The article is written by Asif Iqbal, from Centre for Juridical Studies, Dibrugarh University, Assam. This article discusses the protection of data along with reforms to aware athletes about data privacy and Proposed data protection law to defend privacy and promote growth in modern sports in India. 

Introduction

The importance of data has grown in the sector of sports like any other sector of businesses. The involvement of data comes in different purposes like analyzing their performance in a game, availing data about the information of the careers of sportsmen, health, sportsmen who are involved in fixing to earn money or consuming drugs to enhance their performance. Apart from that, the demand for products manufactured by Fitbit, Apple, or Boltt has increased in the second decade of the 21st Century. The reason behind this demand is that it releases heart beeps quickly or the number of steps taken by an individual on a busy day or manner of sleep which a person has taken after a day’s work. These features are some monitoring capabilities of wearable devices. This technology supports stakeholders in sports which includes scouts, coaches, sports federation, and others as they will store the most valuable commodity i.e. data. The foremost aspiration of data protection is to preserve the indispensable erudition from misappropriation, misuse, or corruption but the significance of assurance has increased with the demand for protection. Many nations hold the right to privacy as a fundamental right but the relationship between. A former judge of the Supreme Court headed the committee, Justice B.N. Srikrishna recommended examining the concern of data security and restricting the misuse of data which occurs through an unapproved passage. 

Athlete data

The value of the sports industry expects an increase from 488 billion USD in 2018 to 614 billion USD in 2022. The technology accessed by the present world in sports has sanctioned us to segregate in making computations to give well-defined outlining. The estimates comprise data about physiological to genetic data and infrequently there is an erudition alien to a sportsman. This knowledge and technology have extended the solicitudes of the Sports Federation and others by which they can adjust the method of training and nutrition devoured to improve muscle.

Reforms to aware an athlete of data protection laws

As mentioned in the previous section about the increase in the value of the sports industry and wearable gadgets by 2022, it requires structural reforms to make an athlete aware of the advantages of data protection laws. The awareness should be in terms of the right to access and right to cease the data for processing. These talks cannot spring until and unless we don’t disclose to them about acquiescence and the word is amphibolic. Conceivably, the athlete should increase their perception about where and when their data are taken along with the custom of processing and storage. The structural reforms must consider using lucid language rather than jargon because many athletes aren’t educated about data and storage. 

The General Data Protection Regulation (GDPR)

The European Parliament and Council permitted the legislation of the General Data Protection Regulation (GDPR) which replaced Data Protection Directives (DPD) in 2018. The requirements which are mentioned in the legislation are essential in terms of the privacy and protection of data. The legislation of GDPR is essential because the implementation will be over all the members of the European Union (EU) and prohibited the members of the European Union to write their legislation for data protection and privacy. The legislation has 11 chapters and 91 articles but in these, some articles are important from the preview of data protection and privacy. 

1. Article 23 and 30 mentions the imposition of measures on companies as they will have to protect the data of consumers against the loss of privacy or exposure to a third party.
2. Article 33 and 33(3)(a); the assessment of data protection and its impact on people will be addressed to make an identification on the risk of consumer data. This identification of risk has to be sorted through data protection compliance reviews. 

Companies will have to pay higher penalties in non-compliance to processes as provided in the legislation of GDPR. The fine of companies will be from 2 per cent to 4 per cent of the total turnover at the global level or 10 to 20 million in Euros or whichever is higher. 

There can be over 15 million data sets which can be recorded in a 90 minutes football match. A club provides wearable technology and it is embedded in clothes to monitor the performance of their players. The monitoring happens during the training session or game days by clubs or federation in which they try to collect the metrics like Speed, Heartbeat, fatigue, and hydration. The technology has improved for tracking and contributes recommendations for reform to footballers or any other athletes in their enforcement. The prominent resolutions of clubs of several premier leagues are superimposed on data analysis and monitoring of an athlete will contribute an update on injuries that may occur or advisory on treating the injury. A club must receive consent from athletes to record some aesthetics and it happens through contracts.

Consent should be understandable to dissect the health, genetic and biometric data of a player. The European Data Protection Board 2019 reflected on the Guidelines of 2019; often support isn’t taken by clubs to observe the entire team because a professional may be pressurized to give assent. The quintessential segment of data protection in modern sports should be the encryption and anonymization of data. 

Transparency and limit of consent

The principle of transparency in data protection says that the general public should receive details in a lucid, concise manner and information should be transmitted in an electric form. Transparency, as a word, received attention in this era of post-truth, and Article 5 of GDPR mentions that the data of consumers needs to be processed in the presence of principles. The data will have to be processed in a legal manner which should be fair and transparent in association with the subject. Furthermore, the reason to collect data should be specific and explicit but restrains the incompatible data for processing. The processing of data is allowed for archival purposes which are in the interest of the public; the subject concerns science, history, or research under Article 89(1). The responsibility will be relied upon by authorities to ensure that data which are used are accurate, necessary, updated, and reasonable care are required, whereas, there should not be any delay in erasing or rectifying those data which are inappropriate. 

