It has been reported that pre-action litigation letters have been issued by an organisation called Global Sports Data and Technology Group Limited (GSDT) to seventeen companies who gather and use football players’ data in the betting and gaming sector. GSDT claims to represent about 850 current and former professional footballers. The basis of the claim is that the defendants are processing the footballers’ personal data in breach of data protection laws.
The case doesn’t just affect Football but has the potential to set a precedent for the use of player data in any Sports. That data obviously has value, and many Sports derive substantial revenue from its use in betting and gaming, including in Cricket, Tennis and Rugby. This briefing explains what the GSDT claim is about, its merits, how it might play out and the implications for the Sports sector more generally.
Who is behind these claims?
The claims, dubbed “Project Red Card”, are led by former football manager, Russell Slade, and Jason Dunlop through GSDT. GSDT’s website is here.
As one of the three services it offers, GSDT says it is, “leading the understanding around the governance and incomes associated with sports data. Data is the new oil of the world and we are helping sport to understand and benefit from this. Our first project in this space is Project Red Card.” This indicates that there might be other claims relating to other Sports to follow.
Mr Slade has said that football clubs are not being targeted by the claims. Rather, part of the intention behind the claims is to educate the clubs on data issues. The clubs themselves and the Sport’s governing bodies may not be capable of being defendants anyway, given that the gathering of much of the data is undertaken by third parties licensed to do so by Football DataCo with those third parties then licensing on the data to betting and gaming operators. In other words, the clubs themselves and the Sport’s governing bodies are not controllers of that data in a data protection sense.
How are the claims likely to be structured?
The legal costs of pursuing proceedings will be substantial. It is assumed that the claims are likely to be backed by third party litigation funders looking for an investment return from any compensation awarded to the players. This has been hinted at in statements made by Mr Slade.
Press reports indicate that GSDT believe the claims by the players are worth tens of thousands of pounds individually and tens of millions of pounds collectively. We explore that below in more detail. However, the bottom line is that it does not necessarily follow that if liability is established then any compensation will approach those levels. Therefore, if the case is being funded by third parties, it might rest on shaky foundations and this is likely to be a key area of early focus for the defendants. If they can persuade the funders to withdraw then the cases are likely to collapse.
It is assumed that the players’ claims have either been individually assigned to GSDT or collective litigation will be launched by the players against the various defendants, most likely using a Group Litigation Order (GLO) mechanism. GLOs are opt-in, with individuals deciding to join in the action. There is no indication that this will be a representative claim, where one claimant represents all potentially affected players (which would run into tens of thousands of individuals). In any event, that would prove very difficult to launch given that every player would be unlikely to have the necessary degree of “same interest” in the outcome.
Who are the defendants?
It seems likely that if the claims are being brought against companies who are operating through schemes licensed by the FA Premier League, the Football League and the Scottish Premiership to collect and use the players’ data, then who conducts the defence of those claims will be determined by the contracts under which the data is licensed. This may lead to a consolidation of the grounds of defence rather than each of the defendants acting separately.
Where some of the defendants might be using unlicensed data then the position is different. Those defendants might feel more exposed to liability because they are not within an existing licensing scheme where use of the players data might be more readily expected by the players. Though claims are being brought against seventeen defendants, Project Red Card say they have identified about one hundred and fifty prospective defendants. It is feasible that some of those will be “unlicensed”.
Defendants would need to be caught by the provisions of the UK’s data protection laws. This is likely to be based on their “establishment” (or location) in the UK. It does not matter for these purposes that some of the players might not be UK citizens or located in the UK. Data protection laws benefit individuals regardless of such factors.
The merits of the claims
The claims are reported to be proceeding on the basis that the use of the player data by the betting and gaming defendants contravenes the UK General Data Protection Regulation and UK Data Protection Act 2018.
Claims are made that the data is being used without the players’ consent. In addition, it is claimed that the data is sometimes inaccurate and can be damaging to players in that respect. Compensation is sought for use of the data going back six years, which is the limitation period for bringing such claims.
Analysing the claims, these are likely to be the key considerations:
- Is this personal data? The data typically includes number of appearances, goals scored, assists, tackles made, percentage of accurate passes, distance covered, positioning on the pitch etc. It seems difficult to say that this observed data is not personal data.
- What type of personal data is it? This is an important question because if the data can be said to concern health then the lawful grounds for processing are more limited. The data described above does not seem to concern the health of the players. It is instead data obtained from observing the players performance in a match. There is a suggestion that some of the data might extend to more detailed information gathered by the football clubs about the underlying health of the players. If that is being shared with and used by betting and gaming defendants, this does present more of an issue as we explain below.
- Having determined what the data is, it is then necessary to assess what the basis for using (or “processing”) it, is. The claims seem to be proceeding on the basis that the players need to consent to the use of their data by the betting and gaming defendants. There may well be a factual issue about whether the players have already consented to the use of their data in this way through contracts with their football clubs. However, even that is not straightforward as there is an argument that employees are not in a position to truly consent to the use of their data in an employment context due to the imbalance of power between employers and employees.
- A further ground for argument is that there is a degree of unreality to the proposition that the players cannot be said to have consented when we are dealing with data derived from observing them while playing football matches in public. It is unrealistic to suggest that the players are not aware that this data is being collected and what it will be used for, ie in the betting and gaming sector. That is now so engrained in the financial structure that underpins football (and helps to pay players’ wages) that it is simply part and parcel of appearing on a very public stage. For example, are these arguments about use of players’ data to be extended to asserting greater control over the broadcasting of players’ performance?
