By Tom Barnard, Ted Powell and Douglas Kitchen

Last year, a group of 850 players headed by former Cardiff City manager, Russel Slade, threatened legal action against large gaming, betting and sports data companies for misuse of their personal data under the General Data Protection Regulation (GDPR). The action dubbed ‘Project Red Card’ alleges that these firms have profited from the use of player’s personal information and performance statistics without their consent. ‘Letters before action’ have been sent to 17 major firms; while another 150 potential targets have been identified.

The individuals involved include current and former players and managers from the Premier League all the way down the football pyramid to the National League, as well as the Scottish Premiership. It’s estimated that even a lower league player would have 7,000 pieces of information relating to their performance statistics that were being used and monetised by firms, for purposes such as calculating betting odds.[1] 

It was also announced that up to 50 Scottish footballers were threatening action against the Scottish Premier Football League as part of ‘Project Red Card’. The aim is to receive compensation for the profits the league has made by selling their data.

Is there “personal data”?

Under Article 4 of the GDPR, “personal data” means any information relating to an identified, or identifiable natural person. Therefore data clearly linked to an individual’s activities may be “personal data”. In light of this, Global Sports Data and Technology Group (GSDT), the action group representing the players, has argued that “personal data” extends to a player’s performance statistics including goals scored, distance covered and passing accuracy, as well as player’s physiological attributes such as height and weight. 

Interestingly, the GDPR rules still apply to personal data that is already in the public domain. This means that the firms collecting the performance statistics could still be in breach of the GDPR, notwithstanding the fact that the viewing public may be able to find and understand many of the performance statistics themselves.

If a player’s performance statistics amount to “personal data”, the firms will have to show that one of the six lawful grounds for processing personal data applies. If not, there is a risk the firm’s activities will be in breach of the GDPR.

What lawful grounds might apply?

In order for the collection of this data to be lawful, firms will have to show that they fall under one the six lawful grounds for processing personal data under Article 6(1) of the GDPR. The grounds most suitable in this instance are likely to be:

  • where the individual has given consent to the processing of their personal data for one or more specific purposes;
  • where processing is necessary for the performance of a contract to which the individual is a party; and/or
  • where processing is necessary for the performance of a task carried out in the public interest  or legitimate interests.

GSDT has argued that the processing took place without the players knowledge. As a result, firms may struggle to show evidence of consent and alternative grounds may therefore need to be considered.

In relation to the contract ground, image rights deals have been used in contracts for decades and firms could seek to assert that these rights extend to performance and tracking data, meaning that the “performance of a contract” ground applies.

The legitimate interests is most likely to be an appropriate basis where the data is used in ways that people would reasonably expect and in a way which has minimal impact on the privacy of the individuals whose data is being collected. It could be argued that professional players should expect their statistics to be collected and processed, due to the public and commercial interests in their performances. In addition, the processing of this data is likely to have minimal interest on their privacy, as long as the statistics relate to information in the public domain (such as minutes played and goals scored).

What about special categories of data?

Article 9 of the GDPR sets out special categories of personal data, this includes data concerning health which may cover information about a player’s injury record, underlying health issues, surgeries, prescriptions and mental health.

In order to lawfully process special categories of personal data, firms would have to satisfy one of the additional, narrower, specific conditions outlined under Article 9 of the GDPR. These conditions are specific and detailed, meaning that firms should consult the precise wording of Article 9 when seeking to rely on one the conditions. In light of this, firms should take extra caution of collecting data relating to a player’s health.

The impact 

‘Project Red Card’ has the potential to have wide-ranging consequences in football and many other sports. It’s likely to increase awareness of GDPR issues in sport which could lead to a sport-wide reshaping of how data is collected, traded and used.

As a result, any firms collecting, trading and dealing with data relating to athletes should reassess their processing activities to ensure they are lawful. This might involve seeking consent from athletes to use their data and/or renegotiating image rights deal to properly address data protection issues.

Governing bodies, leagues and clubs should also reconsider the commercial deals they enter into, so they reflect the fact that they involve the use of personal data of the athletes they represent.

Athletes across all sports should also take time to understand their rights under GDPR and consider whether their personal data is being misused. They should also ensure that their interests are properly protected when negotiating agreements relating to the use of their personal data and/or consenting to their personal data being used.


If you’d like further information on GDPR issues in sport, please contact Tom Barnard, Ted Powell or Douglas Kitchen.


[1] https://www.bbc.co.uk/news/uk-wales-58873132.amp