To attend the championship this year, fans must use a digital ticket provided through UEFA’s Ticket application. According to Heise, this app requires access to personal data, including name, email, phone number, and GPS permissions. While app store descriptions note the collection of personal information and activity data for analysis purposes, they omit any mention of location sharing.
That can’t possibly be legal in Europe. The article suggests it doesn’t technically violate GDPR, but that still can’t be legal, can it?
You seem to be operating on a mistaken understanding of the EU. While the EU works to protect citizens within the EU from being monitored, tracked, and monetized by foreign entities and private EU companies, they have no concept of personal privacy of citizens within the EU from the EU governments themselves. If the data is being sent to the police, it is legal. See the EU Councils position on encryption and what level of access law enforcement within EU nations should have.
The UEFA ticket app doesn’t even have location functions. They’re talking about the Euro 2024 app, which I also checked and it doesn’t take location data, and it doesn’t share data at all.
I don’t know if they changed it or if users were talking about another app.
Oddly enough when I searched for the apps in the store, another unrelated football app showed at the top and it did exactly what the article is claiming.
When and how did you check this? The following quotes are taken from the posted article, emphasis mine.
UEFA told us that all location data is anonymized and only tracked on match days, starting six hours before kick-off and ending six hours after the match. The data aids in managing fan flow and ensuring timely updates via push notifications. UEFA’s spokesperson said this location data is “an invaluable tool” in maintaining safety.
For starters, we are reluctant to believe that both Bayerischer Rundfunk (who made the video in collaboration with the actual people involved in the monitoring process) and Heise would have mislabeled the UEFA Ticket app instead of saying it is the EURO 2024 app.
As it stands, Stack Diary cannot independently verify what the insides of the Ticket app look like because the tickets have been sold out since early June, and you are required a QR code to see what the app looks like. If you have more information to give, please get in touch with us.
According to Heise, the app requires explicit GPS permissions, which are not disclosed on the Android or iOS privacy pages for the UEFA Mobile Tickets application. When checking with Exodus, both the Tickets and the EURO app require “ACCESS_FINE_LOCATION” and “ACCESS_COARSE_LOCATION” permissions, which allow an app to access precise location data using GPS, Wi-Fi, and mobile networks.
The entire point of this story is that the UEFA ticket app requires access to location functions without telling the user. Have you either used a tool like exodus or extracted the source code of the ticket app from the apk and manually reviewed it?
Also, you sound like you’re under the assumption that users reported this. You realize that this was originally reported by the German IT news outlet heise.de and not by complaints from random users right?
If there’s one thing I’ve learned about Europeans is they’ll put up with ANY level of corruption if it involves their glorious football