By Anna Soilleux-Mills Partner CMS, London, United Kingdom
Last year, it was widely reported that a group of over 400 professional footballers were bringing legal action against various organisations and companies, including gambling and video gaming companies, over their use of these footballers’ performance data and personal statistics (“Player Data”).
On 12 October 2021, it was reported that the number of footballers has grown to 850 and that “letters before action” have now been sent to 17 betting, entertainment and data companies, with potentially more than 150 more to follow. The players are claiming compensation and an annual fee for the commercial use of their Player Data over the last six years.
This action is known as ‘Project Red Card’ and is an example of the growing use of data protection laws to fill in the gaps left by other laws (such as intellectual property rights and the laws of confidence and misuse of private information). If this reported claim proceeds to a formal court filing and is subsequently successful, the ramifications on the exploitation and use of publicly available information about individuals, including sports persons, will have a significant cross-industry impact.
The reliance on data protection laws
Limited public details are known, but at the heart of the claims in Project Red Card is understood to be the General Data Protection Regulation (“GDPR”, as incorporated into UK law following Brexit) and the Data Protection Act 2018 (“DPA 2018”) (together, the “DP Laws”). These are the key laws regulating the processing of personal data in the UK.
Personal data is defined as any information relating to a natural person who:
Any organisation that is collecting and using personal data must have a “lawful basis” for doing so. The “lawful bases” for the processing of personal data are contained in the GDPR. Where the processing of personal data is without a lawful basis, such processing will be unlawful.
Is personal data being processed?
Russell Slade, the former Cardiff City footballer who is reported to be spearheading Project Red Card, stated that a particular centre back’s height was incorrectly listed on a certain platform as 5ft 7 and claimed that such inaccuracy could affect the player’s ability to get a contract abroad. A player’s height is just one example of personal data under the spotlight in Project Red Card. In practice, there are vast subsets of data and statistics relating to footballers that can be processed whether these are obtained from watching a public match, newspaper reports or during analysis of training sessions that are run by their respective football clubs. Such data includes a player’s number of appearances, goals scored, passing accuracy, distance run, running speeds, injuries or the detailed medical data that is collected by their clubs. This data clearly relates to identifiable players and, therefore, falls within the definition of personal data under the GDPR. Any medical, genetic, biometric or racial data would be classed as “special category” data.
Given that personal data is being processed, the DP Laws will apply to any organisation’s collection and use of this personal data. There are a number of groups and companies processing this data, including football clubs, football leagues, specialist data processing companies, broadcasters, news outlets, betting and gambling companies, fantasy sports companies and video game developers. While some members of this group may be able to rely on the journalistic exemption under the DP Laws, others will need to demonstrate that they are processing personal data lawfully. For non-special category data, the relevant grounds for lawful processing are set out in Article 6 of the GDPR. The two most applicable bases in a situation are likely to be “consent” or “legitimate interests”.
Lawful processing: Consent
In some situations, the player may have consented to the processing of his personal data, for example, through a sponsorship or endorsement agreement. However, if data processing consent is included in a contract that concerns other matters, that consent needs to be presented in a clear and intelligible manner that can be distinguished from the other matters. Consents may also be included in player employment contracts, although the validity of a consent given in an employer-employee context is open to challenge where the employer is considered to be in a position of power. Such arguments are less persuasive where the “employee” is a top sports star.
Lawful processing: Legitimate interests
In the absence of consent, organisations processing the data will typically rely on the grounds that the processing of the data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party. In order to rely on this ground, the organisation must carry out a legitimate interests’ assessment, which determines whether the organisation is pursuing a legitimate interest, whether the processing is necessary for that interest, and crucially whether the data subjects’ rights and interests override that legitimate interest. This assessment will be different on a case-by-case basis for each and every organisation and will likely depend also on the specific data being processed, including the extent to which it is in the public domain and the likely impact on the player’s career in processing that data.
Special category data: narrower requirements
Where medical data (or other special category data) is being processed, such as data relating to injuries, that constitutes “special category” data. The concept of “lawful processing” does not apply to special category data. Instead, the processing of such data is prohibited unless one of the Article 9(1) conditions applies. These conditions are quite narrow but include the data subject’s explicit consent, as well as “personal data which are manifestly made public by the data subject”. It is uncertain whether that could cover a player’s injury that has been broadcast live and reported on in the media, particularly given that this condition appears to require a high threshold (that is, “manifestly”), and that the data was made public by the footballer, rather than the media, for example.
