Spain – Liga fine for microphone access upheld
The Spanish High Court, Audiencia Nacional, has upheld the €250,000 fine imposed on La Liga by the Spanish data protection authority (“AEPD”). The fine was for failing to provide users with clear and transparent information about the fact that its App accessed the microphone on their phones.
Background
This case arose when an App provided by La Liga to show official football scores remotely accessed its 10+ million users’ microphones and geolocation information.
While on the face of it, this appears to be an outrageous privacy infringement, in practice that access was solely to fight piracy by determining whether a user is in a bar or public place that is illegally broadcasting live games. The App also only captured an acoustic fingerprint of the broadcast signals in the background, not understandable audio.
La Liga stated that the App uses Shazam-like technology to identify whether such identified broadcast signals match paid broadcast signals at the user’s location. This acoustic fingerprint is converted to a hash value that cannot be later reversed to access the original sound.
Nonetheless, the AEPD decided to impose a €250,000 fine on La Liga for the violation of the transparency principle of the GDPR, i.e. the requirement that personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subjects (Article 5(1) GDPR).
La Liga appealed the AEPD’s ruling arguing that it had appropriately informed the users and obtained their consent when the user downloaded the App.
High Court upholds the finding of lack of transparency
The Spanish High Court, Audiencia Nacional, dismissed La Liga’s appeal as unfounded and upheld the AEPD’s ruling and fine.
The Court supported the AEPD’s view that it was not sufficient for La Liga to inform the users of the collection of their audio at the moment of downloading the App. Instead, La Liga is required to inform the users each time its App accesses their microphones, which is when the data processing takes place.
In particular, La Liga could comply with such transparency requirements by showing an icon on the phone screen when the App accesses a user’s microphone. The AEPD also noted that the App was in fact showing an icon when tracking a user’s location and that it is unclear why the App failed to show a similar icon when accessing a user’s microphone.
Transparency and purpose of processing
The Court also decided that La Liga must also consider the purposes of the data processing when addressing the GDPR’s transparency requirements.
The main purpose of the popular La Liga App is to provide users with live football scores, results, standings, and match details. Only as a secondary purpose, might users also give their consent and help La Liga tackle audio-visual piracy by giving access to their phone microphones to identify any illegal broadcasting of live games in bars and public places.
The Court ruled that where the data is processed for such a secondary purpose, data controllers should apply even greater transparency measures to the collection and processing of data. This is because such purposes may not be obvious, and users may not recall the information provided as to secondary purposes after a period of time.
Conclusion
The Spanish High Court not only upheld the AEPD’s finding of breach of the transparency principle (Article 5(1)(a) GDPR) but also concluded that the €250,000 fine imposed by the AEPD is in accordance with the proportionality principle (even though it was higher than the initial settlement offer from the AEPD of €200,000). In particular, the fine was relatively small in the context of La Liga’s €1.75 billion in revenue in 2018.
La Liga has 30 days to appeal the Court’s ruling to the Spanish Supreme Court.