The legal implications for big data, sports analytics and player metrics under the GDPR
Bill Gates reportedly once said:
“We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten. Do not let yourself be lulled into inaction.”
This sentiment has never been truer than when applied to the technology transforming the uses and value of data within sport. Advances in data technology are not only enhancing sport as a consumer entertainment product, but can also be used to improve the performance of its athletes.
This article explores the current trends of data use in sport, specifically looking at:
- The role of big data analytics (BDA);
- How BDA is being used to achieve a deeper understanding of player metrics and performance; and
- The key legal implications of such data use under the impending European General Data Protection Regulation (GDPR)
What trends are we seeing?
Sports data is proliferating inexorably, and in ways that is transforming sport from a fact based consumer product to a fact-based drama - a story telling product that comingles the social and sporting worlds.
At the heart of this transformation is BDA. BDA broadly describes how technology is being used to help us collect and examine large and varied data sets. In the sports industry, BDA enables the profiling of individuals (whether they be sports fans or players) by processing vast amounts of their data, and using complex algorithms to discover trends in that data and ultimately predict future behaviours.
Thus, BDA can enable;
- a deeper understanding of sports customers (the fans);
- a deeper, personal communication with the fans; and
- a deeper understanding of player metrics and performance (which will be the focus of this article).
Data Driving New Athlete Performance and Training Models
Today, the “lifelogging movement” – self-monitoring and knowledge derived from personal data obtained from wearable technology - is very much part of training and performance analysis and is growing quickly.
Wearable tech, at this movement’s core, records many aspects of an individual’s performance - distance, speed, temperature, heart rate, sleep pattern, calorie intake, amongst others.
So, for individuals involved in sport, the latest monitoring technology provides context to raw data. Vast data sets provide an individual with the means not only to quantify his or her actions, but also to assess the quality of them and the reasons behind them. This context can provide coaches with greater strategic insight, and removes the need for time consuming video research. Machine learning, one of the elements of BDA, can analyse historical data for instant answers.
Wearable monitoring equipment also enables predictive, rather than, reactive analysis, such as data revealing the impact of collisions that can be very useful in keeping players injury free.
BDA is supported by the emergence of virtual reality ("VR") and augmented reality (“AR”) technologies, which are helping improve player and team performance.
VR could also be used as a “play logging” technology to analyse plays both during and post-match. It can help fans to understand why a player performed as he or she did in a particular circumstance. It puts the fan on the field in the player’s position, enhancing the fan experience.
AR, on the other hand, can be used to enhance performance in real-time. For example, we may see, in the not so distant future, AR being used to stream, in real time, data to glass visors worn by athletes (such as NFL players or cricketers) during play in a glass like overlay. This would enable them to see the position of other players, the speed of balls, required run rate, and other relevant stats.
What are some of the legal implications of this growing trend?
There are significant legal challenges when dealing with players’ performance data.
- What if the data falls into the wrong hands?
- What if competitors get hold of this information, and use it either to exploit weaknesses in their rivals, or to give them insider knowledge during a transfer window?
- What if players find themselves subject to automated decision making, based on arbitrary or opaque algorithms and/or inaccurate information, but which impacts their lives and careers profoundly?
- What if an individual’s most private information is exploited for commercial profit without their knowledge or consent?
The GDPR, effective throughout Europe from 25 May 2018, is designed to tackle these types of issues. These data protection principles are not new in concept; Europe has had a substantive patchwork of different data protection laws for the last 20 years, although the GDPR will introduce additional, stricter, and more granular, requirements to the existing data protection framework and will aim to harmonise current European laws in this area.
The impact of our existing patchwork of European data protection laws has long been questioned. Not least, because the current level of fines which can be issued by the different data protection authorities for non-compliance with these laws is disproportionately low when compared to the commercial benefit which may be obtained by companies from ignoring them.
This will change on 25 May 2018 when the GDPR introduces significantly increased fines for non-compliance. Companies will now face financial penalties that could reach €20 million or 4% of their annual, global turnover if they fail to comply with the new rules.
The GDPR will constitute the most significant reform in data protection law since its original inception. It will potentially impact every sports body, club and business in the world which holds personal data (whether that be data on its employees, customers, prospects or suppliers) where that company is either established in Europe, offers goods or services to European citizens, or monitors their behaviours. It is likely to have the most significant impact on companies that engage in the monitoring and profiling of individuals in a social or commercial context.
