In 2017, The Economist declared that “The world’s most valuable resource [was] no longer oil, but data” raising speculation over the need for greater regulation of the rapidly growing data economy. Whilst the shifting data landscape has created huge opportunities in the world of football, questions of consent and ownership have increasingly been raised in relation to players’ personal and performance data and the rights of players, clubs and third-party organisations to use such data for commercial purposes.
Setting the scene
Throughout a footballer’s career, their personal and performance data and statistics is processed, whether this is obtained from watching a football match, media reports from matches or during training analysis conducted by a footballers’ clubs. Such data will typically include a player’s number of starting appearances, goals scored, passing accuracy, GPS data (which includes, distance run, speed and positioning), injuries and even their detailed medical data.
Under UK data protection law, which at its core consists of the UK GDPR (the UK’s post-Brexit, retained version of the EU GDPR) and the Data Protection Act 2018, the data above would fall within the definition of ‘personal data’ as it is data that relates to an identifiable individual. To process this data, the player’s club (and others, such as sponsors, researchers, clinicians, drug testers, sport governing bodies, social networks and the media) must have a legal basis under Article 6 UK GDPR.
UK GDPR provides a menu of six legal bases. Consent is one of them, but the other legal bases are heavily used as well. The legal basis that you choose will depend on precisely what you want to use the personal data for. It’s a good idea to start by making a list of your real-world purposes for using the player’s personal data (and the purposes that the data will be used for if you share it with suppliers so they can provide a service for you). Then work from there and find a legal basis for each purpose.
Furthermore, some of this data could be ‘special category data’ under the UK GDPR. Media reports might touch on the player’s sex life or sexual orientation, political opinions, religious beliefs, race or ethnicity, or health; the player’s club may use any of that data and will have much more details than the media concerning the player’s health, plus perhaps information about the player’s trade union membership (if any), biometric data for accessing buildings or IT facilities, or even genetic data (all of this is ‘special category data’). To process this data, the club (for example) must both have a lawful basis under Article 6 UK GDPR and satisfy one of the ten conditions under Article 9 UK GDPR.
Consent is both a legal basis (under Article 6 of UK GDPR) and an exception under which it’s lawful to use ‘special category data’. So, it’s flexible, but it isn’t easy to use or live with. A player’s consent will only be effective if they have a genuinely free choice to say, ‘yes’ or ‘no’. Do they really have free choice in the context of a sponsorship or endorsement deal, or as an employee of the club? Consent needs to be really specific: “By signing you agree to us using your personal data as we see fit” won’t work. It also needs to be freestanding: you can’t “ask” for consent by burying the request (or the confirmation of consent) in contract terms and conditions. Consent can be withheld; it can also be withdrawn at any time. These factors make it treacherous, and often unsuitable in the context of commercial arrangements and contracts.
At the Mills and Reeve Sports Law Conference last year, Maheta Molango, CEO of the Player’s Football Association emphasised that “we cannot assume consent” when it comes to the exploitation of players’ performance data. With data now being used for multiple purposes, Molango stressed that authorisation cannot be implied “for [data] use that will probably go far beyond what was the initial idea when that player actually signed the contract”. From a legal perspective, there are alternatives to consent, and it can be easier to establish (and keep) those alternative legal bases. But there is no alternative to informing the player about what’s happening to their personal data. They’re entitled to that under UK GDPR, and it’s important to keep updating the ‘story’ for them, as it evolves.
As athletes become more informed about the personal risks of their data being collected, it is arguably a no-brainer that players should have a significant input into how their data is being used.
The Charter
The unveiling of the FIFPRO Charter of Player Data Rights in September 2022 marked a significant development in the protection of football players’ personal data. The Charter does not aim to establish new law or conflict with existing data protection law (either in the UK, EU or other countries or, states that have data protection laws). Instead, it’s aiming to achieve more widespread understanding (amongst players and organisations they work with) about how data protection law applies to football, and to establish some basic standards of good and fair practice in relation to player data. It was launched as the first step of FIFPRO’s collaboration with FIFA to develop global industry standards for the protection, collection, and use of football player data. It is envisioned that the Charter will promote collectively agreed solutions between player unions and football stakeholders and empower these football players to understand how their data is being used, and to make more effective use of their applicable data protection and related rights.
