Privacy warnings for football fans worldwide as World Cup kicks off in Qatar
21 November 2022
As thousands of football fans make their way to the 2022 FIFA World Cup in Qatar, significant concerns have been raised by privacy experts about two mobile apps that fans have been told they will require during their visit.
Data protection regulators across Europe have been reviewing the Ehteraz and Hayya apps with alarm. The Norwegian data protection regulator has voiced concerns that Qatari authorities may use the apps to monitor visitors to the country. The German and French data protection regulators have advised fans to take extreme measures to protect their privacy if using the apps, including by erasing all personal data from devices before installing the apps or purchasing cheap “burner” phones solely for the purpose of installing the apps in favour of downloading them to their usual mobile devices.
According to the UK Government’s foreign travel advice*, visitors to Qatar between 1 November and 23 December 2022 are required by the Qatari Ministry of Interior to apply for a Hayya Card which is enabled by the Hayya app. Hayya provides access to free public transport, discounts on local services and is necessary for entry into stadium grounds. Once installed, the app constantly tracks user location. Additionally, its permissions have been analysed by digital security professionals across Europe who have confirmed that it has unrestricted access to personal data held on user devices.
Until recently, travellers were also required to install the Ehteraz app, a Covid-19 tracking system, in order to enter Qatar. However, in recent weeks the Ministry has conceded that it is only necessary for those needing to access healthcare during their visit. The app initially caused international controversy after its launch in 2020, prompting the Qatari Ministry of Public Health to speak out against allegations that the app collected excessive data from users’ devices and made it available to the authorities**.
Recent analysis of the app confirms that user privacy implications do still exist. The app runs in the background of its user’s device and this cannot be disabled while the app is installed. In addition it continually maps its users’ location particularly in relation to other app users, a function initially used to establish whether users had been in a public place and within two metres of each other. Of primary concern is the fact that personal data contained within a device’s photo and video gallery and contacts lists appears to be made available to unidentified third parties.
Neither the purpose for the extensive access of each app to device data nor the potential audience of such data is explained in the privacy information made available to those downloading them. In any event it is difficult to determine any reasonable purpose for such access or the potential sharing of the data with third parties.
Critically, it would simply not occur to fans from the UK or the EU that these apps would allow such broad access to their personal information. We are used to the high levels of protection and transparency required under UK and EU data protection laws. This is a stark reminder of just why our laws are considered to set the standard for data protection.
If you would like further information on the issues raised in this article please contact a member of the Commercial & Technology Team.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at November 2022.