AEPD (Spain) - E/09208/2018
Relevant Law: Article 6 GDPR; Article 32 GDPR
Niantic International Limited
National Case Number/Name: E/09208/2018
European Case Law Identifier: n/a
Original Source: AEPD (in ES)
The Spanish DPA considered that the software developer of the interactive, real-location game 'Pokemon Go' had implemented adequate measures to mitigate the risks stemming from malicious users faking their location and misusing the location data of other users.
English Summary
Facts
A data subject lodged a complaint with the Spanish DPA (AEPD) against Niantic, a software developer, regarding their interactive game "Pokemon Go".
Pokemon GO is a game in which users interact with the real world, so they share their location in order to move around the map. This includes sharing their user data with others when they go to specific locations called "gyms", in which they play together with others. For that, a user needs to be at least at 500m from the site. Therefore, their real location is also known.
However, some users fake their real location so that they can access the gyms from further away. As a result, the location of other users may also be shared not only with regular players but with players who are faking their location.
This data can easily indicate where a person lives or works. Malicious users could access it and also infer the real identity of these data subjects, which may lead to harassment or stalking. It is important to note that a large number of the game's players are minors, which increases the risk.
The complainant had asked Niantic to avoid sharing location data with users that were known to be faking their location.
Niantic stated that it has a security policy in place that tries to tackle that problem. Players who are detected using these methods are warned under a three-strikes mechanism. Niantic also has additional measures, such as information about the data that is shared, a recommendation not to provide your real name, the lack of a chat where users can directly interact, prohibitions on harassment and misuse, limited sharing of data, and different privacy options and information.
Holding
The AEPD considered that the controller had correctly assessed the risks and implemented adequate measures to mitigate them. Their three-strikes mechanism for users that fake their location is deemed to be enough to deal with the alleged risk. Therefore, the DPA decided to archive the case.
Comment
Although the facts of the case have a logical connection with other GDPR Articles, such as Article 32 GDPR on the security of processing, the AEPD did not consider their content; it limited its analysis to, and only referred to, Article 6 GDPR and the lawfulness of the processing.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.