The Fight for Control of Performance Data: Is Project Red Card Headed for an Early Bath?

September 5, 2023 Reports and White Papers

The world’s most valuable resource is no longer oil, but data. With the ever-increasing commercialisation of sport, sports data has unsurprisingly become valuable not only to players, coaches, clubs and national governing bodies for the purpose of analysing and optimising player performance, but to fans as part of their general consumption of sport (which includes gambling, gaming and playing fantasy sports), as well as the companies exploiting sports data, such as broadcasters and bookmakers.

However, the increased collection and utilisation of sports data has raised the question of who owns such data, whether it can be classified as proprietary and/or ‘confidential’, and whether athletes’ consent is required to use such data.

Most recently, claims have been brought by over a thousand football players, rugby players and cricketers as part of a campaign referred to as ‘Project Red Card’ (discussed further below), which aims to control the processing of players’ personal data without their consent.

What Laws Govern Sports Data?

1. Data Protection Laws

The two main pieces of legislation that govern data protection law in the U.K. are the U.K. General Data Protection Regulation (the U.K. GDPR) and the Data Protection Act 2018 (DPA 2018).

Under the U.K. GDPR, personal data means any information relating to an identified or identifiable natural person. The U.K. GDPR sets out the lawful grounds of processing personal data and any organisation which collects personal data must have a lawful basis for doing so.

The three most applicable grounds for the lawful processing of athlete data under the U.K. GDPR are if:

  1. such athlete has given their clear consent to the processing;
  2. the processing is necessary to meet a contractual obligation (for example, if a football club has entered into an agreement with a player for the processing of his or her performance data); or
  3. there is a legitimate interest, whereby there is a clear benefit to the processing, and the data is used in ways an athlete would reasonably expect, in a way which has minimal impact on the privacy of such athlete.

Athlete performance data is, amongst other purposes, used to assess the physical, mental and technical attributes of an athlete. In a football player’s case, this can range from their weight and height, to their number of match appearances, goals scored, passing/shooting accuracy and fitness statistics. As an example, data shows that in the 2022/23 Premier League season, Liverpool FC player Mohamed Salah averaged 30 passes per match, with a pass completion rate of 79%. On one hand, this data is observable and public, and viewers of the sport may conceivably be able to calculate these statistics themselves. However, players such as Salah may argue that this data is personal to them as it is data they have generated and it distinguishes them from other players, meaning they should own such data and enjoy the right to prevent its use and exploitation by third parties, should they so elect.

The U.K. GDPR also sets out “special category” personal data, which includes biometric data (data relating to the physical/physiological or behavioural characteristics of an individual), as well as health data (data relating to the physical or mental health of a natural person). The wider U.K. GDPR “lawful processing” grounds do not apply to special category data and instead, the processing of such data is prohibited unless one of the narrow conditions of Article 9 of the U.K. GDPR apply. The conditions for processing special category data are as follows:

  1. the data subject has given their explicit consent to the processing;
  2. the processing is necessary for employment, social security and social protection (if authorised by law);
  3. the processing is necessary to protect a person’s vital interests;
  4. the processing is carried out by not-for-profit bodies and is related to its members;
  5. the data has been made public by the data subject;
  6. the processing is necessary for bringing legal claims or judicial acts;
  7. reasons of substantial public interest (with a basis in law);
  8. the processing is necessary for a purpose relating to health or social care (with a basis in law);
  9. the processing is necessary for reasons of public interest relating to public health (with a basis in law); and
  10. the processing is necessary for archiving, research and statistical purposes (with a basis in law).

In the context of performance data, biometric data may include details of a player’s injuries, medical conditions, or even the heart rate of a player about to take a penalty. It follows that details of the injury Salah sustained during the 2022 FA Cup final could, on its face, be classified as biometric data. If that is indeed the case, then the Liverpool forward’s consent may be required for its use/exploitation, as none of the other conditions of Article 9 of the U.K. GDPR would apply.

Processing Personal Data Without Consent - Lloyd v. Google (2021)

In Lloyd v. Google, Mr. Lloyd (Lloyd) brought a claim against Google under sections 13(1) and (2) of the 1998 Data Protection Act (DPA 1998; the precursor to the DPA 2018), which provided for a right of compensation where an individual suffered “damage” or “distress” as a result of a data controller breaching a provision of the DPA 1998. Lloyd alleged that Google had breached its duties as data controller to over 4 million iPhone users in England and Wales, due to the use of a browser cookie (which activated upon users visiting certain websites) without their knowledge or consent. This information was used by Google for targeted advertising purposes and generated profit for Google as a result.

The relevant issues the U.K. Supreme Court needed to decide were whether:

  1. damages were recoverable under the DPA 1998 for loss of control of data, without the requirement of identifying pecuniary loss or distress; and
  2. representative actions (i.e. one or more people, in a group of people with the same grievance, taking legal action representing the group) are an appropriate method for bringing such claims.