- However, this ground of argument is less convincing perhaps when it comes to “unlicensed” use of players’ data because that does not directly generate income for football (and players’ wages). Therefore, one consequence of these claims may be to support the licensed use of player data, driving greater revenue into football and benefiting players indirectly in that way.
- Even if the players cannot be said to have consented to the use of their data, this is only one basis to lawfully process that data. The defendants are instead likely to rely on the legitimate interests basis for processing. This provides that processing is lawful if it is necessary for the legitimate interests pursued by the user or by someone else, provided that these legitimate interests are not overridden by the interests of the individuals concerned. We can see a good argument that the use of licensed data for betting and gaming is strongly in the interests of the defendants, as well as the football governing bodies and the football clubs, in terms of the revenue it generates. Of course, some of that revenue also filters down to the players directly in terms of wages, but also benefits the players more indirectly in helping to support the infrastructure which underpins the football leagues and gives the players a platform to perform on. The reported suggestion by Project Red Card that players have not benefited from this seems doubtful.
- As highlighted above, more difficult is the situation where health related personal data might be processed. It seems unlikely that information about player injuries and the length of any lay-off will be an issue. That is widely reported and known about (although the fact that information is in the public domain does not mean that data protection law does not apply to it). More to the point, if that was the only basis for complaint, then it seems unlikely any claims would be being made. However, if more sensitive information is being used by the defendants relating to the underlying health of players, then the additional special grounds to process this data set out in Article 9 of UK GDPR are not obvious. The clubs would have a basis to gather and use this data as employers, but it is difficult to see what basis there would be for sharing this data with betting and gaming operators for them to use without the players explicitly consenting to this.
Use of Data Subject Access Requests
We would assume that the players will have ascertained what data is being used by the defendants by issuing them with Data Subject Access Requests (DSARs). That would seem to be an obvious precursor to bringing any claims, and a tactic likely to be used should other Sports be targeted. So this is something that perhaps those using data in Cricket, Rugby, Tennis and other Sports should keep a careful eye on as an indicator that similar claims could be on the horizon.
Are privacy notices an issue?
However, even if the defendants have a lawful basis to process the data, there are requirements to inform individuals about who is processing their data and for what purposes. This is called transparency. The strict position is that when an organisation receives the personal data it is required to inform the individuals concerned, usually by issuing them with a privacy notice. There are exceptions where the individual already has the necessary information, or it is impossible or involves disproportionate effort to let them know.
An example of a privacy notice issued by the Premier League to players and related persons is here. This privacy notice sets out that the Premier League will receive personal data from various organisations involved in the collection and licensing of player data and describes that data as “Tracking Data” consisting of data collected live at matches, eg positioning, distance run or passes made, and “Event Data” consisting of goals scored or fouls made. So, Premier League players will be aware of what data is collected about them.
However, they are not informed through these means about who specifically that data will be shared with in terms of betting and gaming operators. There is a reference in the privacy notice to sharing this data with third parties for commercial purposes, including using it in betting and gaming services, but it may be alleged by the claimants that this is too vague.
In addition, organisations that are processing personal data also have obligations to ensure that the data is accurate. The inaccuracy of some data is another cause for complaint by GSDT. However, that issue is really addressed via the ability of the players to have that data corrected under the right to rectification set out in Article 16 of UK GDPR.
The issue with all of these complaints is how they lead to any substantial compensation for the affected players. Any breaches of obligations in relation to transparency and accuracy of data are really addressed through regulatory enforcement via the Information Commissioner’s Office (ICO). It is suggested that inaccurate data might have led to actual loss to some of the players such as clubs not wishing to look at potential player transfers. However, that seems unlikely to relate to the activities of betting and gaming operators who are using the data in the course of providing their services.
It is in the area of lawful grounds to process data that compensation is a live issue if the players can demonstrate that their consent is needed to process their data. It seems unlikely that substantial compensation would be awarded for past use of their data. In the absence of any actual loss or distress as a result of the unlawful use of data, the players might say that the mere infringement of their rights, or “loss of control” over their data, should lead to some compensation or at least the ability to deprive the defendants of the profits that have been made by the use of their data in the past. Whether such claims can proceed is currently in issue in the Lloyd -v- Google case where a decision is due to be handed down by the UK Supreme Court on 10 November 2021. Even if those claims are valid, the compensation due to 850 players for use of their data in vast data sets consisting of other player’s data might be relatively modest. It seems difficult to think that a case could attract third party funding on this basis.
More promising is the prospective compensation claim based on the future use of the players’ data. In the absence of consent to continued processing then the court (and the ICO) are likely to require that the betting and gaming operators cease processing the players’ data and delete it.
Therefore, we can see how the dynamic might play out that, in return for granting that consent, the players will require payment. Eight hundred and fifty players and former players might not have sufficient clout to push this through, but a successful claim might open the floodgates. Funders and others might therefore receive any share of the proceeds through this route. However, the spectre of some players (and / or their agents) negotiating over consent individually would be likely to represent a major problem for the ecosystem surrounding use of Sports related data in betting and gaming.
Who wins in the end?
There is also a sense in which the claims, if successful, will simply lead to a re-direction of the income from betting and gaming but with no net benefit to players. Yes, players might be paid directly for use of their data, but that might simply reduce the amount of money which finds its way back to the clubs who may consequently face pressure to reduce players’ wages or, more likely, image rights payments. Of course, some of that money is likely to go to the lawyers and funders supporting this claim and, in that sense, reduce the share of the pot that finds its way back into football.
We will be keeping a careful eye on these claims as the outcome may set a key precedent for a range of Sports, not only Football, especially for those Sports where data is an important part of the game and the ancillary betting and gaming industries that take place around them.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2021