Back in the summer of 2020, a fight began in the United Kingdom over the collection of soccer player data during the course of a game.
The story, which The Athletic first reported, is unprecedented in its scope and scale. What began as more than 400 players (and has subsequently grown to more than 850 current and former top-level players) displeased with the use of tracking data by sports betting and data companies is continuing to grow and could become an important touchpoint for the future of athlete biometric data use in the United States.
The latest report is that the group behind what they have dubbed Project Red Card is still in pre-litigation stages, but the group is working toward what will ultimately be a lawsuit against companies that have collected personal data in violation of the U.K.’s General Data Protection Regulation (GDPR). If the players ultimately prevail in their lawsuit, it could change the entire sports data industry.
Who are the parties here?
The group was started by former Cardiff City manager Russell Slade, who has now had more than 850 players sign on. They are both current and former players of the English Premier League, English Football League, National League, and Scottish Premier League.
Since 2020, the group has been working to figure out just how many companies have touched the data without permission or even the players’ knowledge. The count as of October 2021, according to The Athletic, was more than 150 different companies.
Who is on the other side?
The group alleges that these companies are processing players’ data without legal authority to do so.
The list may run to as many as 150 companies, according to one report; however, a report in The Guardian noted that “letters before action” (sometimes called a letter before claim, roughly the U.S. equivalent of a pre-litigation demand letter) had been sent to 17 major firms.
What is the claim?
Back in 2018, the U.K. passed one of the most sweeping data privacy protection laws in the world. The GDPR gives individuals significantly more control over their personal data than virtually any other law.
The crux of the law is that before someone can use your data, they need to get your permission to do so. The players believe that they should be entitled to compensation for the use of their data by data companies.
It looks like the critical area of legal contention, according to Wired, is going to center on what is private information versus what is a readily observable fact. For those having flashbacks to the U.S. case NBA v. Motorola, this is in a similar ballpark, although the privacy claims are distinct.
Wait, what kind of data are we talking about?
According to Wired U.K., Project Red Card argues that even though something might be readily observable, such as who scored a goal, that information still relies on personal data and is regulated by the GDPR. It does not immediately appear that biometric data is at issue here. Instead, it seems this centers more on observable performance data.
While some are skeptical about the claims being brought and just how GDPR will be applied to this particular case, one question seems to center on whether the players give consent to data collection by virtue of stepping on the pitch and playing a sport in front of tens of thousands of spectators live and millions more on television. Of course, this would not immediately indicate that the players have consented to the sale of their data, but that may be more of a contractual issue than a data privacy issue.
Even if the players’ main claim is ultimately rejected, U.K. law firm Farrer & Co. observes that other aspects contained within GDPR could still prove relevant to the case, including whether privacy notices sufficiently disclosed how player data would be used. Another element the firm observes is that the GDPR has a “right to rectification,” meaning that inaccurate data must be rectified if the players note the incorrect data to the proper authorities.
What could this mean in the U.S.?
While some jurisdictions like Illinois have been passing laws to protect biometric data, the U.S. does not have anything nearly as expansive as the GDPR, nor is one on the horizon.
However, Project Red Card does highlight a critical issue that is relevant on this side of the pond: the desire for athletes to control their own data. While the ship has sailed on Mike Trout controlling whether or not someone knows he hit a home run, the ship is still in port on the sale of biometric data amongst U.S. sports leagues.
What have pro sports leagues done about data?
The NFL’s latest CBA established a sensor committee to address future issues surrounding tracking. In addition, MLB put a stop to the commercialization of athlete biometric data in its latest CBA, calling it “illegal” (private sports leagues do not make laws, as much as they might like to pretend they do) to sell private medical information or biometric data.
The NBA beat both to the punch but left much of the control of data collected in the hands of the players, though its CBA bans commercialization of the data. This means that it is unlikely we will be seeing any betting on heartbeats for at least a decade, not that it is clear anyone actually wants to do that.
Project Red Card, however, could spark a movement amongst players demanding more control over their information.