Written by Zeeshan Ahmad Abbasi
A. Introduction:
Technology has leaped ahead, and data now drives nearly every aspect of performance, management, entertainment, broadcasting, and fan engagement. The Strategic Market Research report suggests that the global sports analytics market, valued at $2.1 billion, is expected to surge to $16.5 billion by 2030. This growth is largely ascribed to the integration and strategic use of real-time data within the sports industry. Given the economic stakes attached to sports data and its impact on the professional careers of athletes, robust data privacy measures are imperative.
The consequences of a data leak can often be dire. Suppose confidential information about an athlete’s injuries is revealed: the athlete is then at a disadvantage when competing against non-injured peers. Such disclosure might undermine the athlete’s position in a trade, potentially diminishing their market value and associated benefits. Similarly, if sensitive financial data about a team is leaked, the team could face adverse consequences such as loss of sponsorships or penalties imposed by the league.
The 2016 WADA data breach, which exposed medical information of athletes like Serena Williams and Simone Biles, and the 2021 cyberattack on the Houston Rockets by the Babuk ransomware group, which leaked over 500 GB of confidential data including player contracts and financial details, underscore the urgent need for comprehensive data protection.
B. Impacts of Sports Data Exposure:
Modern sports have witnessed significant shifts, inter alia, the increasing reliance on an array of smart devices—watches, trackers, garments, and patches. This growing demand has empowered sports entities to collect a broad spectrum of physiological and performance data using sensors, including heart rate, VO2 max, body fat composition, hydration status, blood glucose levels, and sleep and movement patterns.
The data collected from these devices is typically analyzed by sports management and stored on Software as a Service (SaaS) platforms. These platforms, hosted in the cloud and accessed over the internet through applications or web browsers, carry the same breach risk as any other internet-facing service. A breach of the cloud platform could result in unauthorized access to sensitive data by competing teams, or even its sale for betting purposes. In the event of such a breach, critical information, such as a player's weak foot, number of take-ons, or other performance metrics, could fall into the hands of rival teams, providing them with a strategic advantage in the league. This type of breach could be termed a strategic breach.
Another type of breach that can occur is identity theft, which poses a significant risk, especially for high-profile sports personalities. Given their popularity and public visibility, a simple act of identity theft can have far-reaching consequences. Unauthorized individuals could impersonate the athlete, potentially engaging in fraudulent activities, damaging the athlete’s reputation, or accessing sensitive financial and personal information. This not only compromises the athlete's privacy but also threatens their professional and personal life.
C. Who owns the data?
Ownership of sports data typically resides with the sportsperson, as the primary subject of the data. However, through mutual agreements, data rights may be assigned or licensed to franchises for the purpose of performance analysis. The extent of data collection is often unregulated, leaving discretion largely in the hands of the parties involved. An alternative framework could involve Collective Bargaining Agreements (CBAs) between players and their clubs, leagues, or associations, which delineate the specific types of personal data that can be collected and shared, particularly with broadcasters or other entities.
In certain instances, broadcasters may assert ownership over specific data, such as slow-motion footage captured using various cameras on the playing field. Broadcasting rights are purchased by companies, and those companies have in some instances also suffered breaches. The case of Star India v. Akuate Internet Services (2013) raised critical questions regarding the ownership of event data. In 2012, Star India secured exclusive broadcasting rights from the BCCI and subsequently sued companies such as Cricbuzz and Idea Cellular. Star alleged that these companies were unfairly profiting from live score updates sent through SMS, which, according to Star, were its exclusive property under the ‘hot-news doctrine.’ This doctrine posits that certain information, like match scores, holds commercial value only temporarily. Star argued that these companies were exploiting this valuable data and gaining an unfair advantage.
The Delhi High Court initially sided with Star, imposing a 15-minute delay on live score updates. However, this decision was overturned on appeal. The division bench reasoned that the ‘hot news’ doctrine, first applied in the INS case, had evolved to apply only when the parties are direct competitors. Since BCCI and Star did not provide SMS services directly to consumers, they were not considered direct competitors.
D. Worldwide Standards for Sports Data Protection:
Worldwide standards for sports data protection vary significantly across regions. The U.S., for instance, is known for its prominence in sports, bolstered by significant achievements such as hosting the Super Bowl and winning numerous Olympic gold medals. This standing is supported by stringent regulations like the Health Insurance Portability and Accountability Act (HIPAA), which ensures the protection of sensitive athletic health data.
An athlete’s personal medical information is protected under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which establishes national standards to safeguard sensitive health data. The HIPAA Privacy Rule, issued by the Department of Health and Human Services (HHS), ensures the proper protection of health information while allowing its flow for high-quality care and public health. The HIPAA Security Rule, a subset of the Privacy Rule, specifically protects electronic protected health information (e-PHI) by requiring covered entities to ensure its confidentiality, integrity, and availability, and to guard against anticipated threats. The Office for Civil Rights within HHS enforces these regulations, upholding the principle of custodianship of personal data.
