The Personal Data Protection Bill 2019 (“PDPB”) creates a legal structure to protect the personal data of individuals. Over the past decade, athletes, teams and other sports entities have become increasingly reliant on the use of data. Sports entities collect and process data directly from athletes (through wearable technology or medical processes) and from the field of play during sporting competitions (player statistics, player performance data etc.). When the PDPB comes into force, sports-related entities will be required to demonstrate that they have the athletes’ consent for data collection or that they fall within one of the exceptions under the law. This piece examines how sports-related entities can address this by drawing from the principles and interpretation of the EU General Data Protection Regulation (“GDPR”).
Data collection in sports
In sport, athletes’ personal data is used for registration and record-keeping, to analyse and improve performance, to improve the fan experience and other commercial purposes. Most personal data is directly collected by the athletes’ employers (usually clubs/teams). Personal information such as name, contact details, date of birth and nationality is collected for player registration. Their health data (medical records) and tracking data collected through wearable technology (distance covered, heart-rate, speed, temperature, sleep patterns, calorie intake etc.) is collected by teams to track player performance.[1] In-match performance statistics are collected by both teams and leagues/competition organisers for archiving and consumption by fans. This data is also used for commercial purposes by broadcasters and fantasy sports operators.
Legal basis for data processing under the PDPB & the GDPR
The PDPB regulates the processing of data by “data fiduciaries” and “data processors”. A data fiduciary is any entity or individual who determines the purpose and means of processing of data. A data processor is any entity or individual who processes data on behalf of a data fiduciary. Under the PDPB, to process any personal data, the relevant entity will have to ensure that it has free, informed, specific and clear consent from the player, but there are certain exceptions.[2] Data can be processed without consent pursuant to a law or a court order, for emergency situations, for purposes related to employment and for ‘reasonable purposes’ specified by the proposed Data Protection Authority (“DPA”).[3] The DPA, while deciding if a purpose is reasonable, will take into consideration – (a) the interest of the data fiduciary in processing for that purpose; (b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal; (c) any public interest in processing for that purpose; (d) the effect of the processing activity on the rights of the data principal; and (e) the reasonable expectations of the data principal having regard to the context of the processing.[4]
Unlike the PDPB, which makes consent the rule with some exceptions, the GDPR treats consent at par with five other grounds for processing data. In addition to the grounds in the PDPB, the GDPR also allows processing of data if it is necessary for the performance of a contract and if it is necessary for the purposes of the legitimate interests of the processing entity or third party. For legitimate interest to be invoked, a three-part test is to be considered – the entity should have a legitimate interest in processing, it should be necessary for that interest and the interest should not be overridden by the individual’s interests, rights or freedoms.[5] The key difference between this and the “reasonable purpose” provision in the PDPB is that here the determination is to be made by the entities themselves and not the regulator.
Challenges faced by sports-related entities
Teams/Clubs: In many sports disciplines, athletes are engaged by teams or clubs through an employment contract.[6] For employment purposes, the PDPB contains an exception to the requirement of consent. Consent would not be required for processing non-sensitive data for recruitment or termination, providing any service or benefit sought, verifying attendance or any other activity related to the assessment of performance.[7] This provision, however, does not apply to “sensitive personal data” of the employee.[8] Clubs or teams will be able to use this provision for registration purposes but not for health and performance tracking data which is “sensitive”.
In employment contexts, consent may not always be appropriate due to a perceived power imbalance. Consent can also be withdrawn at any time. Though it is important to obtain the consent of the athlete for processing health data and performance tracking data, it might not be the appropriate legal basis under the PDPB. Under the GDPR, such data collection could be justified as necessary for the performance of the contract between the athlete and the team. It could also potentially be considered a “legitimate interest”. Under the PDPB, the solution would be to seek approval of such use of the athlete’s sensitive personal data as a “reasonable purpose” from the DPA.[9] This data is processed for the purpose of analysing and enhancing the performance of the athlete and consequently, the team. One of the reasons for an athlete joining a particular team might be their data analysis capabilities. In any case, such processing of data is in the best interest of the athlete. This purpose of data processing satisfies the criteria to be considered as per the provisions of the PDPB, to be approved as a “reasonable purpose”.
Leagues/Event Organizers: These entities collect information on age, nationality, work permit status etc. to assess eligibility of the player to participate. They may also collect and process live on-field performance tracking data and match event data (runs/goals/points scored, fouls conceded etc.). This is used for the purpose of creating a record or archive of the events in the competition, for fan engagement or for awarding individual awards to participating athletes.
