The major global challenges in managing data to protect sporting integrity

Published 26 January 2018 By: Nick Fitzpatrick, Ruth Hoy


The author spoke at Sportel in October about data issues in relation to the regulation of sport, particularly in relation to data and betting integrity.

The topic raises a number of knotty issues:

  • "Data" is a technical area of law, both in IP terms, and because of the fresh consideration given to protection issues arising out of the General Data Protection Regulation.

  • In the gambling context, there is still a developing practice as to how the various stakeholders should best collaborate to preserve the integrity of sport (a matter of mutual interest), while preserving their own (often conflicting) commercial positions.

  • On betting integrity, practice is largely built on self-regulation and formal/informal collaboration between stakeholders. It's built around MoUs, contracts, working groups, collaborations and contacts as much as black letter law.

  • There is a series of emerging threats, the importance of which is yet to be fully understood: the integrity of data gathering, fake data (e.g. "ghost games"), and the use of "sock puppets" and other social media devices to spread misleading information.

This article considers key contemporary issues in managing data to protect sporting integrity, and looks specifically at:

Part 1:

  • The need for better collaboration among stakeholders

  • Self-regulatory models for information sharing

  • The global dimension

  • Obstacles to sharing information - data protection and the impact of GDPR

Part 2:

  • The implications on data in sport in light of improvements in technology

  • The legality of using an unofficial data source


The need for better collaboration among stakeholders

The use of data for betting integrity is important to sports bodies, betting companies who rely on the integrity of sport to maintain trust in their own products and minimise losses through fraud, and increasingly (as the process of opening up gambling markets has continued across Europe and beyond), government regulators. For operators, data is, in any event, at the heart of their business: from setting odds to “Knowing Your Customer”.

Working out where suspicious betting patterns arise (and in particular where "unusual" becomes "suspicious"), and taking enforcement action, is not the work of any one group of people. It’s a collaboration, requiring an analytical approach to monitoring betting markets, effective investigative processes, expert knowledge of the relevant sports and markets, and resource commitment from regulators and law enforcement. In this, information sharing is key, but there isn’t a single uniform process for managing collaboration to prevent betting integrity issues:

  • Even in Europe, some EU Member States (including the UK, Germany (Schleswig-Holstein), and Italy) put direct obligations on their national "Gambling Authority" to proactively collect and process information on suspicious sports betting activity: often through specific licence conditions imposed on betting operators, but sometimes through more indirect obligations (like imposing general requirements on operators to protect betting integrity).

  • In many EU countries, there is no direct obligation at all for gambling regulators to collect information on suspicious betting patterns or to share information about suspicious betting patterns with the betting regulators. Some jurisdictions have introduced obligations on either the betting regulator to proactively collect information on suspicious betting patterns, or on betting operators to report suspicious betting patterns to the regulator. However, there are differences in the extent to which obligations are direct or indirect and the extent to which reactive or proactive approaches are used.

  • In the UK betting regulators also have to share information with selected sport governing bodies.

  • Generally betting integrity regulation is better dealt with in those countries who have renewed their gambling legislation recently. In the UK, for example, the Gambling Commission (and the Sports Betting Intelligence Unit (SBIU) - the unit within the Gambling Commission which deals with reports of betting-related corruption) form the hub of our regulatory response. The UK's "point of consumption" regime requires all operators who place bets with UK punters to register in the UK. Betting operators are required to report suspicious activity to the Gambling Commission under their licence conditions (Section 15.1 of Licensing Condition and Codes of Practice). Betting operators are also required to provide information to Sport Governing Bodies if betting operators suspect that information in their possession may lead the Gambling Commission to consider making an order to void a bet (the Gambling Commission has powers to void bets), and which relate to a breach of a rule applied by that sport governing body. Sports bodies in the UK are not obliged to inform the Gambling Commission when they detect something suspicious, but in practice are likely to do so.

