17 Nov 21

In recent years, numerous stakeholders such as gambling operators, data aggregators and wearable technology companies have recognised the commercial value of athlete-related data. However, in most cases the financial rewards from the exploitation of this data have not trickled down to the athletes themselves, which has led to pushback from some athletes. Project Red Card is one example of this pushback.

Background of Project Red Card

It has been reported that hundreds of professional football players and managers have initiated claims regarding the use of their personal data in breach of data protection legislation against several companies in the sports betting and gaming sector. Following on from data subject access requests made last year, the group of 850 individuals, led by former Cardiff City manager Russell Slade and his Global Sports Data and Technology Group, have reportedly now sent ‘letters before action’ to 17 companies alleging that their data has been used without consent and they should have control over how it is being commercialised.

There were fears that Project Red Card could open the floodgates for claims across the sporting world and potentially have a drastic impact on how data is used in the sector. The recent ruling in Lloyd v Google has, to a certain extent, calmed some of these concerns by providing valuable insight into the potential success of group claims. The outcome of Project Red Card will impact all sports and the wider data economy and should be followed closely.

Basis of the claims

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 are the legal foundations of the Project Red Card claims. In the UK, both of these laws regulate how personal data can be used. The data in question mainly concerns player stats such as goals, number of appearances, distances covered etc. although there is some suggestion that more sensitive health data may also be included.

Personal Data may only be collected and used by an organisation if there is a ‘lawful basis’ for doing so. Based on comments made by Slade, the main thrust of the claims is that the targeted organisations do not have an appropriate basis for the data processing they are doing as the players never consented to the use of their data. It is not necessarily correct that player consent is required as this is just one lawful basis of processing.
An organisation may be able to rely on processing based on their, or a third party’s, legitimate interests. The organisation would have to demonstrate that the processing they are undertaking is necessary for the interests being pursued and that these interests are not outweighed by the rights of the players as data subjects. There is no simple test for this as it is a subjective decision depending upon each situation. It is plausible that gaming and betting companies who license data directly from clubs and leagues will meet this threshold.

If the claimants are successful in demonstrating that there has been a breach of data protection laws, the question of damages arises. Mass claims based on data protection breaches have the potential to create huge liabilities as even a small individual payment can amount to a significant amount where the data subjects number thousands or even millions. Some of these fears will have been reduced due to the recent decision in Lloyd v Google.

This case concerned a group action on the basis that Google had unlawfully processed the data of millions without a lawful basis. In a move that will relieve many organisations, the Supreme Court was unanimous in its decision that the claimant should not be successful in bringing the representative action against Google. The Court held that it was incorrect that every data subject affected by a breach of data protection law should be awarded damages simply because of the mere fact that they had been the subject of a breach. To be awarded compensation, the claimants must show that they had suffered actual damage as a result of the breach, i.e. the fact of the breach and the damage suffered are distinct. Additionally, the judgment has now made it potentially more difficult for mass claims of this kind to be brought by a single representative individual.
In order to bring a claim as a representative of a class of individuals, those individuals all need to have the same interests and have suffered the same type of damage. The very nature of a breach of the type that is the subject of Project Red Card means that the individuals concerned will have been affected in different ways. Whilst they may have common ground in the fact that their data was processed unlawfully, an individual assessment would need to be made as to exactly how it was processed and thus what damages they are entitled to. This need for individual assessment makes claims for this type of breach unsuitable for group claims.

Lloyd v Google is a decision that was made in relation to activity that took place prior to the implementation of the GDPR but it is still relevant. There remains a need for individuals to demonstrate that they have suffered damage distinct from a breach. Whilst the GDPR does reference simple ‘loss of control’ to be a type of damage that may be suffered, it is untested as to whether this alone would give rise to any actual damage payable. The rules regarding group claims will remain directly relevant.

The Court suggested that claims could be brought in two stages, using an individual as a test case, followed by a mass group claim if that case were successful. Whilst this option may seem like a solution in theory, in practice it suffers from the same problem of requiring individual assessment to establish a right to damages. It is also unappealing to individuals and litigation funders as the ‘trial’ claimant would have to cover costs and suffer lengthy trial procedures on behalf of the group which may never succeed.

Practical advice

Whilst the decision in Lloyd v Google should provide some comfort to controllers of data, Project Red Card should not be ignored. Whilst a group action may no longer be as viable, there is still the potential that individual claims can succeed where they can demonstrate loss.
Anyone who has received a letter alleging any sort of data breach should seek legal advice. Additional steps that can be taken to protect against this and similar claims include:
  • Ensure internal compliance programmes are in place and up to date. Organisations should make sure that they have robust procedures in place to ensure they have an appropriate basis for processing and that risk assessments have been undertaken and recorded. Any consents obtained should also be recorded.
  • Consider checking privacy notices and other information provided to data subjects to ensure it is as clear and accurate as possible to help meet transparency requirements.
  • Review any data sharing contracts, particularly contracts that deal with the receipt of large databases or data feeds, to determine the current liability position in the event that a claim like Red Card is successful and/or the provision of data needs to change. To the extent practicable, consider whether any elements of contracts should be renegotiated.

Authors: Roisín Cregan & Flora Peel