Under the PDPB, the “processing of publicly available personal data” is a “reasonable purpose” for which data can be processed without obtaining consent.[10] On-field data could fall under this as it is observable from the public field of play. However, this could be contested. In sports, there is currently a global trend of monetizing “official data”.[11] If the league/organizer wishes to monetize the official live match data, then it would be ideal to set up a consent-based structure.[12] However, consent can be withdrawn. Participation of the athlete cannot be made contingent on providing consent in this case as processing of data is “not necessary for that purpose”.[13] If the athlete withdraws her consent without any valid reason, all legal consequences for the effects of such withdrawal will be borne by her.[14]
Governing bodies and anti-doping authorities: Sports governing bodies collect data from athletes for maintenance of records and to determine the eligibility of athletes to represent the country/state. In cases of age fraud, various medical tests are conducted including dental examination, Tanner Whitehouse 3 procedure[15], MRI tests and fingerprint biometrics. In some situations, more invasive data collection is required (such as for athletes with “Differences of Sex Development”).[16]
Anti-doping action is essential to maintaining the integrity of sport and requires collection of sensitive personal data from athletes. The World Anti-Doping Authority Code (“WADA”)[17] also has provisions which require athletes to provide information on their location on a regular basis.[18] WADA assures privacy protection through the International Standard for the Protection of Privacy and Personal Information (“ISPPPI”) developed as part of the Code. National Anti-Doping Organisations (NADO) must comply with the ISPPPI even if its requirements are higher than those of national laws.[19] The ISPPPI was amended in 2018 to comply with the GDPR. Under the GDPR regime, data collection for anti-doping purposes can be justified as necessary for the performance of the athletes’ employment contracts and competition participation obligations.
The PDPB allows processing of data without consent for certain State functions.[20] State-recognized sports governing bodies could arguably fall within this exception. But this requires further clarification as these bodies are not State entities. To have complete certainty, both sports governing bodies and the National Anti-Doping Authority may seek approval for processing athletes’ data as a “reasonable purpose” from the DPA.
Commercial entities: Sports data is central to certain sports businesses. Broadcasters use player performance data and statistics for attractive packaging of their content. The fantasy sports model rewards participants for their choices based on athletes’ on-field performance. This requires the use of player statistics and match event data. Wearable technology companies and sports analytics companies process athlete performance data on behalf of the athletes’ employers or the athletes themselves.
Broadcasters, fantasy sports operators and other such commercial entities can either acquire such data through licensing agreements with leagues/event organisers or take advantage of the “publicly available data” exception.[21] One could attempt to categorise such data processing as “research, archiving or (for) statistical purposes.”[22] The DPA can permit processing of such data without application of the provisions of PDPB provided that it does not subject the athlete to any specific decision or cause significant harm and cannot be undertaken with de-identified information.[23]
In the case of wearable technology and sports analytics companies, depending on who they collect data from, they will be classified as data fiduciaries or data processors.[24] If they collect their data from teams or clubs, then they will be “data processors” under the PDPB and they are required to have a valid contract with the data fiduciary (the team). Data processors have to process the data as per the instructions of the data fiduciary and have to maintain confidentiality.[25] If they are directly engaged by the athlete for data processing and analytics, then they will be treated as data fiduciaries and will require specific consent from athletes.
As described above, all processing of personal data of athletes will have to be undertaken subject to a specific legal basis once the PDPB comes into force. However, it remains to be seen how certain terms in the Bill will be interpreted and how that will affect data processing in sports.
Authored by Vishakh Ranjit, Consultant and Sreenidhi Srinivasan, Senior Associate at Ikigai Law with inputs from Anirudh Rastogi, Managing Partner at Ikigai Law.
[1] Some of this data can fall under the definition of sensitive personal data under Section 3 (36) of the PDPB.
[2] Sections 12 to 15 of the PDPB.
[3] Section 11 read with Sections 12 to 15 of the PDPB.
[4] Section 14 (1) of the PDPB.
[5] What is the ‘legitimate interest’ basis?, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/
[6] If the club or team does not have an employment relationship with the athlete, then data processing will have to be done on the basis of consent.
[7] Section 12 of the PDPB.
[8] Section 3 (36) of the PDPB defines “Sensitive personal data” as that which may reveal, be related to, or constitute financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe and religious or political belief or affiliation.
[9] As per Section 14 (1) of the PDPB, for approval to be granted under Section 14, the DPA has to consider the interest of the data fiduciary, whether the data fiduciary can reasonably be expected to obtain the consent of the data principal, any public interest, the effect of the processing activity on the rights of the data principal and the reasonable expectations of the data principal.
[10] Section 14 (2) (g) of the PDPB.
[11] When Sports Betting Is Legal, the Value of Game Data Soars, available at https://www.nytimes.com/2018/07/02/sports/sports-betting.html. This discussion has been in the context of legalised sports betting. It could become relevant considering that the Law Commission of India recently recommended the legalisation of betting.
[12] These entities will not be able to satisfy the requirements under 14 (1) to be recognized as a “reasonable purpose”.
[13] Section 11 (4) of the PDPB.
[14] Section 11 (6) of the PDPB.
[15] Age-verification test for Khelo talents before academy entry, available at https://sportstar.thehindu.com/other-sports/tw3-bone-test-khelo-india-youth-games-talents-before-academy-entry/article26211983.ece
[16] IAAF Eligibility Regulations for the Female Classification [Athletes with Differences of Sex Development]
[17] The WADA Code has been adopted by more than 600 sports organizations, including international sports federations, national anti-doping organizations, the International Olympic Committee and the International Paralympic Committee.
[18] Art. 5.6 of the World Anti-Doping Code, 2015.
[19] 4.1 of WADA ISPPPI, June 2018
[20] Section 12 (a) of the PDPB – performance of any function of the State authorised by law for the provision of any service or benefit from the State or the issuance of any certification, licence or permit by the State.
[21] Section 14 (2) (g) of the PDPB.
[22] Section 38 of the PDPB.
[23] Section 38 of the PDPB.
[24] Section 3 (15) of the PDPB.
[25] Section 31 (3) of the PDPB.