How will the GDPR affect companies in the Sports sector?
By way of example, let’s consider a football team that collects performance and health data on its squad, during training and matches, from monitoring devices worn by its players, and then uses this derived data to make certain decisions about a player. These decisions might include whether that player should be substituted in the next game, what that player is worth on the transfer market, and whether that player should be sold at all.
The GDPR will regulate the way sports organisations and bodies undertake this monitoring activity, and process the resulting data, with the risk of big fines, and significant, adverse PR, if they fail to follow the rules.
Assessing impact on a player’s privacy
As a first step, under the GDPR, sports bodies and clubs will likely need to conduct a privacy impact assessment before engaging in player performance monitoring and document their findings internally.
If the impact assessment indicates that the processing would result in a high risk to the rights and freedoms of its players, then the club or body will likely need to consult with their data protection regulator in the relevant jurisdiction before carrying out any such monitoring.
Processing players’ data fairly and legally
In order for sports clubs / bodies to lawfully process their players’ health data they will need to identify a legal basis for processing under the GDPR. More often than not this turns on whether the club / body have obtained their players’ consent to this monitoring activity. While there are certain other legal bases which a club could rely on, in the absence of consent, including, for example, assessment of the working capacity of the employee (e.g. a player’s physical fitness), these would have to be assessed by reference to the specific reason for the processing and the type (and sensitivity) of the personal data being collected.
For consent to be relied upon as the legal basis of processing, it must be freely given, specific, informed and unambiguous, and must be revocable at any time. Where the processing is likely to involve sensitive personal data (for example, health data) explicit, recordable / written (rather than implied) consent is likely to be required.
However, data protection regulators, in certain jurisdictions, have formed the view that consent can never be validly given, for the purposes of data protection law, in the traditional employer / employee relationship (such as the one that normally exists between a football club and its squad). Their view is that such consent would not be freely given where an employee might face termination (or at least discriminatory treatment) if they choose not to consent.
This matter has already been the subject of a data protection investigation in the Netherlands. There the relevant authorities held that employers were not entitled to require employees to use wearable devices to track employee medical data as part of health programmes on the basis of consent alone.
Therefore, for clubs to rely on a player’s consent, in a GDPR sense, they will need to overcome this legal hurdle. Potentially, they may need to demonstrate that the player was presented with a real choice as to whether he or she wished to participate in this surveillance programme, and without negative consequences if he or she choses to opt out.
Even if valid consent is given, sports clubs and bodies will also need to demonstrate that the data is processed fairly. This typically requires such organisations to provide their players with a fair and transparent notice of the proposed processing, and all the purposes for which this data will be used. That begs the question of how this will be communicated to players in practice?
Generally, it will not be possible to use that data for an ulterior, unrelated purpose (for example further commercialisation by selling the data to a broadcast partner or sponsor) without (i) identifying a further legal basis, under the GDPR, which would allow the sports club or body to transfer the data, and the relevant third party to receive it; and (ii) providing the individual with a fair processing notice in respect of such data transfer. If sensitive personal data is being transferred then it is difficult to see what legal basis could be relied on in practice, other than the player’s explicit, written consent. Further, even if there were a basis, likely the sports club or body would still need to ensure that any recipient of the data agrees to handle the data in line with the GDPR requirements.
In practice, this means that either all possible uses of the relevant personal data will need to be considered, and explained to the players upfront, or that further purposes will need to be communicated as and when they arise, with further consents being necessary at that time if no other legal basis for the processing can be relied upon.
Players’ rights to object to the processing of their personal data
There exist limited grounds under GDPR when a club / body could process players' data without consent. However, in certain cases a player will still have a statutory right to object to that processing, which he or she should have already been notified about. In addition, a player will have a right, in certain circumstances, not to be subject to a decision made by the club / body which is based solely on the automated processing of their personal data and which produces legal or significant effects on that player.
At the very least, a player will have the right to be provided with meaningful information about the logic involved in such automated decision making, to obtain human intervention, and/or to contest the decision made by the club / body.
Considering how complex and opaque these sports science algorithms may be (for example, in order to measure the performance of a player) it is unclear how such logic could be properly and meaningfully communicated to the players, and how clubs might provide human intervention to verify any verdict they reach.
