Wearable tech in sport: the legal implications of data collection
Published 09 April 2015 By: Jonny Madill
The evolution and expansion of wearable technology in sport together with the ever-increasing reliance on performance analysis software as a coaching tool have reached unprecedented levels throughout the past 12 months.
The wearable tech market, whilst still in its infancy, has quickly become a significant global industry,1 whilst the developments in data analytics software continue to transform the landscape of sport at all levels. But as the innovation continues, so too will the challenges facing clubs, governing bodies, federations, athletes, sponsors, sports technology professionals, agents lawyers, and sport's other stakeholders. This article examines some of the data privacy and other legal issues arising out of recent developments, and ultimately assesses where and how the law will be applied to the challenges posed by sport's digital revolution.
The growth of wearable technology in sports
The growing pursuit of the "quantified self" movement (the idea of "self-monitoring" and "self-knowledge" through the use of technology to track personal data) has resulted in rapid growth in the use of wearable tech devices in sport, enticing users from both ends of the sporting spectrum, from the fitness and health enthusiast to the professional athlete. As the devices have continued to develop and become more and more innovative, their appeal and application have increased primarily due to their potential to deliver greater levels of biometric understanding, which in turn has the potential to translate into improved levels of speed, strength, performance and enjoyment for the wearer.
The growing appeal is reflected in increasing annual sales. Figures provided by the International Data Corporation (IDC) reveal that the total wearable tech market is predicted to enjoy global sales of 111.9 million units by 2018.2 In addition, the industry is expected to be worth over $53 billion by 2019, almost 12 times the total for 2014.3
The breadth of the market is also notable.4 Wearable tech has many different applications (both inside and outside of sports), but perhaps the most prominent application within sports at present comes in the form of fitness and health monitoring devices. More than 70million fitness trackers and health gadgets were sold worldwide in 2014 with a further 68million sales expected in 2015, according to research firm Gartner5 (which may come as no surprise considering over 1 million people run on the streets of the UK alone each week). Most commonly worn as wristbands or clip-on devices, the technology monitors and analyses data relating to the fitness and health levels of the wearer. It recently emerged that Germany's national football team had used such technology in training sessions during the 2014 World Cup, where player-specific data was transmitted from chips attached to players' boots.6 Other similar systems include vests fitted with a device which uses satellite technology to capture data.
Wearable technology that tracks training and performance has also targeted outdoor sports such as hiking, fishing and cycling, with activity trackers, route planners and cameras being increasingly used both as a means of improving performance but also to enhance the sporting experience. There are also rapidly developing markets in wearable personal action cameras which allow for memorable experiences to be recorded.
A final category of emerging wearable technology relates to devices that aid injury prevention through data which enables medical analysis. For example, an English Premiership rugby club recently launched a ground-breaking and innovative data collection system and research programme, designed to measure the effects of concussion on players, the first of its kind in world rugby.7 The impact sensors are worn behind the ear lobe during matches, and produce data which measures the size and direction of impact to the head.8 The initiative is led by leading neurological experts and driven by fears of long-term health risks and increasing public debate and media coverage around concussion and player safety. It took its lead from the National Football League in the United States, where similar devices have been worn inside helmets by players during games, following which data is downloaded and logged.9
Complementing wearable technology devices, performance analysis software is also now playing an increasingly central role in enabling athletes and coaches to better understand performance. No longer the preserve of elite professional clubs, performance analysis is now an intrinsic part of the coaching process at all levels of the sporting spectrum. The data provided by live, in-game analysis ultimately allows athletes from amateur level to the world's leading professionals to maximise their ability, improve performance and gain a competitive edge.
The legal implications of data collection
In light of the above developments, it is prudent to investigate the legal challenges that the wearable technology and data analytics software sectors in sport have recently faced, with a particular focus on data ownership and privacy.
Who owns the data and who can access it?
Wearable devices and performance analysis software are capable of capturing, processing and sharing huge amounts of personal and often sensitive data about athletes and users. An individual's distance, speed, temperature, heart rate, sleep patterns and calorie intake are just some of the metrics recorded by data which is collected, stored and analysed by these devices. The more these innovative technological developments advance, the "easier, more extensive and more intrusive"10 the data collection process will become as a result. Whilst much of the debate around technology in sport focuses on the race to be first to the market with inovative products, the questions around who owns and accesses this data, and the privacy of individuals, represent some of the most significant legal issues of sport's digital revolution.
Case study: impact sensor used by a professional Rugby club
Take the scenario of a technological device being used by a professional club: who has the right to control, process or access the data that it produces? Is it the club or body itself, the athletes who use the device, the league, event organiser, national governing body or federation if the device is part of a wider initiative, or the tech company providing the software? And what are the obligations on those who come into contact with the data?
