It is common practice for sports clubs to communicate with members using WhatsApp's 'group chat' feature. The collection and further dissemination of personal data in this manner gives rise to concerns from a data protection law compliance perspective. The GAA, which has identified a number of concerns, recently updated its Social Media Policy and Guidelines (the "GAA Policy") to advise its members that WhatsApp groups used for official communications might not be compliant with the EU General Data Protection Regulation (the "GDPR").
The GAA Policy sets out three potential GDPR compliance issues that arise where personal data is shared via WhatsApp groups, each of which we consider below.
1. Lawful Basis
The GDPR mandates that personal data can only be processed where there is a lawful basis for doing so. Examples of lawful bases include where the processing is necessary to perform a contract, to pursue legitimate interests or to comply with a legal obligation.
In many cases, there will be a clear lawful basis for sports clubs to collect personal data from members (e.g. to administer club membership or to comply with child protection laws). However, the processing would only be lawful to the extent that the data collected is limited to what is necessary for that purpose and that the processing itself is restricted to that purpose alone.
If there is additional processing of club member personal data, for example, numbers and profile pictures being shared with larger WhatsApp groups (who do not need access to the data), it may be necessary to obtain consent from the club members to ensure the processing is lawful. The GDPR mandates that consent is only valid if it is specific, fully informed, freely given, provided by means of a clear affirmative action and as easy to withdraw as it was to provide.
2. Compliance with Subject Access Requests (SARs)
A data subject has the right to obtain a copy of his or her personal data from the controller of that personal data. The controller must respond with a copy of the personal data within one month of receiving the SAR. This right is subject to a number of exceptions, e.g. withholding data that is privileged or where disclosing the data may adversely affect the rights and interests of others.
Sports clubs which are controllers responding to any such SAR must locate data across various media, collate the data and, before handing it over to the data subject, review the personal data to ensure that none of the exceptions under the Data Protection Acts 1988-2018 apply and, in particular, that the disclosure of the personal data does not adversely affect the rights and interests of others.
The transmission and storage of personal data across multiple WhatsApp groups creates challenges for sports clubs in seeking to comply with SARs and providing members with a full suite of personal data within a one-month timeframe. This challenge is exacerbated by the fact that WhatsApp does not have an auditing feature which would allow the club to gather all a subject's personal data or to delete it.
3. International Data Transfers
There is also a risk that personal data may be transferred outside the European Economic Area ("EEA") without the additional safeguards required by the GDPR being put in place by the club.
The GDPR mandates that personal data may only be transferred outside the EEA where the destination country has been recognised as providing an adequate level of protection or where appropriate safeguards have been put in place for the recipient in question (e.g. by putting certain contractual terms in place with the relevant recipient).
The GAA Policy states that "due to these reasons, the use of WhatsApp in an official capacity is not advisable".
WhatsApp has responded to the GAA Policy, emphasising that the messaging service also has a number of built-in tools which put individual users in control of their group interactions. These include the 'Group Privacy Setting', which enables users to decide, at a granular level, who can add them to a group. This feature can be found in the settings section of the service under 'Privacy'.
Potential Solutions & Steps for Clubs to Take
In response to these concerns, the GAA has started developing what is intended to be a GDPR-compliant messaging service as part of its own app. This messaging service would ensure that: (a) personal data is not shared without consent; (b) clubs have auditing ability over the personal data processed; and (c) all personal data is stored within the EEA.
These GDPR concerns need to be considered by all sports clubs that use messaging services for official communications with teams and members. National governing bodies and clubs should develop or use a communication method which complies with the GDPR including by:
- Not sharing club members' names, phone numbers and other personal data without their consent or another lawful basis. This might be achieved by contacting club members individually rather than through a group chat;
- Using a messaging service that allows clubs the ability to compile a member's personal data and delete it if requested to do so by the member; and
- Ensuring the messaging service stores personal data within the EEA, or if transferring data outside the EEA, the service has the required additional safeguards in place.
Governing bodies and clubs should further consolidate these steps by appointing an individual to take responsibility for data protection compliance and putting in place data protection policies, practices and accountability frameworks to comply with the GDPR and the Irish Data Protection Acts 1988-2018.