The Charter sets out standards for the collection, protection and use of player data, namely that all professional footballers should have the rights to be informed about what their data is used for, to access their data, to revoke consent, to data portability (i.e., to move data), to restrict processing, to rectify inaccurate data, to erasure and to complain.
In July 2023, FIFPRO announced their plan to build on the Charter through the development of a centralised player data management platform. Although no launch date has been stated, the intention is for a large-scale platform to be developed to provide players the opportunity to, amongst other things, access their data across their entire playing career and manage and control the application and/or use of their personal data.
FIFPRO anticipate that the standards set by the Charter (together with the centralised data management platform when launched) will enable players to better navigate the world of data, understand and enforce their rights and, will act as a vital reference point for this growing area of the sport on both a domestic and international level.
In a constantly evolving landscape, data is becoming increasingly valuable to all stakeholders in fields such as performance monitoring, contract negotiations, in-game technology and fan engagement. It is unsurprising that tensions have developed between some of football’s stakeholders.
Project Red Card
The question, “who owns and/or has the right to use player performance data?” becomes difficult to answer (and breeds misunderstandings and disputes) if players or stakeholders are not kept fully informed about their data. The claimants in Project Red Card (an ever-growing group of current and former professional footballers and more recently, rugby players and the Professional Cricketers’ Association) have sought to resolve this question before the courts.
The concern of the claimants in Project Red Card reportedly relates to the lack of permission given by players to the commercial use of their performance and personal data by third-party organisations such as gambling and betting companies. The group have apparently sought compensation from these third-party companies for using their personal data without permission and have demanded payment for any future use of the data.
With little progress since 2020 and no material success to date, speculation over the status of Project Red Card has been raised. It may be the case that the Supreme Court’s 2021 ruling in Lloyd v George has disrupted the momentum of the claim. By overturning a Court of Appeal decision, the Supreme Court ruled that data protection legislation does not give a data subject a right to compensation simply due to the fact they had been a subject of a breach. Claimants must show they have suffered distinct loss as a result of the loss of control of their data for any compensation to be payable. With damages assessed on an individual basis, unless Project Red Card claimants can show that all the data subjects suffered the same type of loss, then they may ultimately be unsuccessful (as was the case in Lloyd v Google).
What does this mean?
Although Lloyd v George may be the end of the road (for now) for class actions like Project Red Card, this ruling has not outlawed the potential for individual claims for damages. If the Charter is to be respected, those involved in the exploitation of performance data should thoroughly consider the practical implications of the Charter on their current data exploitation activities. It is hoped that by doing so, those exploiting this data will better understand how greater transparency surrounding their collection and use of data could help mitigate the legal risks the growing data economy presents (e.g., a Project Red Card type action).
Next steps
The Charter presents clubs and organisations with an opportunity to proactively support players with their data rights, encourage greater cooperation between all stakeholders involved in the commercialisation of data, and in turn maximise the potential opportunities for all parties. Clubs and organisations who are involved in the processing of athlete’s personal data and, who may be concerned about the consequences of Project Red Card, may want to consider the following steps to mitigate the risks of processing this personal data:
- Prepare a ‘Privacy Notice’ for your players, informing them about the use of their personal data.
- Revise your policy on requesting consent from players. Should you be asking for consent? Are you asking for it in the right way, and at the right time?
- Check your other legal bases and Article 9 exceptions to make sure they’re correctly documented and justifiable.
- Review the data protection and confidentiality clauses in your player contracts. Are they fair, lawful, and aligned with the Charter?
- Review the data protection and confidentiality clauses in your agreements (including standard terms and templates) for retaining contractors or buying services or collaborating with partner organisations. Do the clauses line up with your player ‘Privacy Notice’ and contract, or are you taking or offering more than the player might expect?
- Carry out a player-specific review of arrangements with sponsors and endorsers, fan clubs, app providers and social networks. Do the arrangements line up with your player ‘Privacy Notice’ and contract, or would be player be surprised or concerned?
Written by Carol Couse, David Hall and Alice Powell.