For our study, let’s imagine the device is an impact sensor similar to the one used by an English Premiership rugby club11 as part of their data collection programme relating to the assessment of concussions. As the sensor produces particularly sensitive medical data, this is a pertinent example, and immediately gives rise to questions such as if a player were to transfer to another club, suffer a serious injury, or be involved in litigation, would his/her new employer, a medical professional or others be entitled to access, store, transmit or even protect the data originally captured by the player's former club's data collection programme?
Key legal issues to consider
While the task of applying the law to these issues is far from straightforward, and each case needs to be considered on its facts, there are a number of factors that key stakeholders (principally clubs, leagues, governing bodies, federations, sponsors, developers, manufacturers, lawyers, agents and athletes) should consider.
The first and formost is to gain a full understanding of any and all obligations and requirements under relevant data protection legislation, and in particular how the legislation governs the collection and processing of data. Within the U.K. – and with the facts of our case study in mind - this includes the following key points:
- In June 2014, the UK Information Commissioner's Office (ICO) blog12 stated that whilst wearable technology used in a personal capacity will not be subject to obligations under the Data Protection Act 1998 ("DPA"),13 where the use is for business purposes or where personal information is processed by organisations (whether by a Premiership rugby club or other sporting organisation), the DPA does apply.
- There is an onus, therefore, on clubs and bodies who are embracing new technology to ensure they are communicating clearly with users as to the data being produced by these devices, how that data is being used, and that appropriate security measures are being taken during storage of data and that it is deleted as soon as it is no longer required. Equally the challenge for athletes is to understand by whom and for what purpose their personal data is being controlled and processed.
- In undertaking this task, the DPA refers to three categories of persons. Firstly, the "data controller" is the person who (either alone or jointly in common with others) determines the purposes for which and the manner in which any personal data is processed.14 Secondly, the "data processor" is the third party who processes the data on behalf of the data controller (where processing covers a wide range of activities including obtaining, holding, retrieving, erasing or even disclosing data to third parties).15 Finally, the "data subject" is the individual who is the subject of the personal data.16
- In our case study, the data controller could be any one of a number of stakeholders, from the club itself, to technology companies manufacturing the devices in question, to national governing bodies overseeing the performance analysis program. The data processor could be any third party responsible for processing the data on behalf of the club, which might include external performance analysts or fantasy sports companies. The data subject is the individual player to which the data relates.
- Any party deemed to be a data controller should be aware that they are required to observe the eight core data protection principles set out in Schedule 117 of the DPA, the first of which is to ensure data is fairly and lawfully processed.18 In order to satisfy this requirement, clubs or governing bodies as data controllers may wish to incorporate suitable consent wording into player contracts prior to the data collection process commencing, or alternatively rely on the legitimate interests exemption (under which processing is deemed to be necessary for the purposes of legitimate interests of the data controller except where unwarranted by reason of prejudice to the rights, freedoms or legitimate interests of the data subject).19
- It should be noted that the DPA contains stricter conditions around "sensitive personal data" that contains information relating to race, political opinion, religious beliefs, trade union membership, health, sex life, and offecnces or criminal proceedings.20 Data should also be adequate, relevant and not excessive in relation to the purposes for which they are processed,21 and should not be kept for longer than is necessary.22 In relation to the latter, clubs should be aware of the possible requirement to remove data relating to, for example, former players. One way to mitigate any risk, however, would be to ensure that all relevant data is fully anonymised. An example of this would be longitudinal data relating to players by position.
- Data controllers should also ensure that all data is secure (in order to protect against unlawful processing and against accidental loss, destruction or damage to the data).23 Clubs and other bodies should therefore seek to ensure that, where necessary, a written agreement is put in place with any third party data processors, committing them to adopt proper security measures and act only on the instructions of the data controller. This is a particularly relevant consideration for clubs who outsource certain functions to third parties. Ultimately it should be clear as to who has access to, and the ability to add to, alter or delete the data, and security should also be backed up with robust policies and procedures in the event of any breach.24
- Finally, clubs and sporting bodies transferring personal data to countries outside the EEA should ensure that the recipient country has an adequate level of protection.25 This principle is particularly relevant to global sporting organisations which may have servers located outside of the EEA.
Stakeholders and individual athletes themselves across all levels of the sporting spectrum (including agents and other advisers), also need to fully understand the legally enforcable rights of the athlete or user as a “data subject” under the DPA. Key points to note include:
- An individual is entitled to request access to his or her personal data which is held by a club, governing body, federation, technology or data analytics company or other entity.
- An athlete has a right under the DPA to require a data controller to correct any inaccurate data held about them. This could potentially arise in a situation where selectors of a sporting body have relied upon the analysis of inaccurate data relating to performance levels.
- A data subject is entitled to be given information about the data controller and a description of the purposes for which his or her personal data is being or will be processed. A club, governing body or federation, therefore, is obliged to disclose to an athlete the reasons for processing that individual's data, if requested (whether performance analysis, injury prevention, marketing or otherwise).