Sports regulators now commonly incorporate into their rules specific requirements on preserving betting integrity. Uniquely, sports regulators have access (typically contractually enforced) to participants, officials and venues and can effectively gather information. They can use their Rules to investigate and sanction participants and officials where necessary, and impose obligations on participants to yield up data. But at the investigatory stage there is a vast difference between different sports regulators. Some have significant cost and expertise wrapped up in their integrity function - developing in-house expertise and forming partnerships to develop intelligence on suspicious betting activity. Others do not. Inevitably investigations are restricted by available resources.

This in itself raises a few tricky issues:

  • On the one hand, some operators say they want to share information with sports bodies directly when something "does not feel right". On the other, they are concerned to satisfy themselves that the sports body will deal correctly with the information.

  • Discussions on this topic typically quickly end up in the perennial issue of "who pays?". Is it - to borrow the concept from environmental law - that the "polluter should pay", or the sports body?

Self-regulatory models for information sharing

Examples of industry cooperation include:

  • Memorandums of Understanding (MoUs) between betting operators and sport governing bodies, about the exchange of information. MoUs describe how information is to be shared, and may include obligations for how the recipient should deal with personal information. They are typically non legally binding expressions of a willingness to cooperate. Most of the large betting operators have MoUs with several – but not all - sports governing bodies. Some sports have refused to sign them.

  • Cooperation between betting operators to inform each other of suspicious betting activity. An example is the European Sports Security Association (ESSA). Its members include a number of larger bookmakers. Members share alerts with other members of the association. If suspicions arise, ESSA will share them with regulatory bodies or sports bodies where MoUs are in place (ESSA has MoUs with over 20 of the larger sports associations and regulatory bodies, including the International Olympic Committee (IOC), FIFA, the Tennis Integrity Unit, the Spanish Football Federation, the UK Gambling Commission, and the Malta Lotteries and Gaming Authority).

  • Commercial contracts between betting monitoring companies (Sportradar, Perform, Genius etc) and one or more buyers of their surveillance services, under which the companies monitor betting markets and report suspicious sport betting activity to their customers.

  • The Sportradar Fraud Detection System, which monitors patterns worldwide and uses algorithms to detect possible match-fixing.

  • The IOC Integrity Betting Intelligence System (IBIS) - The IOC IBIS allows for the exchange of information and intelligence for use by stakeholders of the Olympic Movement.

The global dimension

One complication is that fraud in the gambling market is commonly highly international: often facilitated through Asian betting markets with high liquidity and weak regulation.

Suspicious sport betting activity will often be cross-border: bets are placed with a betting operator in one country, on a match in another country, by punters in a third country. The betting operator or the betting regulator will therefore often be in a situation where the bets might be placed in their country, but on a match in another country, and by punters in another country. In order to share this information with the relevant public authorities and/or sport governing bodies, they must know who to contact and who to share the information with, which in itself can be quite a task.

Global problems require global solutions. One step in this direction is the Council of Europe's Convention on the Manipulation of Sports Competitions1 (the Macolin Convention) which is open for signature to parties outside of the Council of Europe (signatories include Japan, New Zealand and Canada), but is yet to be ratified by the EU.

The Convention is the first legally-binding international tool to fight match-fixing, focusing on key aspects of that fight: prevention, law enforcement, the exchange of information among the various actors and, of course, international cooperation. The aim is to bring the parties closer together in their efforts to tackle this problem through coordinated "national platforms". The aim is to

"prevent, detect and sanction the manipulation of sports competitions under both criminal law and disciplinary provisions, as well as facilitate information exchange and national and international cooperation between public authorities, sports organisations and sports betting operators".2

Obstacles to sharing information - data protection and the impact of GDPR

Information shared about suspicious sport betting activity will often be personal information and must therefore respect the data protection requirements in that particular country and in that particular situation. This can present a barrier to sharing information.

Betting operators will usually rely on Terms and Conditions under which customers agree upon opening an account, that personal information can be shared with relevant bodies like betting regulators and sport governing bodies with whom the betting operator has an MoU. Betting operators can therefore in principle share information with betting regulators and sport governing bodies. They can also choose to share information with organisations they do not have a MoU with if the recipient is able to handle personal information securely.

In their statutes and regulations, sports federations also typically say that they can share personal information from their members with relevant bodies.

