Project red card and privacy concerns

PROJECT RED CARD

Project Red Card is an initiative by former Cardiff City and Leyton Orient manager Russell Slade wherein a major lawsuit is being filed by over 400 professional footballers against gaming, betting, and data-processing companies based on the assertion that certain third-party companies are using the players' personal, performance and tracking data without their consent or compensation. The action will seek to recover compensation for players stretching back six years which is the maximum period under the UK statute of limitations.

The group argues that under UK and EU data protection laws, players’ performance data can be considered personal data, and is being exploited for financial gain without their consent.[1]

The lawsuit has laid bare the teeth of the new Data Protection regime brought in by the General Data Protection Regulation( GDPR) in 2018.

DATA IN SPORTS

Data analytics in sports was first popularized by the efforts of Billy Beane during his reign as General manager of the Oaklands Athletics baseball team (also portrayed in the commercial film Moneyball). However, its a common practice now for sporting and athletic organizations today to monitor the performance of their athletes. This could involve collecting data such as information about a player's speed, or how many times the individual passed the ball. In addition, data is being collected from the players during their training sessions and actual matches to better gauge the performances of the players and to determine methods of improving them.

Furthermore, football clubs themselves have been actively covering advanced and detailed medical data such as cardiovascular metrics, body composition, distance covered, respiratory patterns in a game and medical history to assess the physical and athletic conditions of the players.

However, the lawsuit has taken cognizance of the potentially illegal processing of data by betting companies, fantasy sport companies who utilize the information to predict the performances of players and to determine the odds in a game or over a specific player’s performance.

SPORTS DATA AND GDPR

The data collected by these organizations could ostensibly fall within the definition of “personal data” in the GDPR. Some of these statistics may also fall within the definition of “data concerning health” – meaning that they constitute “special categories of personal data” under GDPR, and therefore qualify for extra protections. There are a wide range of entities who are potentially processing this personal data including football clubs, data processing, betting companies, fantasy sports providers and video game developers. Accordingly, the following issues would be of importance when the lawsuit is potentially brought up for trial:

Lack of transparency and fairness: The GDPR requires that the data be processed in a “fair and transparent” manner. If these data processing entities have not clearly informed these footballers how they are using their data, this might be evidence of a lack of transparency and fairness. The strength of such a claim would depend on the factual circumstances basis the entities who are engaging in the processing of data and their privacy agreements with such players.

Legal processing ground: The GDPR requires that the data be processed with a lawful processing ground. The players could argue the correct processing ground should be consent, which must be obtained before organizations can utilize their data.

Processing of Sensitive Data: The GDPR has provided additional protection to individuals whose sensitive data is being processed by any entity. While it may be argued that a large percentage of these statistics are available easily due to the broadcast of the games, medical data, such as energy expenditure or cardiovascular metrics may be considered private to the individual.

Consent: The GDPR has delineated the conditions for a consent to be valid. While it may be argued by the organizations that the player’s consent had been acquired at the stage of the contract signing, it could be an obstacle to demonstrate that the request for consent had been presented in a manner which was clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language[2].

Profiling: The GDPR protects the rights of the profiling data subjects and provides them the right to not be subject of such profiling. Betting companies and fantasy sport entities engage in creation of complete player profiles on which they base their services and products.  Moreover, the medical data of the players also form a vital part of such player profiles and would require the express consent of the players for processing.[3] The players can allege that their data profiles have been developed without their consent and seek erasure of the same under GDPR.

POSSIBLE DEFENSE TAKEN UP BY THE DEFENDANTS

Legitimate interests: The Defendants may use the ‘legitimate interests’ assessment to exhibit that the processing is necessary for the legitimate interest, and this interest is more important than the rights of the footballers.[4] The GDPR allows processing of data if it is necessary for the purpose of the performance of a contract or for the purposes of the legitimate interests of the processing entity or third party. For legitimate interest to be invoked, a three-part test is to be considered - the entity should have a legitimate interest in processing, it should be necessary for that interest and the interest should not be overridden by the individual's interests, rights or freedoms[5]. The assessment however will not provide a blanket defense to all the defendant entities and would be assessed on a case-to-case basis.

While football clubs may argue that they have adequate legitimate interest to even process sensitive data owing to the maintenance of the health and fitness of players[6] [under the Health and Safety at Work etc. Act 1974 ('the 1974 Act'), clubs owe duties to their employees (among others) to maintain a healthy and safe working environment, and so clubs might be able to rely on the 1974 Act to, for example, process medical and biometric data to identify whether an athlete has a high risk of developing cardiovascular problems]; fantasy game providers, video game developers and betting companies could be constrained to explain their usage and commercialization of such medical data.

IMPLICATIONS OF THE LAWSUIT

Video game manufacturers, fantasy sports providers and sports betting companies rely on a vast array of player data on which they base their products and services. Whilst these entities may claim that they have specific licenses in place for the acquisition of the data from the clubs, it could still leave the possibility of a huge compensation payable to the players for the processing of their data without their consent.

In furtherance of the same, the lawsuit could open the Pandora’s Box of data ownership and whether specific licenses need to be acquired from the players too for the processing of their data. The players would be further empowered to stay informed of the purpose of the processing of their data and to object to the same if it is not tenable to them.[7] It is also extremely likely to cross-over with intellectual property rights and the extent to which a player's performance statistics can be argued to form part of their "image rights".[8] There is even a possibility that the players could be permitted to ‘license’ their data in the future, akin to ‘image rights’.

However, even if the players are successful with their litigation, it remains highly unlikely that such a ‘licensing regime’ would be created. The GDPR provides the remedy for a complaint or legal action based on principles of transparency and fairness by imposition of compensatory fines, which may be pecuniary or non-pecuniary in nature[9].

CONCLUSION

It is undeniable that the role of analytics in sports will continue to gain importance with the evolution of sports and technology over time. However, players can now demand accountability from these data processing entities on how their data is being processed and commercialized.

Project Red Card could prove to be a remarkably interesting and monumental initiative as the lawsuit could delve into areas which have been previously left unexamined.  The issue of data ownership and privacy of athletes transcends soccer and could become a common area of discussion for athletes across the globe, in various sports and leagues. The National Football League Players Association had previously joined a partnership with a wearable technology company that would give players the ownership of all data coming from the product they wear.[10]

However, it remains as likely a possibility that the players may not litigate upon the issue and elect to pressurize the data processing entities into agreeing to a licensing scheme for their data. A similar situation had played out in England a few years back when the players were fighting over their image rights over theirs names and likenesses in video games. In recognition of the weak image rights protection regime in England, FIFPRo, the international body which represents players’ image rights, had historically sued video games developers such as EA Sports in Germany which had a robust image rights protection regime.

As a result of the litigations in Germany, video game developers now pay a license fee to use Premier League player names and likenesses, even if it is not required to by UK law.

Project Red Card will bring into focus the nature of agreements signed between football clubs and players, data processing entities and the legality of the same in light of the provisions of GDPR. Project Red Card has also brought negative publicity upon the footballers, who have been accused of trying to mint more money from a sport they have already reaped their millions from. However, there is value in information and athletes deserve adequate protection and compensation for the same if their rights have been violated.

Project Red Card assumes importance for India in view of the impending Personal Data Privacy Bill, which is likely to be tabled in Parliament next month. While there are common issues that could potentially arise in the Indian context as well (given that GDPR has been looked at as a guiding document to formulate the Bill), however, given that a latest report on the much awaited Bill suggests up to 89 amendments having been suggested to the previous draft by the Parliamentary expert committee dealing with the Draft Bill, it would be interesting to watch this space for further comments on this subject.