- Athletes as data subjects should be aware of what constitutes consent for the purpose of processing personal data. Consent ultimately requires some form of positive act by the athlete in question. This might consist of, for example, a clause in a player agreement, but could also include a simple signature on a form or the click of an online icon. Where sensitive personal data is being processed (such as a rugby player's medical data first produced by a technological device), explicit consent from the player will generally be required.26 Such a request for explicit consent should cover the specific details and purpose of the processing, the particular type of data to be processed and any disclosures that might be made of the data. A player should therefore be clearly informed as to what personal data is involved and the nature of its use (e.g. performance analysis or medical assessment).
As well as considering and understanding the DPA's principles and their applicable interpretative provisions in light of the collection, processing and use of an athletes personal data, how contractual arrangements are drafted is also likely to be a significant consideration for stakeholders:
- The drafting of key provisions in employment contracts or indeed any third party agreements relating to use of the data entered into with device manufacturers, sponsors, broadcasters, fantasy sports companies or other rights holders will ultimately determine the rights and obligations of the parties involved should be carefully considered.
- Clubs and bodies should seek to establish that in contracts with third parties, where performance analysis data is being outsourced (the growth of the fantasy sports industry being a pertinent example), the intellectual property rights in the data remain with the club or body itself.A licence of the IP rights in the data from the club or body to the third party would be typical in such circumstances.
The future: emerging trends and related legal issues
Going forwards the trend of ground-breaking and fast-growing technologies entering the market is likely to continue. Technology that enhances fan experience is one area expected to grow, and there is increasing debate around the notion of smartclothing replacing smartwatches as the most popular means of tracking performance.27 The idea of devices such as chips being physically implanted in athletes' bodies is another exciting yet real possibility.28
There is also an increasing privacy concern arising out of the use of wearable technology in sport, as reflected by the EU's Data Protection Working Party opinion29 which was released in September 2014. With personal data being used not only to increase the value or profitability of a device, but also to connect to other personal devices as well as external networks such as social media, this is becoming an increasingly topical area of debate. The implications of data being uploaded to the cloud and being accessed and distributed without an individual's knowledge or consent raises further concern. GPS location functionality, in particular, allows devices to capture vast amounts of personal and sensitive data about users.
Another emerging trend is data generated by sports wearable technology being used in litigation. In November 2014, the first such case was reported,30 after data from a fitness tracker was willingly provided by a plaintiff in a personal injury lawsuit in Canada. Another area of potential litigation is product liability. Following reports in October 2014 of complaints by users of a fitness wristband that the device's materials had caused skin irritation, the manufacturer decided to voluntarily recall31 its product from the market. There is a growing belief that "it is only a matter of time before the use of [wearable technology] data is commonplace in litigation".32
A further area of increasing importance is the issue of data privacy and medical records in the context of anti-doping. The World Anti-Doping Agency (WADA) has carried out substantial work in recent years to clarify the data protection rights and obligations of all those involved in the fight against doping in sport. The International Standard for the Protection of Privacy and Personal Information (ISPPPI) was designed to ensure that minimum privacy protections are adhered to when collecting and using the personal data of athletes (such as information relating to doping controls, whereabouts and Therapeutic Use exemptions). The relationship between this most recent WADA guidance and applicable national and European laws is likely to be the source of future debate.
Application of data protection and privacy laws to wearable technology in sport is by no means a straight-forward process, which makes this area hugely significant as the industry continues to grow. Ultimately the legal challenges for manufacturers and designers are to ensure that a device's collection of personal data remains within the reasonable expectation of users, as well as making sure that as the technology continues to evolve and develop, the privacy rights of the data subject remain a priority. The challenge for those at all levels of sport who are embracing these devices is to understand how, when and by whom personal data is being accessed and used, as well as their rights and obligations under relevant data protection law.
Wearable technology in sport is a "tantalizing and lucrative market"33 which, together with other performance analysis technology is likely to further grow and evolve throughout 2015. As the next batch of devices is brought to the market, fresh legal challenges will inevitably arise. Sport's changing technological landscape means the disputes which have surfaced throughout the past 12 months represent only a fraction of technology in sport's potential involvement in the law. The chances of further disputes ending up in the courtroom are therefore undoubtedly high.
Within the data analytics and wearable technology sectors in sport lies great potential balanced with a degree of uncertainty. The challenge, therefore, for everyone from athletes, clubs, governing bodies and federations, to developers, manufacturers, sports data analytics professionals, sponsors, agents and lawyers, is to fully understand the data privacy and legal challenges brought about by sport's continuing digital revolution.
This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission is granted to make digital or hard copies of this work (or part, or abstracts, of it) for personal use provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.
- Tags: American Football | Data Protection | Data Protection Act 1998 | English Premiership Rugby | Football | Information Commissioners Office (ICO) | International Data Corporation (IDC) | National Football League (NFL) | Rugby