La Liga has taken substantial flak for tapping into microphones and geolocation services in fans‘ phones in a bid to root out piracy.
Spain’s national data protection agency AEPD has slapped a fine of €250,000 (US$280,000) on the country’s top-flight football league, La Liga, for failing to make it adequately clear to users of its Android app that the app can activate microphones on their phones as well as monitor their location, according to the Spanish daily El Diario.
You may recall our report from a year ago (exactly to the day, in fact) about La Liga’s rather unusual approach to tackling pirate broadcasts of soccer games – by enlisting the help of its app’s users. More precisely, the app would ask for access to the microphones on the fans’ handsets in order to record their surroundings and check if the captured audio fingerprint matched up with the sound of a soccer broadcast. Together with GPS data also collected by the app, this was intended to pin down the locations of bars and other public venues that might be showing games illegally. The functionality provoked an outcry, with many people claiming that the app was essentially turning them into spies and their phones into bugging devices.
Fast forward 12 months, and the Spanish data watchdog concludes that La Liga violated European Union rules about consent and transparency.
Here’s the kicker
While the app does request– twice in fact, according to La Liga – user permissions to activate the microphones and GPS services, AEPD maintains that this is communicated in an “opaque” manner. Additionally, the agency says that the consent should be requested every time the mic is activated, because the practice amounts to the collection of personal data. According to AEPD, La Liga also violated the EU’s General Data Protection Regulation(GDPR) by failing to enable users to withdraw their consent at any time.
La Liga would have none of this, however. In a statement, Spain’s premier soccer league said that it will challenge the decision in court, noting that AEPD made no effort to understand how the technology works. The league also reaffirmed what it’s said before – that the technology doesn’t make it possible to listen to users’ voices and conversations and that there is no way to turn the sound footprint back into the actual content of the recording, hence there’s no collection of personal data to begin with.
La Liga also claims that the captured audio snippet is automatically converted into a binary code on the device itself. The code is then compared to a reference database and, if there’s no match between the two, the former code is discarded. The feature was introduced with an update on June 8, 2018.
Either way, the league said that it will kill the functionality by June 30, although not exactly in response to AEPD’s decision. Rather, La Liga called the feature “experimental”, adding that it won’t extend its contract with the technology’s provider after it expires at the end of this month. Nevertheless, the league said that it will continue to test new technologies in its fight against unlicensed broadcasts of soccer games, which it says cost Spanish soccer €400 million (US$450 million) in lost revenues each year.
The app has more than 10 million users, including 4 million in Spain. Its main functionality is to deliver scores, news, highlights from the top flight of Spanish football.
written by Tomas Foltyn, ESET We Live Security