Article 13 of GDPR provides that the identity details of the controller should be provided to consumers, and wherever possible the details of the representative must be shared with consumers. The details about the data protection officer, purpose to process the data of a person need to be informed to the necessary person. Paragraph 2 highlights the insurance which needs to be given for transparent processing of personal data should be obtained from the controller. The information about the period for which the data will be stored to be shared with the consumer and there is an availability of the right to request to the controller which allows access or rectifying or restraining the processing of personal data and complaints can be lodged to the supervisory authority. 

The model which has been constructed by the European Parliament for data protection provides active consent and wherever it is possible the permission to process the data should be explicit rather than implicit. The consent to data processing should be valid; otherwise, the bodies will not have a lawful basis to process the data. Moreover, the right to be forgotten is provided in Article 17(1) which allows the participants to make their data erased by the participating bodies.

Sport clubs and organizations prepare for the new General Data Protection Regulation (the “GDPR”)

Football clubs store the personal data of their fans, employees, and others. Football clubs need to have data which is an asset for them to ensure progress and engagement as per the market for endorsements. The assent to the General Data Protection Regulation by the European Parliament and Council has radically transformed the manner of data protection performed by professional clubs of their players. The regulation which was passed in the European Parliament applies to a person who controls the data and processors; a person who collects the information of players and their employees and others. A controller is a person who decides how and where to use the processed data. Processors are individuals who process the data on behalf of the Controller. 

As per the guidelines of data protection:

1. The organization will have to keep the records of data provided to them for processing and legal usage.
2. If an act of an organisation affects the privacy of a consumer or player, then they can make a complaint in the office of the data protection commissioner. Fine shall be imposed on failure to report the breach.
3. A structured, readable format will be provided to an individual but the situation will arise in rare circumstances. Data portability is essential for those athletes who are transferred from one club to another.
4. Employees and players playing for a club should be ensured about the holding of their sensitive data from the management of the club.

There are steps which sports club can take to protect the data of professional players:

1. Privacy policies need reviewing.
2. Processing of notices of clubs needs to be fair to ensure the specifications for transparency supplied. 
3. Instalment of an appropriate system that can deal with the request for data access or right of erasure which can be dealt with adequately. 
4. A relevant system that can deal with the situation of breach of data protection. 
5. Auditing of data and analyzing the reason why the club was holding it and determining the lawful purpose.
6. The manner to get consent from players or employees and whether the process of consent is as per Article 7 of GDPR. 
7. Ensuring the system is there to safeguard the sensitive data and how the club processes it.
8. Data protection governance needs to be reviewed.
9. Data security measures to be reviewed for ensuring the security of personal data. Clubs need to make employees aware of complaints about their breach of information along with the information of players to be updated. The electronic documents of players encrypted and passwords are protected. 

Processing of special categories of data

Processing of special categories of data is required because the personal data is at stake and the protection of sensitive data is essential. The processing of sensitive data needs to be performed lawfully as per Article 6 and 9 of GDPR as the latter mentions separate conditions for processing. 

Special categories distinguished in GDPR in the following ways:

1. Racial or ethnic origin
2. Political opinion
3. Membership of trade unions
4. Biometric data
5. Health reports
6. Sex life
7. Sexual orientation

The rules for processing the data need to be transparent, lawful, fair and complies with the principles provided in GDPR. The conditions provided in Article 9 of GDP for special categories are:

1. Interests
2. Consent needs to be explicit
3. Social protection
4. Bodies working in a non for profit manner 
5. Claims in a legal way
6. Public health
7. Research by keeping the public in mind. 

Proposed data protection law to defend privacy and promote growth in modern sports in India

The revolution of privacy and technology in India originated in the late 1990s. The case of K.S Puttaswamy vs. Union of India addressed the content of Privacy to embellish as there have been cases resolved by the same court in instances like telephone tapping (PUCL), Customer relationship (Canara Bank), disclosure of HIV patient status (Mr X vs. Hospital Z), rights of transgender in NALSA case and others. The judges highlighted whether privacy is constitutional. The leagues in India are developing and management requires players who are less prone to injuries and could repay the money paid through their performances. The Indian Premier League receives endorsements from different enterprises and to make it more successful it also requires the involvement of fans, which had drastically increased after India had won the Twenty-20 World Cup in 2007 held in South Africa. In a decade, various leagues introduced facilities to make their players fit, and these have been implemented during the training for international games. 