The main obstacle to date has been national and/or EU data protection legislation. In particular, public prosecutors are either unable to share information with private organisations or unwilling to share information for fear that it might harm their case if information leaks. Although in the UK the Gambling Commission is allowed, by law, to share information with sport governing bodies if certain criteria are fulfilled (see above) typically European sport governing bodies have found it difficult to secure recognition as an entity that has legitimate rights to access and acquire personal data.

Sharing will also be further complicated when the GDPR applies from 25 May 2018. Governing bodies will, like other data controllers, be required to comply with a number of new legal obligations from next May as they process personal data. In the context of betting integrity, their main concern is that, although they are not public authorities (to whom exemptions are available under the regulations), they clearly perform integrity functions in the public interest.

Some aspects of the GDPR – and in particular the changes to "consent" of the data subject - create risks for sports governing bodies in carrying out those regulatory functions. Relying on "consent" for regulatory functions (always problematic) will clearly be unreliable:

  • Under Recital 42, there is a presumption that consent is not freely given where the data subject has no genuine choice and cannot withdraw consent without detriment: if consent to processing of data is not valid, this leaves bodies with no lawful basis for processing such data under GDPR.

  • The right to be forgotten (Article 17(1)(b)) allows participants to require participating bodies to erase data already collected, clearly an impediment to investigatory and enforcement processes.

If consent is ruled out there are other justifications which sports bodies may rely on, but none are risk free. Article 9(g) of the GDPR, for example, permits the processing of sensitive personal data where it is necessary for reasons of “substantial public interest” as determined by “Union or Member State Law”. Inevitably though, relying on such a broadly framed provision in this context invites challenge.

This has led to lobbying by sports bodies of their domestic governments to introduce specific provisions clarifying the position on issues such as betting integrity. Although the Regulations take direct effect, Article 6(2) of the GDPR does allow Member States to introduce specific provisions to adapt the application of the rules "by determining more precisely specific requirements….". By Article 23, Member States may also introduce exemptions to data subject rights where this is a proportionate measure to safeguard the "rights and freedoms of others".

In the UK, this has led to a concerted effort to ensure the Data Protection Bill (implementing the GDPR) includes a legal basis for processing sensitive data where that is required to fulfil a regulatory function in the substantial public interest, irrespective of consent. Currently, the Bill is making its way through the Lords, and amendments are being considered on precisely those issues. This would be good news for UK sports bodies, but it also means that sports regulators are likely to be left in the sub-optimal position of dealing with a patchwork of arrangements across Europe.

Part 2: The implications on data in sport in light of improvements in technology

With improvements in technology, more and more data about sporting events is being captured. A number of different groups claim to 'own' such data - the players themselves ("the data wouldn't exist if we didn't participate"), the data companies ("it's our technology which is driving data collection and analytics") and the sports rightsowners themselves ("it's our competition").

The truth is that there is no property right in information itself. Nobody owns the fact that a goal has been scored, or a foul has occurred. That is pre-existing, factual data. But, in Europe, there is an ability, through the sui generis database right, for those who make a substantial investment in obtaining, verifying and presenting data, to obtain an intellectual property right in the resultant database in which the data is stored. Rights in the database can be owned and can be exploited as a valuable asset of the database owner. The sui generis database right enables the database owner to prevent "extraction" and "re-utilisation" of the data. Those terms have broad meanings under European law and include copying and/or distribution to the public of a substantial part of the data in the database (assessed qualitatively, rather than quantitatively). It is also unlawful to copy and/or distribute to the public insubstantial parts of the database on a repeated and systematic basis.

