General Data Protection Regulation Fines and Penalties – Spain
One year after GDPR entered into force, it is possible to observe the first penalties and fines imposed by different Data Protection Authorities on several undertakings and institutions. This brief analysis provides insights into and clarifications of possible misapplications of GDPR and their consequences.
Country: Spain | Industry: Sport/Entertainment | Company/Institution: La Liga | Non-Compliance: Failure to recognise data subject’s right to withdraw his/her consent.
An interesting decision released by the Spanish Data Protection Authority (“AEPD”) involves La Liga and its efforts to fight television rights piracy. The Spanish authority has fined the football league La Liga €250.000 for alleged violations of the General Data Protection Regulation.
The Spanish league has allegedly infringed basic principles of transparency by releasing a mobile application used to watch live football matches. Although the normal use of the application seems lawful and compliant with local and European privacy laws, the app has been used for different purposes. During app installation, La Liga retained the possibility to remotely activate a hidden feature with the purpose of tracking bars that unlawfully broadcast football matches. In particular, La Liga could activate the device microphones of 4 million users with the purpose of tracking potential pirated signals. Furthermore, according to the Spanish authority, La Liga did not include sufficient informative measures to make users aware of the operation of this feature.
Art. 7, paragraph 3 of the GDPR states the data subject’s right to withdraw consent at any time. It continues by affirming that consent withdrawal shall not affect the lawfulness of data processing. Prior to giving any consent, the data subject shall be informed thereof. Finally, the article states that withdrawing consent shall be as easy as giving it.
The “spy” feature of the app requires the data subject’s prior consent. After that, La Liga could remotely activate the microphone with the purpose of detecting pirate signals of the Spanish football league. However, as a La Liga spokesperson affirmed: “Such signal is converted into a binary code that ascertains whether or not the source code is compatible with the original signal”. Under these circumstances, there would be no risk that the data subject’s privacy has been infringed. For this reason, La Liga has decided to appeal against the Spanish privacy authority.
In this scenario, it is important to note which lawful basis for processing has been used by La Liga. Generally speaking, consent is the most common legal basis for processing personal data. In this case, it seems likely that withdrawing consent may affect the lawfulness of data processing. Moreover, it might be possible to consider La Liga’s attempt to protect broadcasting rights for the Spanish league as a legitimate interest for processing personal data.