AEPD (Spain) - E/09208/2018: Difference between revisions
No edit summary |
|||
Line 25: | Line 25: | ||
|GDPR_Article_1=Article 6 GDPR | |GDPR_Article_1=Article 6 GDPR | ||
|GDPR_Article_Link_1=Article 6 GDPR | |GDPR_Article_Link_1=Article 6 GDPR | ||
|GDPR_Article_2=Article 32 GDPR | |||
|GDPR_Article_Link_2=Article 32 GDPR | |||
|Party_Name_1=Niantic, Inc. | |Party_Name_1=Niantic, Inc. | ||
Line 68: | Line 68: | ||
== Comment == | == Comment == | ||
Even if the facts of the case have a logical connection with other GDPR Articles, such as Article 32 GDPR, about the security of processing, the AEPD did not consider its content, but limited their analysis to Article 6 GDPR and the lawfulness of the processing. | Even if the facts of the case have a logical connection with other GDPR Articles, such as Article 32 GDPR, about the security of processing, the AEPD did not consider its content, but limited their analysis to, and only referred to Article 6 GDPR and the lawfulness of the processing. | ||
== Further Resources == | == Further Resources == |
Latest revision as of 11:02, 4 June 2021
AEPD (Spain) - E/09208/2018 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | 18.05.2021 |
Fine: | None |
Parties: | Niantic, Inc. Niantic International Limited |
National Case Number/Name: | E/09208/2018 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA considered that the software developer of the interactive, real-location game 'Pokemon Go', had implemented adequate measures to mitigate the risks stemming from the fact malicious users could fake their location, and misuse the location data of other users.
English Summary
Facts
A data subject lodged a complaint with the Spanish DPA (AEPD) against Niantic, a software developer, regarding their interactive game "Pokemon Go".
Pokemon GO is a game in which users interact with the real world, so they share their location in order to walk the map. This include sharing their user data with others when they go to specific locations called "gyms", in which they play together with others. For that, a user needs to be at least at 500m from the site. Therefore, their real location is also known.
However, some users fake their real location, so they can access the gyms from further away. Therefore, the location of other users may be also shared not only with regular players but with players that are faking their location.
From this data, that can easily indicate where a person lives or works, malicious users could access this information and also infer the real identity of these subjects, what may lead to harassment or stalking. It is important to note that a big number of players of the game are minors, what increases the risk.
The complainant had asked Niantic to avoid sharing location data with users that were known to be faking their location.
Niantic stated that they have a security policy in place that tries to tackle that problem. Players who are detected to use these methods are warned with a three-strikes mechanism. They have other additional measures, such as information about the data that is shared, a recommendation not to provide your real name, the lack of a chat where users can directly interact, prohibitions on harassing and misuse, limited sharing of data, and different privacy options and information.
Holding
The AEPD considered that the controller had correctly assessed the risks and implemented adequate measures to mitigate them. Their three-strikes mechanism for users that fake their location is deemed to be enough to deal with the alleged risk. Therefore, the DPA decided to archive the case.
Comment
Even if the facts of the case have a logical connection with other GDPR Articles, such as Article 32 GDPR, about the security of processing, the AEPD did not consider its content, but limited their analysis to, and only referred to Article 6 GDPR and the lawfulness of the processing.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 940-0419 Procedure Nº: E / 09208/2018 RESOLUTION OF ACTION FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following: FACTS FIRST: The claim filed by D. A.A.A. (hereinafter, the claimant) has entry dated September 18, 2018 in the Spanish Agency for Data Protection. The claim is directed against NIANTIC, INC., With NIF C3815285 (hereinafter, the claimed one). As stated in his claim, he is a player of the Niantic game "pokemon go ". This game allows data about your geographical location (coordinates and hour) that are reflected in the gymnasiums (element of the game located virtually in a real geographic point) are provided to players who should not have access to that information. Well, when they provide a player with data on their geographical location, the game sets a limitation for access of approximately 500 meters, necessary for the development of the game. However, there are players who falsify their geographical location using programs such as fake / fly gps accessing said information from other cities or even other countries. Niantic allows location data to be provided to players without verify whether or not you have falsified your geographical location. In the game all users have a name which in the case of the claimant is "*** USER.1". A part of the game is the raids in which you fight between several players against a pokemon impossible to defeat individually so they must meet in specific points what makes them known, where they work, etc., for this reason providing data about a player gives information to know what natural person he is. Those players may use that information to harass within the game and even in real life (even minors, who are many who play habitually). You have requested Niantic to stop providing your geographic location to players who falsify their situation to which Niantic has not replied. SECOND: The Subdirectorate General for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts that are the object of the of the claim, having knowledge of the following points: 28001 - Madrid 6 sedeagpd.gob.es 2/7 The person responsible for the Treatment for Pokémon GO users in Space European Economic is not Niantic, Inc., but Niantic International Limited, based in UK. As stated in the game's security policy, the data that is collected They are: “By registering for our Services, you voluntarily provide us with Personal Data, for example, when you open an account. We collect and we use such data to authenticate your identity when you open a account and use the Services, to ensure that you can and do collect the requirements to receive the Services and receive the correct version of the themselves. Such data includes the username in the game