The database right will often belong to the competition or event organisers who make a substantial investment in an "official" data feed. The investment might comprise investment in the technical infrastructure e.g. high speed broadband in stadia to support fast extraction of data. It may also comprise investment in a large team of people or "data scouts" who will watch the live action and record certain data points. The collection of sports data can be a very labour-intensive process. By way of example of the ability to claim and exploit a database right, the English and Scottish football leagues have successfully established (in court proceedings in England, which were subsequently referred to the CJEU) a database right in their database of live match day data (known as "Football Live"). The English Court of Appeal has ruled that "A sui generis database right subsists in the database consisting of information gathered “live” by the claimants’ (FDC’s) agents from football matches as those matches proceed."3 The reason given by the Court is "The considerable investment which goes into Football Live (of the order of £600,000 per annum) [which] clearly justifies Floyd J’s decision that Football Live is a protected database."4

There are a few things to note about the database right and its applicability to sports data:

  • The database right does not apply to data which the database owner creates, where the investment is in the creation (as opposed to collection) of data. This is why British Horseracing Board (the then governing authority for horseracing in the UK) was unable to establish a database right in their "runners and riders" pre-race information; and why English football was unable to obtain a database right in its fixture lists. By contrast, events on the field are clearly pre-existing, rather than created data, so the database right can subsist. Factual data which is collected and recorded at a live event such as a football match about events outside the control of the person doing the collection and recording, is not created by that person, but merely obtained by him:

    • "if the referee says the ball was over the line (not “back of the net” – does a net have a back?) and signals a goal has been scored, it has. Any spectator who tells someone that it has been scored is not creating data. If he adds his opinion that it could be the goal of the month, that is his creation."5

This raises some interesting questions for data gatherers who are collecting more subjective data, e.g. "man of the match" data, for which the collector is unlikely to obtain a database right.

  • The database right lasts for a much shorter period than other intellectual property rights, and is only available for 15 years from the first making available of the database. This may not be so much of an issue in relation to sports, where data is exponentially more valuable in the 'live' environment.

  • The laws relating to IP protection of data and databases vary significantly between different jurisdictions, which naturally poses a challenge to sports businesses which are often looking to protect and exploit data on an international basis. For example, in the USA, there is no equivalent protection to the European sui generis database right. Because it is factual, the data cannot be copyrighted as a matter of both US constitutional law (see Feist Publications, Inc. v. Rural Telephone Service Co.) and statutory copyright law (federal Copyright Act 17 U.S.C. § 102(b)). However, other laws (other than intellectual property laws) have come to the rescue of US sports, with the organiser of a sporting event being able to protect the commercial value of that event from misappropriation by a third party.6

The legality of using an unofficial data source

So what about the legality of using an unofficial data source? Typically, sports event organisers will seek to protect their investment in the official data not only through the database right, but also by layering on top of that certain contractual protections seeking to prevent unofficial data gatherers from entering the stadium to collect unofficial data. This is generally done through ticketing terms and conditions which may contain express conditions of entry that include a ban on commercial activity, or a ban on the use of mobile phones save for private/personal use. Ticketing terms and conditions may also contain terms which assign to the event organiser any rights in data which has been collected in breach of contract. Additionally, they may include a provision deeming anyone who is in breach of the ticketing terms and conditions to be a trespasser, entitling the event organiser to eject any such person from the stadium.

This is all perfectly permissible, as a landowner (that is, in the sporting context, the owner of the stadium) has the right to exclude anyone from his land and to impose whatever conditions he sees fit on anyone whom he permits to enter it. A spectator who purchases a ticket to watch an event in the stadium is a contractual licensee. Provided he complies with the terms of his licence, he is entitled to remain in the stadium during the game.

"The effect of a licence by A. to permit B. to enter upon A.'s land or to use his premises for some purpose is in effect an authority which prevents B. from being regarded as a trespasser when he avails himself of the licence…Such a licence may fall into one of various classes…There is yet a third variant of a licence for value which constantly occurs, as in the sale of a ticket to enter premises and witness a particular event, such as a ticket for a seat at a particular performance at a theatre or for entering private ground to witness a day's sport. In this last class of case, the implication of the arrangement, however it may be classified in law, plainly is that the ticket entitles the purchaser to enter and, if he behaves himself, to remain on the premises until the end of the event which he has paid his money to witness. … The licence in such a case is granted under contractual conditions, one of which is that a well-behaved licensee shall not be treated as a trespasser until the event which he has paid to see is over, and until he has reasonable time thereafter to depart…"7

However, a licensee who does not comply with the terms and conditions on which he is allowed to enter the stadium becomes a trespasser and is liable to eviction from the ground:

