AEPD (Spain) - E/09208/2018

From GDPRhub
AEPD (Spain) - E/09208/2018
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Rejected
Decided:
Published: 18.05.2021
Fine: None
Parties: Niantic, Inc.
Niantic International Limited
National Case Number/Name: E/09208/2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA considered that the software developer of the interactive, real-location game 'Pokemon Go', had implemented adequate measures to mitigate the risks stemming from the fact malicious users could fake their location, and misuse the location data of other users.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject lodged a complaint with the Spanish DPA (AEPD) against Niantic, a software developer, regarding their interactive game "Pokemon Go".

Pokemon GO is a game in which users interact with the real world, so they share their location in order to walk the map. This include sharing their user data with others when they go to specific locations called "gyms", in which they play together with others. For that, a user needs to be at least at 500m from the site. Therefore, their real location is also known.

However, some users fake their real location, so they can access the gyms from further away. Therefore, the location of other users may be also shared not only with regular players but with players that are faking their location.

From this data, that can easily indicate where a person lives or works, malicious users could access this information and also infer the real identity of these subjects, what may lead to harassment or stalking. It is important to note that a big number of players of the game are minors, what increases the risk.

The complainant had asked Niantic to avoid sharing location data with users that were known to be faking their location.

Niantic stated that they have a security policy in place that tries to tackle that problem. Players who are detected to use these methods are warned with a three-strikes mechanism. They have other additional measures, such as information about the data that is shared, a recommendation not to provide your real name, the lack of a chat where users can directly interact, prohibitions on harassing and misuse, limited sharing of data, and different privacy options and information.

Holding[edit | edit source]

The AEPD considered that the controller had correctly assessed the risks and implemented adequate measures to mitigate them. Their three-strikes mechanism for users that fake their location is deemed to be enough to deal with the alleged risk. Therefore, the DPA decided to archive the case.

Comment[edit | edit source]

Even if the facts of the case have a logical connection with other GDPR Articles, such as Article 32 GDPR, about the security of processing, the AEPD did not consider its content, but limited their analysis to, and only referred to Article 6 GDPR and the lawfulness of the processing.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                     1/7



940-0419
        Procedure Nº: E / 09208/2018



                   RESOLUTION OF ACTION FILE



Of the actions carried out by the Spanish Agency for Data Protection and
based on the following:

                                       FACTS

FIRST: The claim filed by D. A.A.A. (hereinafter, the claimant)

has entry dated September 18, 2018 in the Spanish Agency for
Data Protection. The claim is directed against NIANTIC, INC., With NIF
C3815285 (hereinafter, the claimed one).

       As stated in his claim, he is a player of the Niantic game "pokemon

go ". This game allows data about your geographical location (coordinates and
hour) that are reflected in the gymnasiums (element of the game located virtually in a
real geographic point) are provided to players who should not have access to
that information.


       Well, when they provide a player with data on their geographical location, the
game sets a limitation for access of approximately 500 meters,
necessary for the development of the game. However, there are players who falsify their
geographical location using programs such as fake / fly gps accessing said
information from other cities or even other countries.


       Niantic allows location data to be provided to players without
verify whether or not you have falsified your geographical location.

       In the game all users have a name which in the case of the claimant is
"*** USER.1".


       A part of the game is the raids in which you fight between several players against
a pokemon impossible to defeat individually so they must meet in
specific points what makes them known, where they work, etc., for this reason
providing data about a player gives information to know what natural person he is.


       Those players may use that information to harass within the
game and even in real life (even minors, who are many who play
habitually).

       You have requested Niantic to stop providing your geographic location to
players who falsify their situation to which Niantic has not replied.

SECOND: The Subdirectorate General for Data Inspection proceeded to carry out

of previous investigative actions to clarify the facts that are the object of the
of the claim, having knowledge of the following points:


28001 - Madrid 6 sedeagpd.gob.es 2/7





       The person responsible for the Treatment for Pokémon GO users in Space
European Economic is not Niantic, Inc., but Niantic International Limited, based in
UK.



       As stated in the game's security policy, the data that is collected
They are:


       “By registering for our Services, you voluntarily provide us with
       Personal Data, for example, when you open an account. We collect and
       we use such data to authenticate your identity when you open a
       account and use the Services, to ensure that you can and do collect the
       requirements to receive the Services and receive the correct version of the
       themselves. Such data includes the username in the game that you
       choose to use in our Services and the internal IDs that we assign to your
       account.

       You must have an account with a single sign-on service
       compatible third party to use our Services. Therefore, the Data
       Personal data that we collect also depend on which third-party accounts
       you choose to use, of the privacy policies of such third parties and of what

       that allow us to see the privacy settings that you configure in
       such services when you use them to access the Niantic Services.

       If you choose to link your Google account to the Services, we will collect your
       Google email address and an authentication token
       provided by Google.