that you choose to use in our Services and the internal IDs that we assign to your account. You must have an account with a single sign-on service compatible third party to use our Services. Therefore, the Data Personal data that we collect also depend on which third-party accounts you choose to use, of the privacy policies of such third parties and of what that allow us to see the privacy settings that you configure in such services when you use them to access the Niantic Services. If you choose to link your Google account to the Services, we will collect your Google email address and an authentication token provided by Google. If you choose to link your Facebook account to the Services, we will collect a unique user ID provided by Facebook and, if you allow it, your email address registered with Facebook. " Information Provided During User Creation / Login: 1. Request for Permission to Access the Location: Pokémon GO is a location-based gameplay (i.e., gameplay depends on where you the player is in the real world). In this sense, Niantic UK needs collect location data of your players for the operation of the game as directed to players in Niantic's Terms of Service. TO such effects a pop-up window is displayed requesting permission to process data related to the location. 2. Niantic Terms of Service: A window displays Popup that Includes a link to Niantic's Terms of Service. The Player can check the option 'ACCEPT or' DECLINE '. 3. Niantic's Privacy Policy: A pop-up window displays requesting the player to review Niantic's Privacy Policy. The window contains two options that the player can check, 'OK' and "PRIVACY POLICY". 28001 - Madrid 6 sedeagpd.gob.es 3/7 Information Provided During the Game: 1. Niantic's Privacy Policy and Terms of Service: The Policy Niantic's Privacy Policy and Terms of Service to which it is made referenced above are accessible at all times during the game to through the Options section within the app. 2. Friends: If a player decides to add another player as a friend within of the game, you must go to the Friends menu within the application. This menu It contains a link, 'List of friends and friendship levels'. There the following information is provided to the players: "Your friends they'll see your Trainer profile, achievements, and the Pokémon you've caught. Your friends will also know your location when you send them a Gift or trade Pokémon with them. "Players can choose to accept or decline any in-game friend requests they receive, and can delete a friend at any time. 3. Functionality to Import Facebook Friends: This functionality it is disabled by default, and requires the player to enable it. That player who enables this functionality will see which Facebook friends are playing the game (provided they have also proactively decided participate in this functionality) and you can send to Facebook friends who chosen, in-game friend requests that the other player can accept or reject. To activate the functionality, the player must do the following: 4. Adventure Sync functionality (Fitness Mode): This functionality is disabled by default, and requires the player to enable it. By enabling it Niantic UK is allowed to collect certain information about physical exercise on background even when the player is not interacting in a way direct with the application. Data of a specific player that is provided to third players, circumstances, purpose and established form to obtain consent prior to the data communication. Certain information about the players is made visible to other players within the Pokémon GO application. This is necessary to allow functioning of the multiplayer aspects or modes that are essential for the playability. These multiplayer features are designed so that players Players participate and play together in the same physical location in the real world. Niantic's Privacy Policy outlines the information that is shared with others players. As part of this multiplayer component, the information remains visible to other players in the following circumstances: Gyms: To participate in multiplayer mode, which is essential For gameplay, players can choose to interact with in-game locations known as "Gyms". Nickname Trainer and the names of the Pokémon located in a Gym by part of those players who voluntarily decide to control a Gym by positioning your Pokémon on it, they will remain visible inside C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 of the game application for those other players who visit that same location within the game. Raids: To participate in multiplayer mode, which is essential for gameplay, players can voluntarily choose interact in Gyms by choosing to participate in an in-game event known as a "raid". In a raid, players unite with other players and use a selection of Pokémon to fight another more powerful Pokémon. Trainer nicknames, avatars, levels of Coach and teams of players who decide to participate in a foray into a specific Gym, they will remain visible to others players in a "lobby" within the game until the game begins. incursion. Baits: To participate in multiplayer mode, which is essential for the gameplay, players can voluntarily choose to interact with in-game locations known as "PokéStops". In a PokéStop, a player can choose to drop a known in-game item as a "bait module", which attracts Pokémon to the location within the game where the bait has been deposited for a limited period of time. The Coach name of the players who deposit a bait in a PokéStop will remain visible only to those other players visit that same location in the game while the bait is active. Coaches Combat: To participate in multiplayer mode, you is essential for gameplay, players can choose voluntarily take part in Coach Matches in which a player chooses a team of Pokémon to compete in a battle digital against another player's Pokémon. The players who decide fight each other can see their respective Trainer names, Avatar and Pokémon selected for combat. To participate in a Coaches Combat, players must be located in the same physical location in the real world (except for Friends within the game with a certain level, they can fight remotely). Friends: To participate in multiplayer mode, which is essential for the gameplay, players can voluntarily choose to add other players as friends within the game, through a request for In-game friendship that the other player can accept or reject. For Please see our responses to Question 2 for more information at respect. Players can also voluntarily decide to add friends via Facebook Friends import functionality described above. In-game Friends can see their