Potential practical implications
These legal issues that are being brought to the fore by Project Red Card are largely untested in the courts in the UK and the outcome is likely to have significant effects within the sports industry and beyond.
If the consent of the players has not been obtained, and it is found that there is no legitimate interest for one of the organisations concerned to be processing the Player Data, then this will be a breach of the DP Laws. The issue of damages and how these might be assessed is a key question in actions such as Project Red Card, given that the players are effectively seeking to use the rights granted by the DP Laws as valuable quasi-IP rights that can be commercially licensed.
Under the DP Laws, data subjects can claim compensation where there has been a breach and the data subject has suffered damage as a consequence. Accordingly, the players bringing the action would have to demonstrate that a loss has been suffered. Historically for such breaches under the DP Laws (and the previous data protection legislation), damages have included financial loss or distress.
At first glance, given the publicly available nature of much of the Player Data and the considerable passage of time that the organisations have been processing this data without complaint, the footballers may find it difficult to argue that they have suffered either financial loss or distress. As such, the court may deem it appropriate to only award nominal damages in recognition of the breach.
However, the case of Lloyd v Google in the Supreme Court will be critical in how the courts address this issue and may open the door to greater damages in actions such as Project Red Card. The Court of Appeal’s decision (which is being appealed) held that a claim for damages under DP Laws can include a claim for the “loss of control” of data, even where there is no pecuniary loss and no distress. To claim “loss of control” damages, the data subjects would therefore not need to show damage, only that they had lost the right to control their data. The players could argue that they lost the ability to control their personal data when the various organisations processed it for their own purposes.
Given that the Player Data being collected and processed by the organisations has an economic value, demonstrated by the organisations’ ability to monetise the Player Data when offering products and services, then a loss of control over that data will equally have value. Lloyd v Google will also be key in determining the value of such a loss of data. One of the key issues that the Supreme Court is set to opine on is whether damages should be awarded as “compensation damages” (in which case the quantum still may not be equivalent to IP licensing fees) or “negotiation damages” (in which case the quantum would be more akin to a “user licence” fee). This case was heard by the Supreme Court in April of this year and judgment should be handed down towards the end of this year.
What can be done to mitigate the risk?
Organisations involved in the processing of Player Data and concerned about the consequences of Project Red Card could consider the following steps to mitigate the risks of processing this personal data:
Project Red Card was first reported in July 2020, and, at the time of writing, it appears no formal court proceedings have yet been issued. If the reported claims under Project Red Card materialise, we are unlikely to see the resolution of any court proceedings until late 2022 - at the earliest.
To succeed, Project Red Card needs to establish that these companies have been using footballers’ personal data in breach of data protection legislation. Much of the reporting around Project Red Card incorrectly implies that the only way that these companies can lawfully use the footballers’ data is if the footballers have given their consent. Consent is one of the legal grounds that can be relied upon to use personal information lawfully – but that is not the only one. It is entirely possible that some of the companies, that have received letters before action from Project Red Card, are capable of using the footballers’ data lawfully and without breaching GDPR.
In the author’s view, there is unlikely to be a landslide victory for the footballers, but equally there will likely be a number of companies that have not properly thought through their use of this data and how to do so compliantly and so, therefore, may technically be in breach of GDPR. In many cases though, it is likely to be fixable going forward.
It should also be noted that Project Red Card is just one example of athletes attempting to assert an array of legal rights to extract a greater share of the revenues generated from the exploitation of their images and data. Consequently, if Project Red Card does not materialise in its expected form, it is unlikely to be the last legal challenge of this nature that we will see.
Stakeholders in the data collection and analytics, gambling and videogame industries, in addition to sports teams and governing bodies, will be watching any Project Red Card developments with great interest, given the significant impact the outcome could have on their ways of doing business and their profitability.
This is illustrated by Genius Sports Group’s recent US SEC filing, where it notes Project Red Card as a risk stating that:
“If the request (named “Project Red Card”) develops into legal action, it could significantly alter the way we collect and use sports data relating to players, and could materially affect the sports data industry as a whole… Under the terms of our existing contractual arrangements, any adverse judgements could impact the validity of such contractual arrangements and/or our ability to rely on intellectual property rights to prevent third party infringement, which may force us to alter our business strategy and have an adverse effect on our business.”