AEPD (Spain) - E/09208/2018
From GDPRhub
| AEPD (Spain) - E/09208/2018 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6 GDPR Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | |
| Published: | 18.05.2021 |
| Fine: | None |
| Parties: | Niantic, Inc. Niantic International Limited |
| National Case Number/Name: | E/09208/2018 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA considered that the software developer of the interactive, real-location game 'Pokemon Go', had implemented adequate measures to mitigate the risks stemming from the fact malicious users could fake their location, and misuse the location data of other users.
English Summary
Facts
A data subject lodged a complaint with the Spanish DPA (AEPD) against Niantic, a software developer, regarding their interactive game "Pokemon Go".
Pokemon GO is a game in which users interact with the real world, so they share their location in order to walk the map. This include sharing their user data with others when they go to specific locations called "gyms", in which they play together with others. For that, a user needs to be at least at 500m from the site. Therefore, their real location is also known.
However, some users fake their real location, so they can access the gyms from further away. Therefore, the location of other users may be also shared not only with regular players but with players that are faking their location.
From this data, that can easily indicate where a person lives or works, malicious users could access this information and also infer the real identity of these subjects, what may lead to harassment or stalking. It is important to note that a big number of players of the game are minors, what increases the risk.
The complainant had asked Niantic to avoid sharing location data with users that were known to be faking their location.
Niantic stated that they have a security policy in place that tries to tackle that problem. Players who are detected to use these methods are warned with a three-strikes mechanism. They have other additional measures, such as information about the data that is shared, a recommendation not to provide your real name, the lack of a chat where users can directly interact, prohibitions on harassing and misuse, limited sharing of data, and different privacy options and information.
Holding
The AEPD considered that the controller had correctly assessed the risks and implemented adequate measures to mitigate them. Their three-strikes mechanism for users that fake their location is deemed to be enough to deal with the alleged risk. Therefore, the DPA decided to archive the case.
Comment
Even if the facts of the case have a logical connection with other GDPR Articles, such as Article 32 GDPR, about the security of processing, the AEPD did not consider its content, but limited their analysis to, and only referred to Article 6 GDPR and the lawfulness of the processing.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7
940-0419
Procedure Nº: E / 09208/2018
RESOLUTION OF ACTION FILE
Of the actions carried out by the Spanish Agency for Data Protection and
based on the following:
FACTS
FIRST: The claim filed by D. A.A.A. (hereinafter, the claimant)
has entry dated September 18, 2018 in the Spanish Agency for
Data Protection. The claim is directed against NIANTIC, INC., With NIF
C3815285 (hereinafter, the claimed one).
As stated in his claim, he is a player of the Niantic game "pokemon
go ". This game allows data about your geographical location (coordinates and
hour) that are reflected in the gymnasiums (element of the game located virtually in a
real geographic point) are provided to players who should not have access to
that information.
Well, when they provide a player with data on their geographical location, the
game sets a limitation for access of approximately 500 meters,
necessary for the development of the game. However, there are players who falsify their
geographical location using programs such as fake / fly gps accessing said
information from other cities or even other countries.
Niantic allows location data to be provided to players without
verify whether or not you have falsified your geographical location.
In the game all users have a name which in the case of the claimant is
"*** USER.1".
A part of the game is the raids in which you fight between several players against
a pokemon impossible to defeat individually so they must meet in
specific points what makes them known, where they work, etc., for this reason
providing data about a player gives information to know what natural person he is.
Those players may use that information to harass within the
game and even in real life (even minors, who are many who play
habitually).
You have requested Niantic to stop providing your geographic location to
players who falsify their situation to which Niantic has not replied.
SECOND: The Subdirectorate General for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts that are the object of the
of the claim, having knowledge of the following points:
28001 - Madrid 6 sedeagpd.gob.es 2/7
The person responsible for the Treatment for Pokémon GO users in Space
European Economic is not Niantic, Inc., but Niantic International Limited, based in
UK.
As stated in the game's security policy, the data that is collected
They are:
“By registering for our Services, you voluntarily provide us with
Personal Data, for example, when you open an account. We collect and
we use such data to authenticate your identity when you open a
account and use the Services, to ensure that you can and do collect the
requirements to receive the Services and receive the correct version of the
themselves. Such data includes the username in the game that you
choose to use in our Services and the internal IDs that we assign to your
account.
You must have an account with a single sign-on service
compatible third party to use our Services. Therefore, the Data
Personal data that we collect also depend on which third-party accounts
you choose to use, of the privacy policies of such third parties and of what
that allow us to see the privacy settings that you configure in
such services when you use them to access the Niantic Services.
If you choose to link your Google account to the Services, we will collect your
Google email address and an authentication token
provided by Google.
