IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Footballers seek compensation for "GDPR violating" performance data trading

Letter threatening legal action against 17 firms that use trade player data claims the practice violates EU data protection law

A player chasing the ball mid game

Hundreds of football players have threatened to take legal action against companies that use their performance data, claiming this practice is in violation of GDPR. 

850 players, led by former Leyton Orient manager Russell Slade, have demanded compensation for the trading of their data over the past six years, according to the BBC

The data is a mixture of statistics, such as goals-per-game and physical information like a player's height, all of which is being harvested and used by 17 unnamed data collection, betting and entertainment firms, according to letters sent by Slade and the players. 

Slade has previously expressed concern around the collection of performance data, and his legal team said the fact players do not receive payment for the unlicensed use of their data is actually in violation of GDPR. This could fall under Article 4 of the legislation where "personal data" refers to a range of identifiable information, such as physical attributes, location data or physiological information.

Although the letter has been sent to an initial 17 firms, Slade's Global Sports Data and Technology Group has actually highlighted more than 150 companies it believes have misused this type of data. If legal action is taken and the group is successful, it could herald sweeping changes for a multi-billion pound industry.

Slade's work here seems mostly for the benefit of lower league players - those outside of the lucrative Premier League - with the practice potentially affecting both the men's and women's game.

"It's incredible where it's used," Slade said to the BBC. "On one player, and I'm not talking about a Premier League player or even a Championship player, there were some 7,000 pieces of information on one individual player at a lower league football club.

"There are companies that are taking that data and processing that data without the individual consent of that player. A big part of our journey has been looking at that ecosystem and plotting out where that data starts, who are processing it, where it finishes and that's a real global thing. It's making football - and all sports - aware of the implications and what needs to change."

Regardless of any legal action, footballers should invest in cyber security insurance with additional layers of data protection, according to Niamh Muldoon,  global data protection officer at OneLogin.

"In reality, no footballer should be operating without it," Muldoon told IT Pro. "Along with employing a personal cyber security/data protection advisor who will alert them of the latest threats while they keep focused on playing football. This will help protect their data, as well as digital identity from misuse or abuse. 

"A core component of this is having cyber security and data protection terms outlined in all contracts that their agent puts in front of them, allowing them to see transparently how their data is being collected, protected and used. This will aid them in making informed risk-based decisions when entering into contractual agreements."

This case raises interesting questions over what is personal data and to what extent can the individual protect it, according to Frank Jennings, a lawyer who specialises in cloud and GDPR-related cases. 

"When a player in an organised club scores (or doesn't score), that becomes a statistic and is logged in the annals of the club and, for the more prominent clubs and players, is often reported as news," Jennings explained to IT Pro. "The fact a goal was scored is not of itself personal data, but it is when attributed to the player who scored. Organised clubs are usually played in front of fans and usually anyone can watch a match when they buy a ticket. Just because that personal data is in the public domain doesn't mean that GDPR doesn't apply. But player consent is not the only basis on which data may be processed. It may be possible to rely upon another ground such as legitimate interest or the exception of public interest. Players can usually prevent unauthorised exploitation of their image.

"We await to see whether they can protect statistical information too," Jennings added.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022