The commercial exploitation of participants’ personal data is widespread in every sport. In football, data analysis companies record and analyse every player’s every pass, shot and run, alongside other information. This is then sold to, among others, video games developers and bookmakers, generating millions of pounds in revenue. Now football players want a piece of the action.
According to reports from various media outlets recently, 850 players, led by Russell Slade (former manager of Cardiff City), want compensation for the trading of their personal data over the past six years by various companies. They also want an annual fee from the companies for any future use. BBC News reported that 17 major betting, entertainment and data collection firms have been targeted initially, but Slade’s Global Sports Data and Technology Group has highlighted more than 150 targets it believes have ‘misused’ data. His legal team claim that the fact that players receive no payment for the unlicensed use of their data contravenes the General Data Protection Regulation, or the UK GDPR to be more precise. However, the precise legal basis of their claim is unclear. In an interview with the BBC, Slade said: ‘There are companies that are taking that data and processing that data without the individual consent of that player.’
This suggests a claim for breach of the First Data Protection Principle (Lawfulness and Transparency). However, if the players’ personal data is provided by their clubs (for example, height, weight, performance at training sessions and so on) then it may be that players have already consented (and been recompensed for this) as part of their player contract. In any event, data protection professionals will know that consent is only one way in which a data controller, football club, or a data analytics company in this case, can justify the processing of personal data under article 6 of the UK GDPR. Article 6(1)(f) allows processing where it ‘is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data’.
Of course, this requires a balancing exercise considering the interest pursued by the clubs and data companies against the impact on individual players’ privacy. Some would argue that as far as public domain information is concerned, the impact on players’ privacy is minimal. After all anyone can collect the information by watching a football match. However, ‘the interests or fundamental rights and freedoms of the data subject’, referred to in article 6(1)(f) include loss of control and financial loss, both of which could be argued result from the alleged unauthorised use of data.
The BBC article quotes former Wales international Dave Edwards, one of the players behind the move, as saying: ‘The more I’ve looked into it and you see how our data is used, the amount of channels it’s passed through, all the different organisations which use it, I feel as a player we should have a say on who is allowed to use it.’
The above seems to suggest that the players’ argument is also about control of their personal data. The UK GDPR does give players rights over their data which allow them to exercise some element of control, including the right to see what data is held about them, to object to its processing and to ask for it to be deleted. It may be that players are exercising or attempting to exercise these rights to exert pressure on the companies to compensate them. What is clear is that the claim seems to be more about players wanting a fair share of the income generated by the use of the data rather than the protection of their privacy. Many would argue that data protection law is not intended to provide players with a right to income from their data.
The focus on sports players’ data is likely to get more intense with the increasing use of wearable technology that tracks players’ performance in intimate detail. In the US, basketball players wear smart rings, which measure temperature and sleep levels, and some international rugby federations now use RFID chips to help track player performance in training and on the field. Some of this information will be health data, the use of which is restricted by article 9 of the UK GDPR unless strict conditions are met. In fact, it is difficult to see how such data can be processed without the explicit consent of the players as set out in article 9(2).
Without seeing the paperwork, including the letters before action served on the companies, we can only speculate about the legal basis of the players’ claim at this stage. Nonetheless, this is an interesting case and one to watch. If successful, the implications could have effects far beyond football. It could give athletes the power to license the exploitation of their data on a commercial basis, creating the equivalent of image rights in respect of their data. It may even get data protection being talked about on the football terraces and in the golf clubs!
Ibrahim Hasan is the director of Act Now Training and editor of the UK GDPR Handbook