Data protection changes are on the way for sports clubs and businesses

The UK Government is currently deliberating the latest draft of the Data (Use and Access) Bill (‘Data Bill’), which represents the first significant change to data protection laws since the UK GDPR was adopted in 2018.

Whilst the Bill is still at the report stage in the House of Lords and the finer details are being reviewed, the overarching principles are available to be read and have commercial practices at the heart of their changes. With the sports data analytics market currently estimated to be worth around $4 billion (USD) in 2025 and expected to reach more than triple that sum within the next 5 years, there are clear implications for the sports sector on how data is collected, handled, and processed. With that in mind, sports clubs and sports businesses need to be alert to the incoming changes and start to think how to best address them.

Sports data vs personal data

Sports data is more than just game statistics. As analysis continues to improve and competitive edges are sought, the more detailed the data needs to be for the clubs to make their much-needed marginal gains. Invariably a large proportion of that data is therefore based on the players and their performance, with many details tantamount to players’ medical records, such as personal measurements, previous injuries, and even psychometric profiling. As such, a lot of player data therefore qualifies as sensitive personal data under UK and EU data protection laws and is afforded the tightest protections available according to the letter of the law.

Consent and data management

One of the overarching aims of the Data Bill is to ease the flow of personal data in a business context. Whilst this will clearly suit the sports data sector, there is still the underlying principle of consent required to be given in the first place. 

In recent years we have seen that there have been thousands of professional sportspeople signed up to the Project Red Card movement, which is looking at bringing legal action where players’ consent has not been obtained but their data has been used in business (e.g. betting sites). Whilst the result of Supreme Court’s decision in Lloyd v Google (2021) may have stemmed the possibility of class actions due to the need to evidence actual losses by the claimants (i.e. the players) and not just a loss of control of the data itself, the principle that consent should have been obtained still stands.

In the football world, this issue has been addressed to some extent by creation of FIFPRO’s player performance database, which provides players with more control over their privacy rights and management of their data - a practice that may well be mirrored across multiple sports in the near future.

What the Data Bill introduces is the concept of trust frameworks and data intermediaries, which will be specific to individual sectors. The current drafting of the Data Bill paves the way for secondary legislation to be passed per sector, and it would be logical that a sport-specific framework is provided for, and so clubs and players will need to be aligned with the new requirements.

Cybersecurity

The Data Bill builds upon existing provisions around sharing personal data in the interests of public security, national security, or where it is otherwise vital to the data subject. Whilst those current exceptions may not necessarily impact on sports law (even if you follow the Bill Shankly mantra that football is more important than being a matter of life or death…) the discussions around this in the House of Lords have referenced the need for the provisions to be supplemented by additional laws around cyber security. With players and clubs’ livelihoods at the centre of the sports data, the need to embed those requisite technical and organisational measures of protection must be at the forefront of the minds of those in charge of it. All eyes are therefore on the pending Cyber Security and Resilience Bill, due later this year.

Enforcement

When it comes to enforcing data protection principles, the ICO is expected to receive increased powers and rights in terms of its ability to require disclosure of documents, issue fines, and impose sanctions for non-compliance. It is therefore anticipated that the ICO will scrutinise those sectors with higher levels of data transfer and sensitive personal data, such as sport.

Legitimate interests

One of the headline changes being introduced by the Data Bill is a new category of “recognised legitimate interests”, which are aimed at reducing the need for legitimate interest assessments. Again, these areas are focussed on national security, public security and defence, emergencies, crime, and safeguarding vulnerable individuals – areas that are not particularly aligned to the sports sector, albeit the ability to process data for interests of protecting individuals aged under 18 may therefore impact the way that youth team players’ data is managed.

Automated decision-making

The UK government has recently launched its UK AI Opportunities Action Plan, with a new AI growth zone planned for the Liverpool City Region. It follows therefore that the Data Bill seeks to ease some of the existing restrictions around the use of personal data within automated decision-making. Consent in the first instance will still be key, but with sports data turning to AI-based data analysis, that data is likely to be consumed and used at an increasing rate.

International transfers and special categories of data

The Data Bill grants more discretion to the Secretary of State to facilitate data transfer standards. One key area of change here is the ability for the Secretary of State to designate certain countries as having adequate data protection measures in place. This will involve the application of a data protection assessment of the laws of the relevant third country, with transfer permitted if the recipient country has protections that are “not materially lower” than those of the UK. This could therefore open easier (or less regulated) transfer of sports data out of the UK to businesses operating internationally or partnering with a third-party business abroad.

There is also potential for the Secretary of State to designate new special categories of data to allow more flexibility to adapt to future developments, e.g. AI-driven data processing or business practices. Given the value of sports data, there is therefore scope for the sports sector to benefit from such a designation.

What happens next?

We are at the relatively early stages of the legislation being drafted, with the House of Commons yet to provide input, however the Data Bill has set out the Labour government’s stall on how it wants to protect and simplify data processing. The changes cannot necessarily be too far-reaching, for fear of the UK falling short of the adequacy requirements for remaining complaint with the EU GDPR, however changes are coming.

What is clear is the need for sports business, clubs, and players to all be more vigilant about handling personal data and act sooner rather than later. For players, their contract negotiations need to have more of a personal data focus and manage those consents. For clubs and sports businesses, having the right infrastructures, security measures, and contract provisions will be essential.

For further information, please email Mark Hughes or Philip Bowers or call 0151 906 1000.