       If you choose to link your Facebook account to the Services, we will collect
       a unique user ID provided by Facebook and, if you allow it,
       your email address registered with Facebook. "


       Information Provided During User Creation / Login:


        1. Request for Permission to Access the Location: Pokémon GO is a
        location-based gameplay (i.e., gameplay depends on where you
        the player is in the real world). In this sense, Niantic UK needs

        collect location data of your players for the operation of the game
        as directed to players in Niantic's Terms of Service. TO
        such effects a pop-up window is displayed requesting permission to
        process data related to the location.

        2. Niantic Terms of Service: A window displays
        Popup that Includes a link to Niantic's Terms of Service. The
        Player can check the option 'ACCEPT or' DECLINE '.

        3. Niantic's Privacy Policy: A pop-up window displays
        requesting the player to review Niantic's Privacy Policy. The
        window contains two options that the player can check, 'OK' and

        "PRIVACY POLICY".



28001 - Madrid 6 sedeagpd.gob.es 3/7




       Information Provided During the Game:


        1. Niantic's Privacy Policy and Terms of Service: The Policy
        Niantic's Privacy Policy and Terms of Service to which it is made
        referenced above are accessible at all times during the game to
        through the Options section within the app.

        2. Friends: If a player decides to add another player as a friend within
        of the game, you must go to the Friends menu within the application. This menu

        It contains a link, 'List of friends and friendship levels'.
        There the following information is provided to the players: "Your friends
        they'll see your Trainer profile, achievements, and the Pokémon you've caught.

        Your friends will also know your location when you send them a Gift
        or trade Pokémon with them. "Players can choose to accept or
        decline any in-game friend requests they receive, and can
        delete a friend at any time.

        3. Functionality to Import Facebook Friends: This functionality
        it is disabled by default, and requires the player to enable it. That
        player who enables this functionality will see which Facebook friends are
        playing the game (provided they have also proactively decided

        participate in this functionality) and you can send to Facebook friends who
        chosen, in-game friend requests that the other player can
        accept or reject. To activate the functionality, the player must do the
        following:

        4. Adventure Sync functionality (Fitness Mode): This functionality is
        disabled by default, and requires the player to enable it. By enabling it
        Niantic UK is allowed to collect certain information about physical exercise on
        background even when the player is not interacting in a way
        direct with the application.

       Data of a specific player that is provided to third players,
circumstances, purpose and established form to obtain consent prior to the

data communication.
       Certain information about the players is made visible to other players
within the Pokémon GO application. This is necessary to allow

functioning of the multiplayer aspects or modes that are essential for the
playability. These multiplayer features are designed so that players
Players participate and play together in the same physical location in the real world.
Niantic's Privacy Policy outlines the information that is shared with others
players. As part of this multiplayer component, the information remains
visible to other players in the following circumstances:

            Gyms: To participate in multiplayer mode, which is essential
           For gameplay, players can choose to interact with

           in-game locations known as "Gyms". Nickname
           Trainer and the names of the Pokémon located in a Gym by
           part of those players who voluntarily decide to control a
           Gym by positioning your Pokémon on it, they will remain visible inside


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7



           of the game application for those other players who visit that
           same location within the game.

            Raids: To participate in multiplayer mode, which is essential
           for gameplay, players can voluntarily choose
           interact in Gyms by choosing to participate in an in-game event
           known as a "raid". In a raid, players unite
           with other players and use a selection of Pokémon to fight

           another more powerful Pokémon. Trainer nicknames, avatars, levels
           of Coach and teams of players who decide to participate in a
           foray into a specific Gym, they will remain visible to others
           players in a "lobby" within the game until the game begins.
           incursion.

            Baits: To participate in multiplayer mode, which is essential for the
           gameplay, players can voluntarily choose to interact with
           in-game locations known as "PokéStops". In a

           PokéStop, a player can choose to drop a known in-game item
           as a "bait module", which attracts Pokémon to the location within the game
           where the bait has been deposited for a limited period of time. The
           Coach name of the players who deposit a bait in a
           PokéStop will remain visible only to those other players

           visit that same location in the game while the bait is active.
            Coaches Combat: To participate in multiplayer mode, you

           is essential for gameplay, players can choose
           voluntarily take part in Coach Matches in which
           a player chooses a team of Pokémon to compete in a battle
           digital against another player's Pokémon. The players who decide
           fight each other can see their respective Trainer names,
           Avatar and Pokémon selected for combat. To participate in a

           Coaches Combat, players must be located in the same
           physical location in the real world (except for Friends within the
           game with a certain level, they can fight remotely).

            Friends: To participate in multiplayer mode, which is essential for the
           gameplay, players can voluntarily choose to add other
           players as friends within the game, through a request for
           In-game friendship that the other player can accept or reject. For
           Please see our responses to Question 2 for more information at

           respect. Players can also voluntarily decide to add
           friends via Facebook Friends import functionality
           described above. In-game Friends can see their
           respective Coach names (in-game username),
           level, team, avatar, Pokémon companions, and limited information about
           of the gameplay. Friends can also send gifts, exchange

           your Pokémon or battle remotely. Players can remove
           a friend at any time.

