Footballers seek compensation for "GDPR violating" performance data trading
Letter threatening legal action against 17 firms that trade player data claims the practice violates EU data protection law
Hundreds of football players have threatened to take legal action against companies that use their performance data, claiming this practice is in violation of GDPR.
850 players, led by former Leyton Orient manager Russell Slade, have demanded compensation for the trading of their data over the past six years, according to the BBC.
The data is a mixture of statistics, such as goals-per-game and physical information like a player's height, all of which is being harvested and used by 17 unnamed data collection, betting and entertainment firms, according to letters sent by Slade and the players.
Slade has previously expressed concern around the collection of performance data, and his legal team said the fact that players do not receive payment for the unlicensed use of their data is in violation of GDPR. This could fall under Article 4 of the legislation, where "personal data" refers to a range of identifiable information, such as physical attributes, location data or physiological information.
Although the letter has been sent to an initial 17 firms, Slade's Global Sports Data and Technology Group has highlighted more than 150 companies it believes have misused this type of data. If legal action is taken and the group is successful, it could herald sweeping changes for a multi-billion-pound industry.
Slade's work here seems mostly for the benefit of lower league players - those outside of the lucrative Premier League - with the practice potentially affecting both the men's and women's game.
"It's incredible where it's used," Slade said to the BBC. "On one player, and I'm not talking about a Premier League player or even a Championship player, there were some 7,000 pieces of information on one individual player at a lower league football club.
"There are companies that are taking that data and processing that data without the individual consent of that player. A big part of our journey has been looking at that ecosystem and plotting out where that data starts, who are processing it, where it finishes and that's a real global thing. It's making football - and all sports - aware of the implications and what needs to change."
Regardless of any legal action, footballers should invest in cyber security insurance with additional layers of data protection, according to Niamh Muldoon, global data protection officer at OneLogin.
"In reality, no footballer should be operating without it," Muldoon told IT Pro. "Along with employing a personal cyber security/data protection advisor who will alert them of the latest threats while they keep focused on playing football. This will help protect their data, as well as digital identity from misuse or abuse.
"A core component of this is having cyber security and data protection terms outlined in all contracts that their agent puts in front of them, allowing them to see transparently how their data is being collected, protected and used. This will aid them in making informed risk-based decisions when entering into contractual agreements."
This case raises interesting questions over what counts as personal data and to what extent the individual can protect it, according to Frank Jennings, a lawyer who specialises in cloud and GDPR-related cases.
"When a player in an organised club scores (or doesn't score), that becomes a statistic and is logged in the annals of the club and, for the more prominent clubs and players, is often reported as news," Jennings explained to IT Pro. "The fact a goal was scored is not of itself personal data, but it is when attributed to the player who scored. Organised clubs are usually played in front of fans and usually anyone can watch a match when they buy a ticket. Just because that personal data is in the public domain doesn't mean that GDPR doesn't apply. But player consent is not the only basis on which data may be processed. It may be possible to rely upon another ground such as legitimate interest or the exception of public interest. Players can usually prevent unauthorised exploitation of their image.
"We await to see whether they can protect statistical information too," Jennings added.
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.