One trend in sport that is becoming increasingly prominent is the capture (and subsequent processing) of athlete data via wearable devices. While this is usually done for medical, training or performance purposes, the desire on the part of sports bodies to identify new revenue streams is strong and there is no doubt that the demand for this kind of data is growing. Alongside the technological difficulties, one of the most significant obstacles to the successful commercialisation of that data is data protection. Nick White, Partner at Couchmans LLP, examines the treatment of athlete personal data gathered via wearable technology and does so through the lens of the recent general approach adopted by the Council of the European Union (‘the Council’) on 15 June 2015 concerning the proposed draft General Data Protection Regulation (‘GDPR’).
While some of the data captured via wearable technology will not even qualify as personal data for the purposes of the European legislation, much of it will, and a good proportion of it is also likely to be categorised as ‘sensitive’ personal data (as it is termed under current laws). At the same time, sweeping changes to the European data protection regime are proposed in order to effect essential updates to the twenty year old ‘Directive 95/46/EC on the protection of individuals with regard to the processing of personal data (‘the Directive’).
What kinds of data are collected?
The types of data collected and the types of processing carried out can take many forms and serve many different functions. Health-related data including heart rate data, blood pressure and temperature, are commonly used by teams and other sports bodies to monitor and improve or protect the health of their athletes. Athlete location data is also commonly recorded, often to produce so-called ’heat maps’ of activity on the field of play or to measure distance covered. Companies like Catapult Sports provide wearable technology to measure other kinds of data such as the size and effect of physical impacts, or ’hits,’ on players. Wearable technology is also used to capture data that is not health related. For example, footage taken from the helmets of racing drivers is already a well-established and compelling part of broadcasters’ armouries. We also saw Channel 4 using jockey helmet cameras in the Grand National this year and Spanish company First V1sion are pushing their ‘chest cams’ as breakthrough sports technology.
The meaning and processing of ‘data concerning health’
One of the most relevant aspects of the draft GDPR for the purposes of this article is the treatment and categorisation of different kinds of data. Article 9 relates to what is broadly currently referred to under the Directive as ‘sensitive personal data.’ That term is set to be abandoned and replaced by a new term and concept: ‘special categories of personal data.’
Among these special categories is ‘data concerning health’ and this category will often be of particular interest and importance to sports bodies. While ‘data concerning health’ will include traditional medical records, including details of injuries, medications and treatments given, our primary interest here is in data gathered by wearable technology and relating specifically to various aspects of the individual’s physiology while engaging in sport or training for it.
The requirements for the processing of ‘special categories of personal data’ under the GDPR are essentially very similar to those for ’sensitive personal data’ under the Directive. In addition to the need to ensure that at least one of the general criteria for processing personal data is met (see Article 6 in the GDPR), a further set of criteria listed in Article 9(2) of the GDPR will apply in relation to the processing of data falling into the ‘special categories.’ Article 9 specifies that processing of such data – including ‘data concerning health’ – is prohibited unless at least one of those criteria is met. The list of criteria is broadly comparable to the list under the Directive.
Interestingly, Article 9(2) of the GDPR – under the draft put forward by the European Parliament on 12 May 2014 – had included processing that is ‘necessary for the performance or execution of a contract to which the data subject is party’ among the criteria for the lawful processing of special categories of personal data. That criterion, for which there is no equivalent provision under current legislation, could have provided quite a powerful and useful tool for sports bodies seeking to process and publish personal data for commercial purposes. As it is, under the Council’s version, that particular provision has been tightened so that it is focused on processing ‘in the field of employment.’ It will be instructive to see the wording that will be finally agreed on this point.
It is well known that data controllers have traditionally sought to rely heavily on the consent as a basis for processing, and for good reason. Consent is an important criterion under the both the Directive and the proposed GDPR. However, the revocable nature of consent in a data protection context is, to a degree ‘baked into’ the proposed GDPR. This may present challenges for sports bodies looking to make public such data.
‘New technology’ and data protection impact assessments
Sports bodies should take note of the fact that the GDPR requires the carrying out of a data protection impact assessment (‘PIA’) where, ‘a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals’ (Article 33). Where wearable technology is being used to gather personal data, including ‘data concerning health,’ it will be sensible for sports bodies to consider carefully whether this requirement will apply. It is worth also noting that Recital 70 of the GDPR refers, in the context of PIAs, to kinds of processing operations ’which, in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller.’ So, there is more likely to be a need for a PIA where the data controller, or processor, has not previously carried one out.
Right to erasure and ‘to be forgotten’ (Article 17)
Where personal data have been gathered and then published by a sports body, some very interesting questions arise in the context of the much vaunted ‘right to be forgotten.’
This right remains a powerful and controversial component of the GDPR. Under Article 17, the ’controller shall have the obligation to erase personal data without undue delay […] and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay,’ where one of a number of grounds are met. One of those grounds is where the data subject withdraws his consent. This can present a challenge for controllers (and processors) of health data that have been published. What happens if an athlete withdraws his consent post-publication and/or demands erasure?
A pertinent provision of the GDPR is Article 17(2a), which says:
‘Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the data, that the data subject has requested the erasure by such controllers of any links to, or copy or replication of that personal data.’
While this wording does impose a level of obligation on the original data controller (for example, a sports body) to take steps regarding third parties, it does not oblige that controller actually to achieve any results in terms of ‘takedowns’ by third parties. In practice though, the commercial market for the data will be severely, if not fatally, undermined if potential purchasers believe that athletes will be able to compel them to take the data down simply by making a request. Almost certainly, part of the consideration paid for the right to publish the data would end up in the pockets of the athlete data subjects; in that context, it seems nonsensical that athletes should be allowed to withdraw their consent. Creative approaches may be required by sports bodies in order to address this problem.
The GDPR is extremely broad in scope and is likely to entail some very significant changes from the current regime. This article touches on only a handful of the issues in the context of some narrow questions concerning the publication and commercialisation of the personal data of athletes.
I believe the essential messages for sports organisations interested in this area are: (i) to understand very clearly the types of personal data they are processing or likely to be processing; (ii) to be aware of the differences between the provisions of current and likely future legislation; and (iii) to plan a holistic data protection programme which entails as seamless a transition as possible from the current regime to the new one.
Meanwhile, formal talks between the European Council, Commission and European Parliament have now begun, with the aim of reaching agreement by the end of 2015. It is in the interests of all that problems are identified and ironed out soon so that the text can be agreed on time. Only when that has happened can data controllers, processors and their advisers properly begin to plan the measures necessary to ensure they are compliant when the Regulation comes into force.