The Court held that the term “damage” meant something more serious than “distress”, and rather that “damage” meant material damage such as financial loss. It followed that the wording in section 13 of the DPA 1998 did not entitle the parties to be compensated merely for a “loss of control”, which was less serious than distress.

In relation to representative actions, the Court reiterated that these could only proceed if no individualised assessment is needed between those in the represented class. Each class member would need to have the “same interest” in the claim. In this case, it was relevant to consider factors such as how long Google had been monitoring a user’s activity, as well what it had done with the data collected, which varied from user to user. Therefore, individualised assessment was deemed to be necessary, and it was held that all users did not have the same interest in the loss that flowed from the data breach.

If Lloyd’s claim had succeeded, the judgment would have set a major precedent; if businesses were deemed to have caused a loss of control over an individual’s personal data, they could have faced severe financial consequences. The judgment reinforced the idea that not every data breach/unlawful processing of data will entitle affected parties to compensation, and that representative actions may not be suitable for data protection claims.

Project Red Card

Rightsholders in sports, such as clubs and event organisers usually obtain the rights to use players’ image rights and data to promote the relevant club/event as part of their contracts with such players.

In the context of football, the Premier League’s Standard Player’s Contract grants clubs the right to use a player’s image (defined as any characteristics of the player) for a broad range of purposes including in relation to products or services which are endorsed or produced under licence from the club. Certain third parties would then be licenced by the club/event organiser to gather data (for example, Football DataCo in the context of football), and these third parties would then licence the data to betting and gaming operators.

However, athletes have increasingly scrutinised this process and are speaking out against the way their data is being used, as seen in Project Red Card.

In 2020, it was announced that a group of over 850 current and former Premier League, English Football League, National League and Scottish Premier League players, led by ‘Global Sports Data and Technology’ (an organisation co-founded by former Cardiff City manager Russell Slade and Jason Dunlop for the purposes of understanding the governance associated with sports data), planned to bring claims against numerous data collection firms for their violation of data protection legislation in the U.K., on the basis that players’ performance data is being processed unlawfully. The action is now being brought on behalf of over 1400 sportspeople in the U.K., with professional cricketers and rugby players recently joining.

Those involved in Project Red Card claim that they have not consented to the use of their personal performance data for the benefit of data collection, gambling and gaming firms. Whilst they do not oppose the use of such information, they seek to put in place agreements and processes to manage their personal data rights.

The issues raised by Project Red Card are intriguing and include the following key questions:

  1. Is the data processed personal data (as defined in the data protection legislation) or merely observable data derived from viewing players perform in public matches?
  2. If the data is personal data, does it fall into the category of biometric data which can only be processed under limited grounds (including consent)?
  3. What is the basis of processing the data? Although players are claiming they did not consent to the use of their data, the contracts with their clubs will need to be analysed to determine whether this is the case. Further, as football is a heavily commercialised sport, it may be unrealistic to propose that players should not reasonably expect their personal data to be collected and used by betting and gaming operators.

2. The Law of Confidence

For information to be deemed “confidential” according to common law, the information:

  1. must have the necessary quality of confidence – it should not be generally known by the public, or to persons who are skilled/have extensive knowledge of the relevant sport;
  2. must be shared in circumstances conveying an obligation of confidence – the reasonable person must realise that the information was given to them in confidence; and
  3. must have been used without authorisation, to the detriment of the party communicating it.

In recent case law, the issue of whether exclusive live sports data may be protected by a right of confidentiality has arisen.

The Racing Partnership Limited & Ors v. Sports Information Services Limited (2020)

This case involved The Racing Partnership (TRP) entering into an agreement that granted it the exclusive right to collect and supply horseracing data from certain racecourses to bookmakers. This was a lucrative opportunity for which TRP was willing to pay substantial amounts.

TRP discovered that Sports Information Services (SIS) had been supplying similar data from the same racecourses, and one of the sources of this data was from The Tote, a well-established betting operator in the U.K. TRP argued that The Tote was not permitted to collect such data and provide it to SIS, as this right belonged exclusively to TRP.

TRP advanced a breach of confidence claim, arguing that SIS’s use of information relating to the course and the relevant races constituted misuse of confidential information.

In the court of first instance, SIS was found to have acted in breach of confidence, as TRP had the right to impose restrictions on the use of the data which was of commercial value. It was also found that a reasonable person in SIS’s place would have acknowledged that The Tote acquired the data in circumstances importing an obligation of confidentiality.

