Eddie Powell is a partner and head of the Commercial, Sports and IP team at Fladgate LLP. He specialises in data protection, IP transactions, protection and disputes, commercial contracts, technology matters, e-business and competition law.
It is no secret that piracy of live sports broadcasts is one of the biggest problems currently faced by both sports leagues and sports broadcasters. As technology continues to develop, tracking and identifying illegal streams is one of the more challenging aspects in tackling such piracy. Leagues and broadcasters are having to come up with ever more imaginative ways to identify illegal streams and protect their commercial rights.
A recent effort by Spain’s top football league, LaLiga, was found by the AEPD, the country's data protection agency, to have breached the provisions of the EU’s data protection regulations, known as the GDPR. A breach of the GDPR’s consent provisions led to the AEPD handing down a fine of €250,000 ($280,000) to LaLiga, a reminder that the privacy concerns of individuals must not be disregarded when combatting sports piracy.
LaLiga’s innovative approach to identifying piracy concentrated on users of the official LaLiga app on Android smartphones. When users installed that app, they were asked once (when they first used it) whether they would allow the league to access the user's location data and microphone. Provided the user gave their consent, LaLiga would then turn on the microphone feature during live broadcasts of games.
The app collected audio data using the phone’s microphone and compared the raw data against control audio data. The idea behind this was that if the audio data produced a match, LaLiga would know that the game being played at that time was being shown on a TV screen where the user was located. The app could then rely on the user’s location data to pinpoint where the match was being shown on TV. If the location data showed the user was watching a match in a bar or club which did not have the rights to broadcast it, the league would know the match was being illegally shown by that venue.
The AEPD adjudged this process to be a breach of the GDPR.
By way of very brief information, the GDPR applies to any processing of personal data. If you are processing someone’s personal data, then you have a multitude of obligations in order to protect the privacy of that data subject. The personal data in question in this case was the user’s audio and location data.
LaLiga was found to be in breach of article 7 of the GDPR (conditions for consent). Consent under the GDPR must be "freely given, specific, informed and unambiguous." The AEPD deemed that the consent given by users of the LaLiga app did not meet the criteria for the following reasons:
1. The consent was not deemed to be specific enough. Although the app did tell users it wanted to use their audio and location data, the app did not tell users why this data was being collected and what it would be used for. Therefore, as users were not fully aware of the reason why they were giving consent (and taking into account that users often just accept the use of such features when they download an app) there were justifiable concerns from the AEPD that LaLiga had not done enough to make the user aware of exactly what their personal data was being used for;
2. Users were only asked for consent to use their audio and location data once. The AEPD deemed this to be a crucial factor and stated LaLiga should have asked for permission each time the features were activated as users would not remember giving consent for this purpose and would not be aware of how often the feature was being used. This voided the consent as it was not freely given and informed; and
3. LaLiga also contended that users were not able to withdraw their consent. The GDPR is clear that data subjects must be able to withdraw their consent at any time, and as such this was a clear breach.
It is worth noting that LaLiga has appealed against this decision on the grounds that the AEPD did not understand the technology behind the app. The league states that audio data was only collected in binary form to see if it matched the underlying binary code of the official audio data.
LaLiga therefore claims that it cannot constitute “personal data” under the GDPR. The league has not challenged the finding that if the information gathered was personal data, the consent it obtained was invalid.
LaLiga did attempt to obtain users’ consent to use the data, and it is notable that the consent was not forced, as users could use the app without allowing the league to access this data. If LaLiga had properly obtained full consent in the following ways then it is entirely plausible that the league would have been in compliance with the GDPR:
1. Informing users exactly why they were collecting the data;
2. Informing users that they would access these features during every LaLiga match, or gaining consent each time; and
3. Allowing users to withdraw consent.
If that is the case, it would allow a path for leagues to combat piracy. However, it is notable that if users were knowingly watching illegal streams then they would probably not allow the app to use this data.
The lessons to be learnt by leagues and broadcasters alike are that privacy rights enshrined in the GDPR cannot be circumvented. The GDPR is a focal point of EU regulation and authorities are on the ball in relation to any breaches.
If leagues or broadcasters want fan assistance with targeting illegal piracy then they must be upfront with those fans about how the personal data of the fan will be collected and used. It will be interesting to see whether any league does form a collaborative attempt with fans to combat piracy in a GDPR-compliant way.
Thomas Edwards, a trainee solicitor at Fladgate currently sitting in the corporate department, contributed to this article.