La Liga
September 2019
To misquote Joseph Heller in Catch-22, just because you’re not paranoid, it doesn’t mean they aren’t spying on you.
The tale of the egregious La Liga illustrates the point well.
La Liga is the Spanish Premier Football league, and it works hard to promote itself, so it launched an ‘app’ for smartphones to provide news, results, and so on; over ten million people downloaded it. But La Liga is also very keen at protecting its income from broadcasting rights, so it built in a nasty little secret: the app was set it up to spy on its users.
La Liga did this by remotely switching on the smartphone’s microphone and listening for the sound of their games being broadcast on television. When they heard one, they would check with the phone’s geolocation software (they all have it) and see where it was. If it turned out to be in a bar that hadn’t paid its appropriate fee to La Liga, that bar would be visited by some persuasive officials.
It’s bad enough that La Liga even considered ordering this covert surveillance but far worse that they kept it a secret. Happily, the Spanish Data Protection Agency agreed, told them to stop and fined them £220,000.
This is evidence of the quiet growth of an increasingly powerful group of guardians that look after us, in the form of national data protection authorities; they are maturing nicely all over Europe, as they finally begin to flex the muscles they were given under older data protection legislation and the newer, more formidable, General Data Protection Regulation (GDPR) which is not yet two years old.
La Liga should count itself lucky that the case was brought under pre-GDPR rules; under GDPR the fine would have been many times higher.
An appeal is underway, but it is most unlikely that La Liga will win, as what it did was a flagrant violation of transparency rules. Those rules are held in very high regard by the courts, as they should be; breaking them amounts to a breach of trust.
Sometimes, however, even transparency is insufficient. We are all sick of hearing the phrase ‘This call is being recorded for training and monitoring purposes’ but at least it puts us on notice. Not good enough, said the Danish Data Protection Authority to TDC, Denmark’s largest Telecoms company.
Under GDPR, voice recordings are regarded as personal data and must be treated as such. So, the Danish Authority asked TDC to explain how the recordings were a necessary part of its training and monitoring activities; they were not impressed by the rather feeble answers. As a result, TDC is now banned from recording customers’ calls for any purpose, until it can offer a fool proof way for customers to give consent or opt out. I very much hope this ban spreads to other companies, especially in the UK.
It’s becoming clear that the legal principle is that if you don’t really need the data, you shouldn’t collect it; the data-police are on your trail if you don’t toe the line.
A cleaning company in Germany discovered this; it had a fleet of vehicles with tracking devices and the company kept this data for five months. The courts held this was an unnecessary collection and retention of data about the individual cleaners, not least because they had no opportunity to opt out. But mainly, the courts felt that the company simply did not need the data for its business and so had no reason either to collect or keep it.
Our own excellent Information Commissioner now has a staff of over 800 and growing. She and her colleagues in Europe are beginning to show their teeth, and happily, they are firmly on our side.
A few links...
The UK’s Information Commissioner published all the enforcement she takes – read all about its here: https://ico.org.uk/action-weve-taken/
What are Data Protection Authorities? The EU’s explanation: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_en
A list of European Data Protection Authorities:
https://edpb.europa.eu/about-edpb/board/members_en
378