"... in my opinion this duty to an invitee only extends so long as and so far as the invitee is making what can reasonably be contemplated as an ordinary and reasonable use of the premises by the invitee for the purposes for which he has been invited. He is not invited to use any part of the premises for purposes which he knows are wrongfully dangerous and constitute an improper use. As Scrutton L.J. has pointedly said: "When you invite a person into your house to use the staircase you do not invite him to slide down the banisters"…. So far as he sets foot on so much of the premises as lie outside the invitation or uses them for purposes which are alien to the invitation he is not an invitee but a trespasser, and his rights must be determined accordingly."8

Whilst the person primarily liable for the trespass would be the scout in the stadium who breaches the ticket conditions, there are grounds to suggest that others who assist and/or actively co-operate in the trespass could also be legally liable as joint tortfeasors (wrongdoers). The pool of people liable could include the unauthorised data company which sends the scout into the grounds, or perhaps even a sports broadcaster that commissions or requests such activity.

There have been numerous examples of sports events operators ejecting unauthorised data gatherers from their grounds under these principles. For example, the England and Wales Cricket Board have publicised the fact that spectators have been ejected from their grounds. Similarly, at the US Open in 2016, 20 spectators who were caught courtsiding were placed under bans that prohibited them from attending the tournament for the next 20 years. One of those individuals was subsequently arrested for trespassing after being spotted at the same tournament a year later in 2017.9

In addition to contractual remedies, other sports organisations have attempted to use specifically enacted “courtsiding” criminal offences to tackle the problem. There was a high-profile arrest in 2014 at the Australian Tennis Open when a 22-year-old British man, Daniel Dobson, was arrested for courtsiding. He had an electronic device sewn into his shorts and was relaying scores to his employers, a company called Sporting Data. He was arrested and subsequently charged with engaging in conduct to corrupt a betting outcome, an offence under the Victorian State Integrity in Sports Act 2013. However, in the end the prosecution did not proceed, and the case was subsequently withdrawn in March 2014.

There is a similar offence in the UK's gambling legislation, namely section 42 of the Gambling Act 2005, which makes it an offence if a person "cheats at gambling" or "does anything for the purpose of enabling or assisting another person to cheat at gambling".10

But the difficulty with these offences is that it can be hard to prove to the criminal standard (i.e. beyond reasonable doubt) that the unofficial data gatherer is acting in a corrupt manner to assist with cheating. Unofficial data gatherers cannot be said (in a number of cases) to have such an intention.

Alternatively, there is precedent in the film industry where there are numerous examples of case law in the UK confirming that the illegal recording with a video camera or other recording equipment by a member of the public in the cinema (who has paid for entry, on conditions) can constitute a criminal offence contrary to sections 6 and 7 of the UK's Fraud Act 2006. By analogy, could it be possible that offences of fraud by false representation (because in entering the sports ground, the "data scout" impliedly represents that he will not breach the ticketing T&Cs), and fraud by possession of articles for use in fraud (because the "data scout" has a ticket, a mobile device for use in transmitting the data and the data itself) could apply? Similarly, if this has been done in concert with the unauthorised data company which sends their scouts into the grounds, or perhaps even a sports broadcaster that commissions such activity, then are there grounds to pursue conspiracy offences?


What is very clear is that the value attaching to live data from sporting events is increasing. It is important for sports organisations to do what they can to protect and enforce their investment in data collection. It is also important for consumers of data to understand where the data they are using is coming from, and whether any liability attaches to them as a result of such use.

No ambitious sports business can afford to live without a strategy in relation to the acquisition, protection and exploitation of its data.

Nick Fitzpatrick

Nick is a media and sport lawyer with 20 years' experience, including substantial experience of negotiating and structuring complex arrangements for the exploitation of media rights across all platforms, brand exploitation, event organisation, sports administration, copyright, gambling and advertising.

Ruth Hoy

Ruth Hoy has great experience in media and intellectual property litigation, mainly acting for media and sporting clients.

Ruth has knowledge in contract, copyright, trademarks, passing off, confidential information, defamation and privacy.