UK: GDPR And Sport: Make Sure That You're On The Ball!

Introduction

All but a slim minority of sporting bodies will be affected by the General Data Protection Regulation ("GDPR") on some level. Whether a governing body holding performance data, an anti-doping agency processing sensitive health records or a local club storing the addresses of junior members, sports organisations will have to comply with significantly altered obligations in respect of personal data.

And the stakes are high: the increased fines under the GDPR have been well-publicised; but perhaps less obviously, under the Code for Sports Governance sports organisations risk losing their public funding for non-compliance with applicable regulations (and Tier 3 funding requires governing bodies to demonstrate that they have appropriate policies and procedures for compliance).

In this article, we highlight some of the principal enforcement risks facing sporting bodies under the new regime described by the ICO as a "game-changer". We also consider how the GDPR might feed into existing facets of sports dispute resolution.

Enforcement risks

The scope for sporting bodies to become the subject of data protection enforcement is of course as wide as the obligations under the GDPR; and enforcement action against data processing organisations operating in the sports industry is just as likely to be driven by complaints from members, fans and athletes as on the initiative of the ICO.

The GDPR's principle of accountability places the burden on sporting bodies to demonstrate compliance. This will be of particular concern to international and national governing bodies who process personal data on an industrial scale. The message is clear that the ICO will have little sympathy for well-resourced data processors who, for example, fail to carry out data audits and risk registers to the requisite standard. And the new requirement to report data breaches within 72 hours could trip up sports organisations of any size.

International governing bodies may find themselves embroiled in EU data protection enforcement for the first time: the territorial scope of the GDPR extends to data controllers and processors monitoring the behaviour of data subjects within the EU irrespective of whether the controllers and processors are also established in member states.

The plethora of sporting bodies which hold special category data (formerly "sensitive personal data") are also at increased risk. For example, anti-doping agencies processing test results will need to ensure transparency as to their legal basis for doing so.

Finally, the significant proportion of sports organisations reliant on charitable fundraising are well-advised to proceed with care. The GDPR implements a wider definition of direct marketing and makes it more difficult for charities to rely on "opt-out" consent to the use of data for advertising purposes. The fine for nuisance emails imposed by the ICO on Royal Mail in April 2018 is a pre-GDPR warning shot to all organisations contacting the public directly.

The GDPR in sports dispute resolution

The GDPR is likely to create opportunities and headaches across dispute resolution, sports included.

Data access requests have long been weaponised in litigation (see the article in this series looking at solicitors' potential responses to such enquiries). But following the implementation of the GDPR, subject access requests are likely to become more common. In the sports context, athletes appealing selection decisions might use Article 15 of the regulation to seek more transparency as to the data set available to selectors.

When it comes to obtaining information from third parties for the purposes of disciplinary cases, under the GDPR sports governing bodies will continue to be at the mercy of the attitude of the relevant third party. For certain types of offence, such as doping violations and match-fixing, transferring potential evidence would be justified on the legitimate interests basis (protecting the integrity of sport being in the interests of the organisation and participants)¹, even if specific consent to a transfer of information has not been obtained. However, it is not clear whether third parties, in weighing up the rights of individuals, will consider that the legitimate interests basis justifies transfers of data in all disciplinary cases: for example, what about the case where an individual has bet on their own sport using a third party's account rather than fixing a match? The sharing of information between betting operators and governing bodies about suspect sports betting (e.g. under a Memorandum of Understanding), which is a useful tool in the fight against corruption in sport, could therefore become more complex and open to challenge.²

Governing bodies and betting operators and regulators will, however, have been keeping a close eye on the progress of the Data Protection Bill (which will give effect to the GDPR) as it has meandered its way through Parliament³; and they will obviously be scrutinising the Bill when it finally becomes law, particularly those provisions specifically relating to the processing of special category data where it is required for regulatory and integrity reasons and is in the "substantial public interest".

In the context of disciplinary processes, the Data Protection Bill (in its present form) identifies two helpful "substantial public interest conditions" that are likely to be of assistance when processing special category data: "anti-doping in sport" and "standards of behaviour in sport". These allow processing: (i) "for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally"; and (ii) "where necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event" provided that the processing must be carried out without consent in order not to prejudice the ultimate purpose and it is "necessary for reasons of substantial public interest". These conditions could prove to be a key tool in the investigation and prosecution of disciplinary offences, and it will be interesting to see how broadly they are applied.

Alternatively, third parties might continue to rely on having obtained the consent of the individual to the transfer. However, whilst consent has been broadly relied on in the past, given the more stringent requirements regarding "informed" consent, third parties relying on consent could find themselves unable to transfer relevant information in the future and, in any event, the individual could exercise the specific right to withdraw their consent.

The new right to erasure (or "right to be forgotten") under the GDPR may also work to frustrate governing bodies engaging in regulatory investigations and enforcement processes, particularly in the field of suspicious sports betting. The public interest in these processors obtaining and monitoring gambling data over significant periods will likely come into conflict with individuals' (caveated) rights under Article 17 to have personal data erased.

Further, there may be challenges to the information sporting bodies publish about data subjects. Under the GDPR, dissemination of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is disseminated. Further, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary. In the circumstances, there will be scope for argument as to precisely what information anti-doping agencies and governing bodies can publish about athletes and members (e.g. following a positive test result or allegation of misconduct) and for how long.

Conclusion

With the precise shape of the GDPR as it will apply in the UK currently before Parliament as the Data Protection Bill, sports organisations and lawyers will have a wealth of new data protection law to consider over the coming months. The new regime's emphasis on individual rights means that litigators acting for athletes and members will have more opportunities than most to use the GDPR to their clients' advantage. But whatever hat you are wearing, you will certainly need to be on the ball!

Footnotes

1. Subject to specific provisions relating to special category data and international transfers of data.

2. See also the recent "Information Note 2018" from the Gambling Commission headed "Gambling regulation and the [GDPR]" at http://www.gamblingcommission.gov.uk/PDF/Gambling-regulation-and-GDPR.pdf, which is intended to provide some assistance to gambling businesses. The Gambling Commission also provides their view that that the GDPR is not intended to prevent operators from taking steps which are necessary in the public interest, or are necessary to comply with regulatory requirements under a gambling licence.

3. The Public Bill Committee has now completed its work and has reported the Bill with amendments to the House, and is no longer able to receive written evidence: https://publications.parliament.uk/pa/bills/cbill/2017-2019/0190/18190.pdf The Bill was considered at Report Stage on Wednesday 9 May 2018.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.