If you choose to link your Facebook account to the Services, we will collect
a unique user ID provided by Facebook and, if you allow it,
your email address registered with Facebook. "
Information Provided During User Creation / Login:
1. Request for Permission to Access the Location: Pokémon GO is a
location-based gameplay (i.e., gameplay depends on where you
the player is in the real world). In this sense, Niantic UK needs
collect location data of your players for the operation of the game
as directed to players in Niantic's Terms of Service. TO
such effects a pop-up window is displayed requesting permission to
process data related to the location.
2. Niantic Terms of Service: A window displays
Popup that Includes a link to Niantic's Terms of Service. The
Player can check the option 'ACCEPT or' DECLINE '.
3. Niantic's Privacy Policy: A pop-up window displays
requesting the player to review Niantic's Privacy Policy. The
window contains two options that the player can check, 'OK' and
"PRIVACY POLICY".
28001 - Madrid 6 sedeagpd.gob.es 3/7
Information Provided During the Game:
1. Niantic's Privacy Policy and Terms of Service: The Policy
Niantic's Privacy Policy and Terms of Service to which it is made
referenced above are accessible at all times during the game to
through the Options section within the app.
2. Friends: If a player decides to add another player as a friend within
of the game, you must go to the Friends menu within the application. This menu
It contains a link, 'List of friends and friendship levels'.
There the following information is provided to the players: "Your friends
they'll see your Trainer profile, achievements, and the Pokémon you've caught.
Your friends will also know your location when you send them a Gift
or trade Pokémon with them. "Players can choose to accept or
decline any in-game friend requests they receive, and can
delete a friend at any time.
3. Functionality to Import Facebook Friends: This functionality
it is disabled by default, and requires the player to enable it. That
player who enables this functionality will see which Facebook friends are
playing the game (provided they have also proactively decided
participate in this functionality) and you can send to Facebook friends who
chosen, in-game friend requests that the other player can
accept or reject. To activate the functionality, the player must do the
following:
4. Adventure Sync functionality (Fitness Mode): This functionality is
disabled by default, and requires the player to enable it. By enabling it
Niantic UK is allowed to collect certain information about physical exercise on
background even when the player is not interacting in a way
direct with the application.
Data of a specific player that is provided to third players,
circumstances, purpose and established form to obtain consent prior to the
data communication.
Certain information about the players is made visible to other players
within the Pokémon GO application. This is necessary to allow
functioning of the multiplayer aspects or modes that are essential for the
playability. These multiplayer features are designed so that players
Players participate and play together in the same physical location in the real world.
Niantic's Privacy Policy outlines the information that is shared with others
players. As part of this multiplayer component, the information remains
visible to other players in the following circumstances:
Gyms: To participate in multiplayer mode, which is essential
For gameplay, players can choose to interact with
in-game locations known as "Gyms". Nickname
Trainer and the names of the Pokémon located in a Gym by
part of those players who voluntarily decide to control a
Gym by positioning your Pokémon on it, they will remain visible inside
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7
of the game application for those other players who visit that
same location within the game.
Raids: To participate in multiplayer mode, which is essential
for gameplay, players can voluntarily choose
interact in Gyms by choosing to participate in an in-game event
known as a "raid". In a raid, players unite
with other players and use a selection of Pokémon to fight
another more powerful Pokémon. Trainer nicknames, avatars, levels
of Coach and teams of players who decide to participate in a
foray into a specific Gym, they will remain visible to others
players in a "lobby" within the game until the game begins.
incursion.
Baits: To participate in multiplayer mode, which is essential for the
gameplay, players can voluntarily choose to interact with
in-game locations known as "PokéStops". In a
PokéStop, a player can choose to drop a known in-game item
as a "bait module", which attracts Pokémon to the location within the game
where the bait has been deposited for a limited period of time. The
Coach name of the players who deposit a bait in a
PokéStop will remain visible only to those other players
visit that same location in the game while the bait is active.
Coaches Combat: To participate in multiplayer mode, you
is essential for gameplay, players can choose
voluntarily take part in Coach Matches in which
a player chooses a team of Pokémon to compete in a battle
digital against another player's Pokémon. The players who decide
fight each other can see their respective Trainer names,
Avatar and Pokémon selected for combat. To participate in a
Coaches Combat, players must be located in the same
physical location in the real world (except for Friends within the
game with a certain level, they can fight remotely).
Friends: To participate in multiplayer mode, which is essential for the
gameplay, players can voluntarily choose to add other
players as friends within the game, through a request for
In-game friendship that the other player can accept or reject. For
Please see our responses to Question 2 for more information at
respect. Players can also voluntarily decide to add
friends via Facebook Friends import functionality
described above. In-game Friends can see their
respective Coach names (in-game username),
level, team, avatar, Pokémon companions, and limited information about
of the gameplay. Friends can also send gifts, exchange
your Pokémon or battle remotely. Players can remove
a friend at any time.
