Digital Life
Matthew Webster
To misquote Joseph Heller in Catch-22, just because you’re not paranoid, it doesn’t mean they aren’t spying on you.
The tale of the egregious La Liga illustrates the point well.
La Liga is the Spanish premier football league, and it works hard to promote itself – so it launched an app for smartphones to provide news, results and so on; over ten million people downloaded it. But La Liga is also very keen at protecting its income from broadcasting rights. So it built in a nasty little secret: the app was set up to spy on its users.
La Liga did this by remotely switching on the smartphone’s microphone and listening for the sound of their games being broadcast on television. When they heard one, they would check with the phone’s geolocation software (they all have it) and see where it was. If it turned out to be in a bar that hadn’t paid La Liga its appropriate fee, that bar would be visited by some persuasive officials.
It’s bad enough that La Liga even considered ordering this covert surveillance and far worse that they kept it a secret. Happily, the Spanish Data Protection Agency agreed, told them to stop and fined them £220,000.
This is evidence of the quiet growth of an increasingly powerful group of bodies that look after us, in the form of national data protection authorities. They are maturing nicely all over Europe, as they finally begin to flex the muscles they were given under older data protection legislation and the newer, more formidable General Data Protection Regulation (GDPR), not yet two years old.
La Liga should count itself lucky that the case was brought under PRE-GDPR rules; under GDPR, the fine would have been many times higher.
An appeal is under way but it is most unlikely that La Liga will win, as what it did was a flagrant violation of transparency rules. Those rules are held in very high regard by the courts, as they should be; breaking them amounts to a breach of trust.
Sometimes, however, even transparency is insufficient. We are all sick of hearing the phrase ‘This call is being recorded for training and monitoring purposes’ but at least it puts us on notice. Not good enough, said the Danish Data Protection Authority to TDC, Denmark’s largest telecoms company.
Under GDPR, voice recordings are regarded as personal data and must be treated as such. So the Danish Authority asked TDC to explain how the recordings were a necessary part of its training and monitoring activities; they were not impressed by the rather feeble answers. As a result, TDC is now banned from recording customers’ calls for any purpose, until it can offer a foolproof way for customers to give consent or opt out. I very much hope this ban spreads to other companies, especially in the UK.
It’s becoming clear that the legal principle is that if you don’t really need the data, you shouldn’t collect it; if you don’t toe the line, the data police are on your trail.
A cleaning company in Germany discovered this; it had a fleet of vehicles with tracking devices and the company kept the data for five months. The courts held this was unnecessary collection and retention of data about the individual cleaners, not least because they had no opportunity to opt out. But mainly the courts felt that the company simply did not need the data for its business and so had no reason either to collect or to keep it.
Our own excellent Information Commissioner now has a staff of more than 800 and growing. She and her colleagues in Europe are beginning to show their teeth and, happily, they are firmly on our side.