| |
| ▲ | jamiecurle 3 days ago | parent | next [-] | | The escape hatch with all personal data processing is "legitimate interest". Consent is a big part of it, but an industry with sufficiently deep legal pockets would likely go down the route of "legitimate interest" if cornered. I'm not a legal professional. I just work next to this stuff. | | |
| ▲ | ahtihn 3 days ago | parent | next [-] | | That's not what legitimate interest is supposed to mean though. Legitimate interest is about collection of data necessary to operate your service. Listening to detect if someone in a user's surrounding is showing a match without license has nothing to do with the function of the application. There's no legitimate interest there. | | |
| ▲ | PeterStuer 2 days ago | parent [-] | | It is perverted. Legitimate Interest includes hovering up all your data and shuffle it of to 100+ data brokers who 'legitimately' are interested in that data. |
| |
| ▲ | d1sxeyes 3 days ago | parent | prev [-] | | I think a lot would depend on whether they do any kind of on-device processing to determine whether the audio is likely to be a football match or not. I think they could successfully argue that data processed on your phone and not shared with them is processed by you, and then they could argue that the data that is shared falls under legitimate interests and would be proportionate, and pass a balancing test. IANALEither |
| |
| ▲ | bilekas 3 days ago | parent | prev [-] | | Are we sure ? I'm not disputing it, but is geo location alone as a data point covered GDPR ? I'll have to look that up, but as someone else said it's only enforced at EU member state level, however there is another central oversight to ensure it's enforced. | | |
| ▲ | d1sxeyes 3 days ago | parent | next [-] | | Not if you have no possible way to identify the person to whom it is related (this includes server logs etc). Theoretically, an event sent to a server with some GPS co-ordinates, with no metadata and no logs stored on the server at all could perhaps be found not to be personally identifiable. This is almost certainly a thought experiment though, the amount of engineering effort required to ensure no logs of any kind could result in deriving the IP address of the user would be high, and they’re probably not doing it (even if they are actually not sending any identifying information directly). You might also find that you have to take special care to avoid creating circumstances that allow inference of personal information. For example, sampling every night at 11pm, you’re very likely to be able to determine an address or approximate location of the subscribers home. | | |
| ▲ | PeterStuer 2 days ago | parent [-] | | You realize it is an app on a phone, so the customer is always known, right? | | |
| ▲ | d1sxeyes 2 days ago | parent [-] | | I don’t really understand this comment. What do you mean that the customer “is always known”? To whom? How? | | |
| ▲ | PeterStuer a day ago | parent [-] | | The LALIGA Official App on Android requires permissions to access Personal Information and Device or other IDs to provide services, send notifications, and facilitate registration. It may also involve location data and audio features, though these are not explicitly listed in the permissions. The app also shares your data with third parties and uses your email for the LALIGA Ecosystem. Specific Permissions and Uses Personal Information: The app collects your personal data, such as your email, to allow you to log in, register for services, and provide you with content and information about your favorite teams. Device or other IDs: This type of ID is used to facilitate your registration and access to the app. Location Data: The app may use your phone's location to identify establishments showing football matches, potentially for a piracy detection feature. Audio/Microphone Access: In the past, La Liga has used the official app to remotely activate the microphone to detect audio from football matches, particularly in bars. | | |
| ▲ | d1sxeyes a day ago | parent [-] | | It feels like you perhaps didn't understand my comment. I'm not saying that LALIGA couldn't identify you if they wanted. They certainly could (and probably do). What I'm saying is that it is possible to build a system where the app dispatches some kind of event to a server which does not have any identifying information associated with it. | | |
| ▲ | PeterStuer a day ago | parent [-] | | It is always possible. Even if you do not need any permissions to access the AndroidID, nobody forces you, the app seller, to use it. I have worked as an enterprise integratation architect in highly regulated environments. Sometimes you reuse interfaces that give you tons of info you are not supposed to have access to. You sign contracts that you will never look at this (dump it at the interface layer). This is acceptible in compliance. Chances that in this case the app does not hover up all it can? 0% | | |
| ▲ | d1sxeyes 10 hours ago | parent [-] | | It’s not about “the app”. The app can have two or two million datapoints locally. What matters in terms of processing is how much of it gets sent to LALIGA (or their provider). On a separate note, I am surprised you think you can just promise not to look at something. You can’t, it’s not “acceptable in compliance”, and I’m not even sure what that means—there’s no body that certifies GDPR compliance. | | |
| ▲ | PeterStuer 9 hours ago | parent [-] | | It is acceptible. I have sat many times through compliance meetings and negotiations. I would think compliance officers of very large enterprises know their game. | | |
|
|
|
|
|
|
| |
| ▲ | Fargren 3 days ago | parent | prev [-] | | Yes. Personal data under GDPR is "any information which are related to an identified or identifiable natural person". If it's data about a specific person, it's personal data, it's a very straightforward definition. Businesses need either informed consent or legitimate interest to store or process it. |
|
|
