First fine by the Spanish Data Protection Agency for a pirate website

The Spanish Data Protection Agency (AEPD) has imposed a EUR 5,000 fine on the owners of site Lolabits.es for the infringement of Article 22.2, related to rights of users, of Law 34/2002 on Information Society Services and Electronic Commerce (Spanish LSSI).

In its resolution, the AEPD details that website Lolabits.es, managed by its owners through a Cyprus-based company, used DARD (Data Recovery Storage Device) for the purpose of “web analytics of third party” and “social networks management”, including “an information system, on a first layer where the purpose of DARDs used is not specified; and on a second layer, with no reference to the local storage related to social networks”.

“Therefore –adds the AEPD– it cannot be understood that the website provided the user with enough information to grant informed consent, to allow the use of DARD”, what means “non-compliance with the obligations of information or with putting in place a procedure for refusing data treatment, established in sub-paragraph 2 of article 22 LSSI.

Personal data collection is one of the most common ways of funding pirate websites, as the Piracy observatory confirms when stating that 36.4% of users of these sites have to sign up and grant personal data, facilitating the creation of databases that reach a high price in the market.

Digital piracy keeps being a most serious problem in Spain: for the last five years, according to details from the Piracy observatory carried out every year by GfK, cultural and content industries have been suffering an accumulated lost profit of 5,915 million euros.

Besides, AEPD’s resolution recalls that, in spite of the claimed allegation against, the European Union Court of Justice (sentence C-582/2014) has declared that “IP addresses, even dynamic, constitute personal data, and therefore they must be treated as such by people in charge of websites”.

AEPD concludes with the statement that “by means of the joint assessment of the proceedings carried out and the documents included in the file, it has been proven that […] the complained website did not offered information regarding the installation of storage devices and data recovery“, despite that “the EU and national legislation establish the need to obtain informed consent for the purpose of guaranteeing that they can know the use of their details and the purposes they are used for”.

A presumed storage site that worked as a huge piracy repository

In February 2016, members of the Coalition AGEDI, AIE, CEDRO, EGEDA, FEDICINE and SGAE filed complaints before the AEPD against Lolabits.es for infringements of the LOPD (Data protection law) and the LSSI (IP Law), and have very positively received this resolution, as further than the amount of the fine imposed, the strong message on the consequences of failing to comply with our country’s data protection regulations opens a new horizon against digital content piracy and lay siege to pirate sites, reducing their impunity sphere.

Lolabits.es, the complained site, was advertised as a file storage service supposedly competing with services such as Dropbox or Google Drive, and even approached the mobile device segment by means of an Android app that allowed uploading, downloading, managing and sharing all the files stored in the user’s account.

However, in fact Lolabits.es was one of more active digital piracy sites, as the files uploaded by users were public, including whole folders and even with a search engine feature to find content. Shortly before its closure, its home “last seen” section offered folders full of music, films, books and other intellectual property rights protected contents.

All of it being indeed a free site offering unlimited storage, which facilitated it to become one of the most popular sites to access pirate content, with traffic data that, according to Similar Web, accounted for 2.9 million users monthly as per February 2016, when the complaint was filed. Thus, the associations and right owners of contents that constantly and fraudulently were accessed, suffering enormous losses, place in value the AEPD’s action.