A lot of you will be aware that La Liga, organisers of the two Spanish professional football leagues, was fined €250k by the Spanish data protection authority last month.

Just to recap, La Liga had been using its official app to uncover unlicensed broadcasting of games by activating users’ microphones and monitoring their location. The problem as far as the GDPR is concerned is that La Liga failed to adequately inform the app users that they were using their data in this way and did not give them a way to withdraw their consent.

La Liga’s use of the app was a particularly invasive breach, given just how sensitive people are to the access of their location and microphone. Commentary around the decision seems unanimous that the fine was pretty low for what could be seen as “spying” on users, especially considering that La Liga managed to successfully file 600 criminal cases against Spanish bars and restaurants with this technology, helping La Liga combat an estimated €400m per year loss in commercial and IP rights.

For us, the case throws up a number of interesting points.

  1. Is the fine too low? Well, looking at the recent fines of £183m for British Airways and £99m for Marriot, handed out by the ICO, it pales into insignificance on the face of the bare numbers. However, despite the fine appearing low based on a gut reaction, if you remove the ICO decisions and the widely reported €50m fine for Google in France (which are outliers), the La Liga fine is one of the highest handed down since the GDPR came into force.
  2. Does this justify a call for a harmonised approach across Europe given the disparity of the fines and the apparent inconsistency in measuring the impact of breach at a national level?
  3. Given that the financial benefit appeared to outweigh La Liga’s fine, will we see companies undertaking some sort of cost benefit analysis for data breaches? If the fine for this type of breach remains low compared to what was originally feared, who could blame sports organizations for weighing up the cost of committing a data breach against the loss of hundreds of millions in television revenues?