it used are common within the app market and comply with the law.
‘We will appeal this resolution,’ official sources confirm. ‘We deeply disagree with the interpretation that AEPD had made of this technology so far... and we sincerely believe that it has not made the necessary efforts to understand how it [the app] works’.
LaLiga has stated that the icon of the microphone ‘could be misleading’ and ‘even cause the user’s fear that LaLiga were listening to something, when this technology cannot capture human conversation’. Sources from the company explain that the system compares sound patterns through algorithms and not through voice analysis. The sound patterns registered with the user’s microphone are reconciled against LaLiga’s audio files. They assure that they ‘compare spectrograms in search of matches’. This is similar to how Shazam is able to identify songs that are heard in the background when users activate the microphone.
LaLiga denounces that the AEPD is using the sanctions as a way to explain its interpretive criterion. The National Court recently annulled a fine of €15,000 that the agency imposed on Google for the same reason.
However, LaLiga has said that next June it will close the system activation of microphones in its mobile applications, a decision it maintains has nothing to do with the sanction the AEPD had filed. The contract with the supplier has expired and it will no longer renew its subscription, due to it being experimental, amongst other technologies LaLiga has.
The operation of the spy mode to detect piracy requires the prior consent of the user. If the user confirms it, LaLiga can at any time remotely activate the microphone of the phone to try to detect whether the sound comes from a bar or public establishment where a football match is being screened without paying the fee established by the chain that owns the broadcasting rights, using the geolocation of the phone to locate exactly where that establishment is.
According to the specialised staff of LaLiga, ‘the signal that arrives is converted into binary code that is compared to the code of the transmission signal by an automatic system that performs the operation in less than one second. The signal is not recorded nor is it stored and nothing is analysed. It only checks if the code matches the original code of the broadcasting signal.’ LaLiga believes that the Data Protection Agency is ignoring the fact that there is no processing of personal data. ‘Even if we wanted to, even if we were ordered by a judge, we could not register conversations that are not even related to the piracy that we are pursuing. It’s simply not how the technology works.’ LaLiga uses a system developed by an external company for this.
However, regardless of purpose, users should be informed and have a choice whether to allow what is effectively a “Trojan Horse” application.