However, the Court of Appeal decision overturned the court of first instance judgment and held that, because the key racing data was broadcast immediately to the public, it was difficult to conclude that the data had the necessary quality of confidentiality about it, despite it being of high commercial value. It was left open as to whether other conditions could be created in which a right of confidence may exist. There was also no basis for a finding that a reasonable person in SIS’s position should have known that the information it obtained from The Tote was confidential.

The Supreme Court granted permission to appeal the Court of Appeal’s judgment, but the case is reported to have settled.

Genius v. Sportradar (2022)

In 2019, Football Data Co (FDC) granted Betgenius (now Genius Sports) (Betgenius) an exclusive five-year license to collect live data from all English and Scottish professional football matches to distribute to bookmakers internationally. As part of this exclusive arrangement, Betgenius and FDC actively attempted to stop other data analytics organisations from collecting live data in stadiums.

As FDC was the sole provider of official live data in the Premier League, English Football League and Scottish Professional Football League, Sportsradar, a competitor of Betgenius, brought a competition law claim against it. The claim challenged the legality of granting the exclusive licence to Betgenius, which, it was alleged, restricted competition and access to the market for live football data in the U.K. Sportsradar continued to collect data to licence to betting operators in competition with Betgenius.

In response, FDC and Betgenius filed a High Court claim against Sportsradar claiming that the data collected was confidential information and/or a trade secret and that Sportsradar’s activities therefore constituted a breach of confidence. They argued that the live match data was confidential as the right to collect data from inside clubs’ stadia was more advantageous than collecting such data on TV, which is slightly delayed. Even though the delay from a TV broadcast is relatively brief (a matter of seconds), they argued that this margin created the commercial value for betting operators, and therefore the information has the necessary quality of confidence.

Unfortunately, for legal practitioners, the case settled, which leaves the questions surrounding confidentiality in live sports data and the position post-TRP v. SIS unanswered.

Looking Ahead

The claims being brought in Project Red Card remain untested in the U.K., but if the action progresses, it has the potential to fundamentally change the way in which athletes are able to control the utilisation of their own performance data.

However, Project Red Card faces a number of obstacles, particularly as a result of the U.K. Supreme Court ruling in Lloyd v. Google, which held that a claim for damages for the unlawful processing of data under the data protection legislation in the U.K. can only be made if the data subject has suffered some form of material damage, such as financial loss. For example, it may be difficult for football players to claim that they suffer financially as a result of their performance data being processed. In fact, it is arguable that the value of a player’s performance data (as is the case with their image rights) is already reflected in their contract with their club.  It is still unclear if Project Red Card will be brought as a representative claim, but the Lloyd v. Google judgment will also present a further obstacle to this, as every player will not have “same interest” in the claim.

Regardless of the outcome of Project Red Card, stakeholders in the sports industry should be mindful of how they seek to exploit sports data in light of the recent breach of confidentiality claims brought in TRP v. SIS and Genius v. Sportsradar, as well as the lawful bases they intend to rely on to process personal performance data, as it becomes increasingly valuable and as its ownership becomes a point of contention.

Our Sports, Media and Entertainment team will continue to look for developments on this matter and share additional insight as things progress.

Contact Us
  • Worldwide
  • Boston, MA
  • Chicago, IL
  • Denver, CO
  • Dublin, Ireland
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • London, England
  • Miami, FL
  • New York, NY
  • Orange County, CA
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
  • Washington, D.C.
  • Wilmington, DE
abstract image of world map
Boston, MA
800 Boylston St.
30th Floor
Boston, MA 02199
Google Maps
Boston, Massachusetts
Chicago, IL
100 North Riverside Plaza
Suite 1500
Chicago, IL 60606-1520
Google Maps
Chicago, Illinois
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Dublin, Ireland
Fitzwilliam Hall, Fitzwilliam Place
Dublin 2, Ireland
Google Maps
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
101 E. High St.
First Floor
Jefferson City, MO 65101
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
7160 Rafael Rivera Way
Suite 320
Las Vegas, NV 89113
Google Maps
Las Vegas, Nevada
London, England
Royal College of Surgeons of England
38-43 Lincoln’s Inn Fields
London, WC2A 3PE
Google Maps
Miami, FL
355 Alhambra Circle
Suite 1200
Coral Gables, FL 33134
Google Maps
Photo of Miami, Florida
New York, NY
7 Times Square, 44th Floor
New York, NY 10036
Google Maps
New York City skyline
Orange County, CA
19800 MacArthur Boulevard
Suite 300
Irvine, CA 92612
Google Maps
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
222 South Main St.
Suite 1830
Salt Lake City, UT 84101
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri
Washington, D.C.
1717 Pennsylvania Avenue NW
Suite 400
Washington, DC 20006
Google Maps
Photo of Washington, D.C. with the Capitol in the foreground and Washington Monument in the background.
Wilmington, DE
1007 North Market Street
Wilmington, DE 19801
Google Maps
Wilmington, Delaware