respective Coach names (in-game username), level, team, avatar, Pokémon companions, and limited information about of the gameplay. Friends can also send gifts, exchange your Pokémon or battle remotely. Players can remove a friend at any time. Exchange: To participate in multiplayer mode, which is essential for gameplay, players can choose to trade, voluntarily, Pokémon with another player if they are friends within the game. Players can only trade with each other if C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 have reached a certain level of friendship within the game and that they are in the same physical location in the real world during the exchange, In relation to the procedures to falsify the identity or position of a certain player to whom data of other players can be provided supposedly close to this, the representatives of the entity state that Niantic UK is aware that certain players engage in conduct fraudulent or cheating that includes the falsification of the location (what is called GPS location spoofing). These behaviors violate Niantic's Terms of Service. Niantic UK is committed to creating a gaming experience friendly and fair to all players and, as part of that commitment, executes a three-touch policy against said fraudulent practices or cheating of players who discover that they are practicing impersonation of Location. In relation to the mechanisms used to prevent harassment of other players, made based on the information obtained by the Pokémon GO game, the representatives of the entity state that Niantic UK is committed to Pokémon GO is a fun and safe experience for all players and for all those in the real world where this game is played. The Conditions of Niantic services specifically prohibit harassing others. The Standards of Pokémon GO trainer encourages players to be respectful of others players, not to harass others, and to report harassment suffered during the game to Niantic UK. In addition, they advise players "not to use your real name as a nickname and avoid publishing your nickname by relating it to your real name. " Regarding harassment of players based specifically on information obtained by third parties using the game, Pokémon GO does not have any chat or direct communication mechanism between players, and players only they see limited information about each other during the game. Niantic UK implements filtering tools to avoid names of Inappropriate or offensive coach when players choose their names from Trainer. Additionally, in the Pokémon GO Trainer Rules, players are encouraged to players to choose only suitable names (which includes avoiding choosing Coach names using private information - either yours or others -). Along with this, Niantic UK has implemented mechanisms that players can be used to report any kind of harassment suffered during the game in Pokémon GO. FOUNDATIONS OF LAW I In accordance with the investigative and corrective powers that article 58 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and according to the provisions of article 47 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and 28001 - Madrid 6 sedeagpd.gob.es 6/7 guarantee of digital rights (hereinafter LOPDGDD), is competent to resolve these investigative actions by the Director of the Spanish Agency for Data Protection. II In accordance with the provisions of article 55 of the RGPD, the Agency Spanish Data Protection is competent to perform the functions that are assigned to it in its article 57, among them, that of enforcing the Regulation and promote the awareness of those responsible and those in charge of the treatment about their obligations, as well as dealing with claims submitted by an interested party and investigate the reason for them. It is also the responsibility of the Spanish Data Protection Agency to exercise the powers of investigation regulated in article 58.1 of the same legal text, between those that include the power to order the controller and the person in charge of the treatment that provide any information required for the performance of their duties. Correlatively, article 31 of the RGPD establishes the obligation of the data controllers and processors to cooperate with the supervisory authority that he requests it in the performance of his functions. In the event that these have appointed a data protection officer, Article 39 of the RGPD attributes to this the function of cooperating with said authority. Similarly, the domestic legal system also provides for the possibility to open a period of information or previous actions. In this sense, the article 55 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, grants this power to the competent body in order to know the circumstances of the specific case and whether or not to start the process. III In the present case, the claim submitted has been received at this Agency by the claimant against the defendant for the alleged violation of article 6 of the RGPD that guarantees the legality of the treatment. In the present case, the claimant has asked the defendant not to provide his geographical location to players who falsify theirs. In accordance with the regulations set forth, prior to admission to processing this claim, the Subdirectorate General for Data Inspection proceeded to carrying out preliminary investigation actions to clarify the facts that are the subject of the claim. As a result of the investigations carried out by the Agency, the claimed states that he is aware that certain players carry out behaviors fraudulent or cheating that includes the falsification of the location (what is called GPS location spoofing). These behaviors violate the Claimed's Terms of Service. 28001 - Madrid 6 sedeagpd.gob.es 7/7 The complainant is committed to creating a gaming experience friendly and fair to all players and, as part of that commitment, executes a three-touch policy against said fraudulent practices or cheating of players who discover that they are practicing impersonation of Location. For this reason, the Director of the Spanish Agency for Data Protection agrees to archive these actions, as the specific claim. Therefore, in accordance with the provisions, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: 1. PROCEED WITH THE FILING of these actions. 2. NOTIFY this resolution to the claimant and claimed. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure according to prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations, and in accordance with the established in arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Mar Spain Martí Director of the Spanish Agency for Data Protection 28001 - Madrid 6 sedeagpd.gob.es