It has now been more than three years since the General Data Protection Regulation (GDPR) rules came into effect. Pre-GDPR, a large part of the data privacy debate focused on issues which might, arguably, now be considered to be relatively routine irritations around cookies, spam and cold calling. But in the post-GDPR world, it seems the remit of what counts as data as a valuable commodity is becoming ever broader, with the most recent example in the context of the beautiful game.
According to a BBC News report, some 850 professional footballers were mulling over whether to launch legal proceedings for financial remedy from 17 data organisations for collecting and tracking how they performed on the pitch.
Rules of the game
Data around personal behaviour or performance is nothing new. Many companies, like supermarkets, online marketplaces and other retailers, are notorious for their exhaustive tracking of individual spending habits, with sophisticated algorithms churning out offers and targeted products. There are other examples but the key for organisations which wish to use data that identifies an individual is that, under Article 6 of GDPR, there must be a “lawful basis” for processing the data. The ICO, the UK privacy regulator lays out the six principles, of which at least one must apply:
Consent: the individual has given clear consent for you to process their personal data for a specific and defined purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for the legitimate interests of the organisation carrying out the processing or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Credit agencies would be an example of organisations which can lawfully rely on “legitimate interests” to carry out data processing. They keep detailed records of individual’s personal information – name, address, postcode, salary, marital and family status, whether they rent or own their home, etc – and credit history, so your outstanding debts and loans and repayment history are checked and monitored. Other factors include the volume of enquiries into your credit as well as investigating publicly held records. All potentially private information can be shared with lenders, utilities or employers for the lawful reason of checking a person’s credit score.
The proposed legal action by the footballers, it appears, hinges firstly on the meaning of “personal data” as defined under Article 4 of the GDPR. The rules states that personal data means any information that can reference to an identifier for an individual, such as “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Does data about performance in the game identify an individual, and therefore fall within the ambit of GDPR? The answer is that even if a specific item of data is not identifying of an individual, if coupled with other items of data about that individual, taken together is capable of identifying an individual, GDPR comes into play.
Players’ data has long-been used in video games and betting but the crux of the proposed claim is that players have not given their consent to the use of their personal data in connection with the commoditisation of their performance, and the organisations are not able to rely on one of the other lawful grounds for processing data as listed above. Indeed, these data mining companies are clearly profiting from the collection and selling of such data. What’s more, the data can also be used for other means. A player’s value, contract negotiations or reputation can be severely impacted by the compilation and publication of such data, whether that is their injury record, win-loss ratio or goal scoring record, all can be presented without any context for that information which might otherwise create a rationale for the harsh statistical data. Such data collection is not an exact science either so what if the information is wrong?
By collating huge swathes of personal data about an individual’s performance, companies can combine the information and aggregate it into an exhaustive profile of an individual which the ordinary person could not access other than by piecing together multiple sources.
The footballers’ claim also relies on the lack of consent from them for the use of that data. The GDPR guidance is clear that such personal data requires genuine consent from the individual with a positive and explicit opt-in. In circumstances where it is impossible to obtain consent, GDPR sets out rules on the requirements to notify individuals by other means of the nature and extent of the processing. Practically, it may be hard to stop these companies collecting data on professional athletes’ performance – statistics are usually recorded in real time and published for all to see – but there is a chance that requiring them to seek consent before publishing such extensive data sets could be enforced.
Such a move could be seen as revolutionary within football but the sport has a history of legal quirks that seem to contradict established law. Pre-1995, for example, clubs would receive a fee for a player when they left at the end of their contract. In the real world, of course, anyone out of contract is a free agent but it took the infamous Bosman ruling to bring the sport up to date.
GDPR is not as long-standing as employment law but this proposed case has the potential to usher in similar reforms. Likewise, the grounds on which personal information can be processed is also a central principle of GDPR so, at least in theory, a successful case could revolutionise not just football but professional sport more widely, and any other sector in which data is routinely collected by ever evolving technologies and utilised for profit.
The footballers’ proposed case may grab the headlines while at the same time appearing incredibly technical or even academic, but it taps into the broader point that data protection is a fast-moving topic and has many potential interpretations.
In the ever-digitised world, we have to all be aware of who has our data and how it is being used.