Exchange: To participate in multiplayer mode, which is essential
for gameplay, players can choose to trade,
voluntarily, Pokémon with another player if they are friends within the game.
Players can only trade with each other if
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7
have reached a certain level of friendship within the game and that they
are in the same physical location in the real world during the
exchange,
In relation to the procedures to falsify the identity or position of a
certain player to whom data of other players can be provided
supposedly close to this, the representatives of the entity state that
Niantic UK is aware that certain players engage in conduct
fraudulent or cheating that includes the falsification of the location (what is
called GPS location spoofing). These behaviors
violate Niantic's Terms of Service.
Niantic UK is committed to creating a gaming experience
friendly and fair to all players and, as part of that commitment, executes
a three-touch policy against said fraudulent practices or
cheating of players who discover that they are practicing impersonation of
Location.
In relation to the mechanisms used to prevent harassment of other players,
made based on the information obtained by the Pokémon GO game, the
representatives of the entity state that Niantic UK is committed to
Pokémon GO is a fun and safe experience for all players and for
all those in the real world where this game is played. The Conditions of
Niantic services specifically prohibit harassing others. The Standards of
Pokémon GO trainer encourages players to be respectful of others
players, not to harass others, and to report harassment suffered during the game to
Niantic UK. In addition, they advise players "not to use your real name as a nickname and
avoid publishing your nickname by relating it to your real name. "
Regarding harassment of players based specifically on information
obtained by third parties using the game, Pokémon GO does not have any
chat or direct communication mechanism between players, and players only
they see limited information about each other during the game.
Niantic UK implements filtering tools to avoid names of
Inappropriate or offensive coach when players choose their names from
Trainer. Additionally, in the Pokémon GO Trainer Rules, players are encouraged to
players to choose only suitable names (which includes avoiding choosing
Coach names using private information - either yours or others
-).
Along with this, Niantic UK has implemented mechanisms that players
can be used to report any kind of harassment suffered during the game in
Pokémon GO.
FOUNDATIONS OF LAW
I
In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
28001 - Madrid 6 sedeagpd.gob.es 6/7
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for
Data Protection.
II
In accordance with the provisions of article 55 of the RGPD, the Agency
Spanish Data Protection is competent to perform the functions that
are assigned to it in its article 57, among them, that of enforcing the Regulation and
promote the awareness of those responsible and those in charge of the treatment
about their obligations, as well as dealing with claims
submitted by an interested party and investigate the reason for them.
It is also the responsibility of the Spanish Data Protection Agency to exercise
the powers of investigation regulated in article 58.1 of the same legal text, between
those that include the power to order the controller and the person in charge of the treatment that
provide any information required for the performance of their duties.
Correlatively, article 31 of the RGPD establishes the obligation of the
data controllers and processors to cooperate with the supervisory authority
that he requests it in the performance of his functions. In the event that these have
appointed a data protection officer, Article 39 of the RGPD attributes to
this the function of cooperating with said authority.
Similarly, the domestic legal system also provides for the possibility
to open a period of information or previous actions. In this sense, the article
55 of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations, grants this power to the competent body in order to
know the circumstances of the specific case and whether or not to start the
process.
III
In the present case, the claim submitted has been received at this Agency
by the claimant against the defendant for the alleged violation of article 6 of the
RGPD that guarantees the legality of the treatment.
In the present case, the claimant has asked the defendant not to provide his
geographical location to players who falsify theirs.
In accordance with the regulations set forth, prior to admission to
processing this claim, the Subdirectorate General for Data Inspection proceeded to
carrying out preliminary investigation actions to clarify the
facts that are the subject of the claim.
As a result of the investigations carried out by the Agency, the claimed
states that he is aware that certain players carry out behaviors
fraudulent or cheating that includes the falsification of the location (what is
called GPS location spoofing). These behaviors
violate the Claimed's Terms of Service.
28001 - Madrid 6 sedeagpd.gob.es 7/7
The complainant is committed to creating a gaming experience
friendly and fair to all players and, as part of that commitment, executes
a three-touch policy against said fraudulent practices or
cheating of players who discover that they are practicing impersonation of
Location.
For this reason, the Director of the Spanish Agency for Data Protection
agrees to archive these actions, as the specific
claim.
Therefore, in accordance with the provisions, by the Director of the Agency
Spanish Data Protection,
HE REMEMBERS:
1. PROCEED WITH THE FILING of these actions.
2. NOTIFY this resolution to the claimant and claimed.
In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations, and in accordance with the
established in arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
Mar Spain Martí
Director of the Spanish Agency for Data Protection
28001 - Madrid 6 sedeagpd.gob.es
