It has recently been reported that around 850 professional footballers have threatened legal action arising out of alleged misuse and unlawful trading of their personal performance data over the past six years.
In short, it seems the professional players are seeking compensation and an annual use fee for the trading of their personal data. Whilst no claim has yet been issued, it is reported that letters before action have been sent to data houses and gambling companies stating their intentions. Russell Slade, former Leyton Orient, Yeovil Town and Cardiff City manager, who is leading the action commented that the personal data belongs to footballers from across the pyramid, and this is not an issue specific to Premier League players. This blog will consider the legal stance and the potential ramifications this action may have on the trading of personal data within football.
Has there been any wrongdoing?
It is unclear where these 17 organisations, who are subject to the legal action, have been receiving such personal data from and what cause of action is at the centre of the claim. Understanding whether the personal data is coming from authorised or unauthorised means is important and it could be that the legal claim straddles both.
In considering where some data houses and gambling companies receive the personal data from, there are firm suspicions within the industry that personal data is processed and traded through unauthorised channels. For example, by spectators in the stadium or by individuals viewing through broadcasted streams and collecting personal data that can then be compiled and traded – in practice, actually counting and tallying up the number of shots on target, number of passes etc.
Putting aside whether this would be a breach of ticketing or broadcast terms, any organisation that is facilitating such behaviour, or that is in receipt of such personal data, will need consider whether use of that data would be in breach of data protection laws. Given that there will be no consent to such use, they would need to find an exception or exemption to avoid it being a breach.
It is not difficult to understand the frustration with the covert processing and subsequent trading of personal data in this way. Ultimately, the legitimate stakeholders are losing out and the integrity and accuracy of the personal data could be questionable.
Licensed and authorised means
Data protection laws place obligations on organisations to be transparent as to how they process an individual’s personal data, and it has become commonplace for organisations to do this by putting together privacy policies/notices. The employment/playing contracts signed by professional footballers are of a standard form and include a generic clause regarding personal data which signposts the player to various privacy notices, such as the Premier League’s, the EFL's and the relevant clubs’ own notice as such notices detail how their personal data will be collected, used and shared. When an organisation is sharing (or selling) personal data with a third party, the organisation’s privacy notice must provide details of the sharing (or selling) and, it is best practice to either state the name of the third party the data is being shared with or ensure that this information is readily available if requested.
As well as the requirement to provide transparency, any organisation (no matter its size) has to have a “lawful basis” for processing any individual’s personal data. Receiving explicit consent is only one of the six lawful bases set out under data protection legislation. This means that personal data can be processed without consent provided that one of the other five lawful bases can be relied upon. This is important because it means that the organisations whose privacy notices are referred to in a player’s employment/playing contract can process a player’s personal data without their consent (and therefore do not have to pay any licence fees that a player could potentially demand in return for such consent) provided they have set this out in their privacy notice and they are able to rely on one of the other five lawful bases.
The Premier League’s player specific privacy notice states that the personal data including ‘live on-field tracking and performance (for example, positioning, distance run, passes made) … other match event data (for example, goals scored, or fouls conceded)’ personal data is collected and processed and that it relies on the lawful basis of “legitimate interest” in collecting, processing and sharing such personal data (meaning they do not need to obtain each player’s consent to use the data in this way).
When an organisation seeks to rely on the lawful basis of legitimate interest it must carry out an exercise of weighing the pros of using the personal data in the manner they desire, against the cons of the potential prejudice suffered by the individual to whom the personal data belongs. Presumably the Premier League has decided that the pros of how the personal tracking/performance data can be used to “operate, administer, promote, regulate and govern the Premier League” outweigh any potential prejudice. In short, the Premier League seems to have determined that the revenues generated from the creation and trading of this information to its licensed partners benefits everyone (including the players) financially.
The privacy notice indicates that “Opta” and “Betgenius” are the gatekeepers to this information and presumably they charge a licence fee to interested parties (such as gambling companies) for access to this personal data. Strictly speaking every organisation that receives such personal data should have a privacy notice that details its receipt of such personal data and be doing its utmost to ensure that this is provided to the players to whom the personal data relates. If such an organisation is not doing this then, unless they can rely on an exemption, they are likely to be in breach of data protection legislation.
Will the players win any legal claim/receive any compensation?
It is not possible to state whether the players will “win” any legal claim due to many details being as yet unknown, such as who is the claim actually against and what exact rights have been infringed or laws have been broken. However, in any claim, the players are, even if they are able to prove there has been some “misuse” of their personal data or that some laws have been broken, going to have to set out the loss/damage that they have suffered if they want to receive any compensation. Our view is that this will not be a simple task as any defence is likely to argue that, even if there has been some misuse/breach, the players have not suffered any loss as they indirectly benefit from the trading of their personal data as the increased amount of money in the game causes their salaries to be higher. The players would need to quantify the additional revenues that they consider they have lost out on. It is unlikely they will be able to argue that the use of such data has caused any distress, so it would be solely looking at the damage (i.e. loss) that they have suffered.
Footballers’ contracts do not explicitly state that part of their salary is derived through the trading of their personal data, but it is somewhat simplistic to think that their salary is just for playing football. Ultimately the salary goes beyond just playing football as the clubs (and their partners) want to commercialise the players and maximise extraction of money through different and varied revenue streams.
This action may put these potential illegitimate personal data networks into the spotlight and urge rights holders (such as the Premier League and the EFL) to investigate and shut down those networks.
The trading of personal data through illegitimate networks negatively impacts all stakeholders and appreciation can be given to the frustration of footballers – the networks are in effect a black market for personal data and this means that revenue is not maximised through the official partners.
The high-profile action may cause the Information Commissioner’s Office (the organisation that regulates the use of personal data in the UK) to open an investigation into personal data use, or misuse, within the industry. Such an investigation would consider whether organisations within or linked to the industry are compliant with data protection legislation and specifically, whether the necessary requirements are being met when data is traded (as discussed above). The ICO can issue fines, as part of their enforcement powers, to organisations which could total £17.5 million or 4% of total annual worldwide turnover whichever is higher.
Will anything change?
The action may provide greater clarity and transparency regarding the trading of data within the industry. It may result in the standard Premier League and EFL contract to be amended to include express clauses that state what the salary is made up of and set out that the remuneration is reflective of the commercialisation of the players including their personal data. Ultimately, data is traded as part of football and is a contributing factor to the money involved in the game. We think it is unlikely that this action will significantly change the way data is traded in football through authorised means (i.e. via the Premier League/Football League and their respective partners) but it may cause a spotlight to be shone on the industry to ensure that all parties are acting in compliance with data protection laws and could prove to be a catalyst for tighter regulation on the illegitimate trading of personal data through “black market” networks.
Brabners can advise any affected parties in relation to the issues described above including players, clubs, leagues, data companies, companies processing player data. Please just contact our data/privacy specialists within our Sports Law Team, Morgan Lewis and Colin Bell.