Under the EU’s GDPR Article 30, organizations must create and maintain a record of processing activities, often known as a data inventory. This inventory documents the types of personal data collected, their storage locations, the organization’s use of the data, the protection measures in place, and any data transfers. While U.S. privacy laws do not currently mandate the creation of a data inventory, many organizations aiming for compliance with data privacy regulations prioritize developing one. This serves as a crucial step in understanding and managing the personal data within their operations.
Similarly, Australia faces challenges in safeguarding sports data, highlighted by a recent Football Australia data breach that exposed player contracts and fan details. Under Australia’s Privacy Act 1988, sports entities don’t ‘own’ the data they collect but must handle it in compliance with strict guidelines, including obtaining specific consent for sensitive data collection. Breaches can result in severe penalties, with fines for corporations reaching up to $50 million. The increasing use of smart devices and cloud-based platforms for data collection makes it imperative for sports organizations to implement robust security measures and up-to-date privacy policies to mitigate risks and comply with evolving data protection standards.
E. The case of India:
The Puttaswamy judgment unanimously affirmed that the right to privacy is constitutionally protected in India. The National Anti-Doping Agency (NADA) has been actively involved in regulating drug use in Indian sports and promoting anti-doping awareness. However, the agency's current framework falls short in safeguarding athletes' personal data. NADA's Anti-Doping Rules permit the collection, storage, and processing of personal data without explicit consent, raising concerns about data protection. The Information Technology Act, 2000, under Section 43A, mandates reasonable security for sensitive personal data, yet it remains unclear whether NADA qualifies as a body corporate under this provision.
The DPDP Act aims to address these gaps by introducing stricter data protection measures, including explicit consent requirements for processing athletes' sensitive information. Despite these advancements, the bill allows exceptions for government agencies processing data for "reasonable purposes," potentially undermining privacy protections. The proposed Data Protection Authority (DPA) is intended to oversee compliance but faces challenges because it depends on government-appointed members. Key principles in the PDPB, such as data minimization and accuracy, align with international standards but lack the specificity found in the General Data Protection Regulation (GDPR). The absence of an independent oversight authority may weaken the effectiveness of data protection enforcement, affecting athletes' rights and the security of their personal information.
F. Conclusion:
To effectively navigate the evolving data privacy landscape, sports organizations must develop a robust privacy compliance roadmap. Many regional sports entities, lacking exposure to stringent regulations like the EU’s GDPR, should commence by assessing relevant privacy laws, including emerging state and national statutes. A crucial first step is establishing a data inventory, detailing the types of personal data collected, its storage, usage, protection, and transfers. This inventory is foundational for crafting a comprehensive privacy program, facilitating responses to data access requests, and formulating accurate privacy notices. Evaluating access controls and conducting Privacy Impact Assessments (PIAs) are essential to manage high-risk processing activities, such as handling athlete performance data.
Moreover, modernizing vendor risk management is imperative, given that sports organizations often share personal data with third parties. Implementing rigorous third-party management processes and contractual data sharing restrictions can mitigate privacy and security risks. Adhering to the principle of data minimization and ensuring compliance with legitimate interests under frameworks like the GDPR is crucial. Establishing an independent oversight body to monitor data protection, especially in anti-doping processes, alongside updating privacy policies and enhancing security measures, will fortify the privacy framework. Sports teams and clubs must remain vigilant, upskill their staff, and maintain a comprehensive approach to data protection to align with evolving standards and safeguard athlete information, ensuring compliance with the principle of caveat emptor.
References:
1. Anthony, A. (2024, August 26). Athlete Data Privacy and Performance. Retrieved from Sports Lawyers: https://www.sportslawyer.com.au/athlete-data-privacy-and-performance/
2. Kumar, S. (2024, August 30). Sports Analytics Market, a $16.5 billion Industry by 2030 with a CAGR of 22.9% - Strategic Market Research. Retrieved from Strategic Market Research: https://www.globenewswire.com/en/news-release/2022/05/27/2452062/0/en/Sports-Analytics-Market-a-16-5-billion-Industry-by-2030-with-a-CAGR-of-22-9-Strategic-Market-Research.html
3. Meena, D. (2024, August 25). Data Protection in Sports Medicine: A Comparative Global Analysis of Players’ Privacy. Retrieved from AM Legals: https://amlegals.com/data-protection-in-sports-medicine-a-comparative-global-analysis-of-players-privacy/#
4. Michael Cossetto, R. L. (2024, August 24). Data and sport - big data means big privacy protections. Retrieved from Bartier Perry Lawyers: https://www.bartier.com.au/insights/articles/data-and-sport-big-data-means-big-privacy-protections
5. Powell, O. (2024, August 25). JD Sports data breach affects 10 million customers. Retrieved from Cyber Security Hub: https://www.cshub.com/attacks/news/jd-sports-data-breach-affects-10-million-customers
6. Snape, J. (2024, August 30). Football Australia data leak exposes players’ contracts, fans’ personal details. Retrieved from The Guardian: https://www.theguardian.com/sport/2024/feb/01/football-australia-data-leak-breach-exposes-players-contracts-fans-personal-details