In addition, what would be the impact on a team if one of its players raised a legal objection to his/her performance data being monitored? Could a particular player’s performance data be omitted from the team’s performance data? What overall effect would this have on the efficacy of the data set and conclusions drawn?
A player’s right to transfer his/her data to third parties
The GDPR also brings in a new data portability right, which gives individuals the right to receive personal data, which they have provided to an organisation, in a structured, commonly used and machine-readable format. This includes enabling the individual to pass this data on to another organisation.
Will a player be deemed to have “provided” its performance data to the club, via the monitoring device, such that it can request this information in a machine readable format? Could the individual then choose to share this information with a third party (for example, a rival club looking to purchase that player)? What commercial impact would that have on the monitoring club, and this potentially sensitive insight into its team performance?
You can see there are a number of, as yet unanswered, issues arising from this new portability right.
Keeping a player’s data safe and secure
Data security is another extremely important area for compliance. The GDPR sets a general threshold for data security, and emphasises the need for sports organisations to implement privacy by design - the idea that privacy should be hot-wired into systems and processes from inception, and not dealt with retrospectively.
Are sports organisations geared up for this in practice? Do they have the necessary tools at their disposal to ensure that data can be collected safely and kept only in the hands of those who it’s intended for? Are they aware of the dangers?
Given the sensitive and intrusive, nature of the data sports governing bodies and teams may hold on their players (particularly from medical monitoring) the attack vectors will be prominent, and the consequences of a database breach, potentially catastrophic. A good illustration of this is the recent, high profile and globally reported leaks of athletes’ medical and doping records.
Therefore, the required security threshold is more than likely to be high.
Processing a player’s data overseas
The GDPR also sets out strict conditions that must be complied with before this data can be transferred and processed outside of the EEA. Given that player data might be disseminated across many continents (especially for international matches), this presents a further set of challenges.
Managing these risks within sports organisations (particularly sports governing bodies and clubs)
It is quite clear that sports organisations, whether based inside or outside of the European Union, who monitor their athletes in the European Union must be intimately acquainted and compliant with the GDPR rules and keep records to document their compliance. Otherwise, they run the risk of a very hefty GDPR sanction.
In practice, sports organisation will likely need to consult with their lawyers and engage in business wide compliance programmes, in a similar fashion to how they might deal with health and safety issues. They will likely need to create or bolster their internal data compliance function.
Larger organisations caught by the GDPR rules may need to create ethics review boards to help undertake the necessary privacy impact assessments.
All organisations will need to decide whether they are legally obliged to appoint a statutory data protection officer for these purposes. Some may decide to do so, even in the absence of a strict legal requirement.
While BDA offers a future of hugely positive, transformational benefits for sports in terms of value, entertainment and performance analysis, its misuse outside of the tight constraints of European data protection and privacy law creates significant legal risk for organisations. Sports clubs and bodies ignore these risks at their peril.
More now than ever, sports businesses, rights owners, governing bodies, federations will need watertight data protection policies and procedures, robust contractual terms with third parties who may process this data for them, clear notice and consent mechanisms with individuals (including their players), best practice technological means to keep this data secure and will need to consider what internal and external compliance function they will need to keep them the right side of the line.
It can never be restated too often - if you fail to comply, you risk a fine of up to €20 million or up to 4% of your annual global turnover.
This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission is granted to make digital or hard copies of this work (or part, or abstracts, of it) for personal use provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.
- Tags: Big Data Analytics | Data Protection Act 1998 | European General Data Protection Regulation (GDPR) | European Union | Football
- The potential of blockchain technology in the sports industry
- Key commercial issues when negotiating a new official kit supplier agreement
- Sports data, betting, governance & the law: Interview with Steven Burton, Genius Sports - Episode 41
- The IAAF blood test data leak - was publishing the data lawful?
Warren Phelops is a lead partner of our Global Sports, Media & Entertainment Practice. Warren has been working as a lawyer in the sports industry for 24 years, having joined K&L Gates from a magic circle firm, where he practiced as a corporate and commercial lawyer.
Andrew Gilchrist is a senior associate in the firm's London office. He concentrates his practice on intellectual property matters, both contentious and non-contentious, and advises regularly on the development, exploitation, infringement and protection of all types of intellectual property, know-how and information technology assets, and on data protection and privacy, in a diverse range of sectors including sport where he acts for many high-profile sports clubs and governing bodies.