            Exchange: To participate in multiplayer mode, which is essential
           for gameplay, players can choose to trade,
           voluntarily, Pokémon with another player if they are friends within the game.
           Players can only trade with each other if


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7


           have reached a certain level of friendship within the game and that they
           are in the same physical location in the real world during the
           exchange,

    In relation to the procedures to falsify the identity or position of a
certain player to whom data of other players can be provided
supposedly close to this, the representatives of the entity state that

Niantic UK is aware that certain players engage in conduct
fraudulent or cheating that includes the falsification of the location (what is
called GPS location spoofing). These behaviors
violate Niantic's Terms of Service.

    Niantic UK is committed to creating a gaming experience
friendly and fair to all players and, as part of that commitment, executes
a three-touch policy against said fraudulent practices or
cheating of players who discover that they are practicing impersonation of

Location.
    In relation to the mechanisms used to prevent harassment of other players,

made based on the information obtained by the Pokémon GO game, the
representatives of the entity state that Niantic UK is committed to
Pokémon GO is a fun and safe experience for all players and for
all those in the real world where this game is played. The Conditions of
Niantic services specifically prohibit harassing others. The Standards of

Pokémon GO trainer encourages players to be respectful of others
players, not to harass others, and to report harassment suffered during the game to
Niantic UK. In addition, they advise players "not to use your real name as a nickname and
avoid publishing your nickname by relating it to your real name. "

    Regarding harassment of players based specifically on information
obtained by third parties using the game, Pokémon GO does not have any
chat or direct communication mechanism between players, and players only
they see limited information about each other during the game.

    Niantic UK implements filtering tools to avoid names of
Inappropriate or offensive coach when players choose their names from

Trainer. Additionally, in the Pokémon GO Trainer Rules, players are encouraged to
players to choose only suitable names (which includes avoiding choosing
Coach names using private information - either yours or others
-).

    Along with this, Niantic UK has implemented mechanisms that players
can be used to report any kind of harassment suffered during the game in
Pokémon GO.


                              FOUNDATIONS OF LAW


                                              I

       In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and



28001 - Madrid 6 sedeagpd.gob.es 6/7



guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for
Data Protection.


                                                 II


        In accordance with the provisions of article 55 of the RGPD, the Agency
Spanish Data Protection is competent to perform the functions that

are assigned to it in its article 57, among them, that of enforcing the Regulation and
promote the awareness of those responsible and those in charge of the treatment
about their obligations, as well as dealing with claims
submitted by an interested party and investigate the reason for them.


        It is also the responsibility of the Spanish Data Protection Agency to exercise
the powers of investigation regulated in article 58.1 of the same legal text, between
those that include the power to order the controller and the person in charge of the treatment that
provide any information required for the performance of their duties.

        Correlatively, article 31 of the RGPD establishes the obligation of the

data controllers and processors to cooperate with the supervisory authority
that he requests it in the performance of his functions. In the event that these have
appointed a data protection officer, Article 39 of the RGPD attributes to
this the function of cooperating with said authority.


        Similarly, the domestic legal system also provides for the possibility
to open a period of information or previous actions. In this sense, the article
55 of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations, grants this power to the competent body in order to
know the circumstances of the specific case and whether or not to start the

process.

                                                 III

        In the present case, the claim submitted has been received at this Agency
by the claimant against the defendant for the alleged violation of article 6 of the

RGPD that guarantees the legality of the treatment.

        In the present case, the claimant has asked the defendant not to provide his
geographical location to players who falsify theirs.


        In accordance with the regulations set forth, prior to admission to
processing this claim, the Subdirectorate General for Data Inspection proceeded to
carrying out preliminary investigation actions to clarify the
facts that are the subject of the claim.

        As a result of the investigations carried out by the Agency, the claimed
states that he is aware that certain players carry out behaviors
fraudulent or cheating that includes the falsification of the location (what is
called GPS location spoofing). These behaviors

violate the Claimed's Terms of Service.


28001 - Madrid 6 sedeagpd.gob.es 7/7

       The complainant is committed to creating a gaming experience
friendly and fair to all players and, as part of that commitment, executes

a three-touch policy against said fraudulent practices or
cheating of players who discover that they are practicing impersonation of
Location.

       For this reason, the Director of the Spanish Agency for Data Protection

agrees to archive these actions, as the specific
claim.

       Therefore, in accordance with the provisions, by the Director of the Agency
Spanish Data Protection,


HE REMEMBERS:

        1. PROCEED WITH THE FILING of these actions.


        2. NOTIFY this resolution to the claimant and claimed.

       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.


       Against this resolution, which puts an end to the administrative procedure according to
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations, and in accordance with the
established in arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.



Mar Spain Martí
Director of the Spanish Agency for Data Protection
















28001 - Madrid 6 sedeagpd.gob.es