The Personal Data Protection bill, 2019 proposed by the government in Parliament didn’t bring the issue concerning impairment to privacy in the data economy of India. The proposal framed is precautionary and oversupplies invasion; grants fervour by which the government can monitor over the activities of people. Moreover, it will not critical personal data to different countries will not be shared; there will be certain criteria that would be necessary to share with third parties. If it was legislated then it could have increased; the acquiescence expenses for businesses beyond the economy and privacy go diluted. The power is in the hands of the government to bypass the provision of the bill and adds about personal, sensitive, and critical personal data. The information about the health of sportsmen stored as sensitive personal data and the said provision will be implemented. The data of a sportsman collected termed as data principal and clubs or organization which collects or stores such data are data fiduciaries. Section 11 of the bill mentions that the processing of personal data of data principals is not allowed until and unless they do not make the consent; the meaning of consent is the same as provided in the Indian Contract Act 1872, informed, specific, clear, and capable of withdrawal.

The bill mentions rights that can be used by the Sportsmen to protect and decide how their data is used by fiduciaries. The rights include:

1. Data portability
2. Right to be forgotten
3. Right to correction and Erasure
4. Right to confirmation and access to personal data.

The sportsmen can approach the data protection authority if there is a breach of data protection by clubs or sports federations. The bill will incur the rights of sportsmen but the difficulty may arise for exceptions given to the government. 

Legal framework for data protection to balance the imperatives of protecting the privacy 

There is a requirement to sort out the problems added in the bill for data protection as there is an undue power given to the government and doesn’t require permission to accumulate data from consumers. The government can allow their agencies to opt-out of the requirements as provided in the bill. The primary reason is that the data has grown exponentially and will be growing. The government and Data Protection Act (DPA) to prioritize the aim needs, the power mentioned in the framework gives DPA to create substantive additional requirements, clarify legal obligations, and impose penalties upon defaulters. The powers and functions rendered to DPA are broad; the institutional structure needs to ensure that the custom of functioning is translucent and should not misuse their discretion. The regulatory framing power of government and the respective authority should pass through adequate checks and balances. A state should have a general administrative framework which will make the agencies of government to consult the stakeholders. 

The addition of notice and consent to collect data in the bill along with significant obligations to process data. Although, these may not protect a consumer from data infringement but increases a moral hazard and overestimates the benefits of privacy regulation. The bill should not miss trade-off users along with understanding the subject of empirical study. The definition of word harm should be explicit. The probable points in the framework to ensure productivity growth and innovation should be:

1. No processing of data without consent
2. Reduction in the uncertainty for regulation.
3. An obligation is imposed upon those who don’t process-intensive data or sensitive personal data. 
4. Power to exempt and safeguard agencies of government shouldn’t be enumerated with the government or superior authority. 
5. The authority should not determine the right to access or forget and others along with destination restrictions. 

                  

Issues of data protection before testing athletes for COVID-19

At the outbreak of Coronavirus, the World Health Organisation (WHO) propounded the slogan “Tracking, Testing, and Tracing to combat”. This initiative requires collecting and sharing data but the privacy regulation of Europe and USA disallows without consent of data principal. The policies on privacy which are existing may not be appropriate for the current purpose. It is mandatory for the Council in Europe or any other place to structure a supplementary notice to protect the infringement of data. A group of senators representing Republican raised their voice to discuss on COVID-19 Consumer Data Protection Act highlighting, Privacy of an individual during a crisis remains critical. The bill adds about protecting personal health information as well as data for proximity and geo-location. The Government at various levels has decided to reopen stores, businesses, and others which will increase the probability to collect the health data and its sharing to various third parties. There are questions which should be kept in mind while dealing with privacy or data sharing as principal:

1. Context of data collection.
2. Purpose of testing or monitoring of health
3. In the context of data collection, what are the legal requirements and exceptions applicable to this pandemic or not.
4. What are the guidelines provided by the government on data collection?
5. What data is being recorded?
6. Is there any impact on retention policy due to data collection?
7. The data collected from a patient for testing is informed about the use and how will the DPA test of that patient be retained.
8. Guidelines to share the results of patients
9. How secure is the process of data collection?
10. Is the data processing infringes the sensitive data of a patient after sharing with a third party?

Conclusion

The government and DPA to prioritize the aim needs, the power mentioned in the framework gives DPA to create substantive additional requirements, clarify legal obligations, and impose penalties upon defaulters. The rights include:

1. Data portability

2. Right to be forgotten

3. Right to correction and erasure

4. Right to confirmation and access to personal data.

The sportsmen can approach the data protection authority if there is a breach of data protection by clubs or sports federations. The quintessential segment of data protection in modern sports should be the encryption and anonymization of data. The right to be forgotten is provided in Article 17(1) which allows the participants to make their data erased by the participating bodies.

References

• https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/#:~:text=Special%20category%20data%20is%20personal,not%20have%20to%20be%20linked.
• https://iapp.org/news/a/privacy-questions-for-covid-19-testing-and-health-monitoring/
• https://carnegieendowment.org/files/Burman_Data_Privacy.pdf

---

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: