Personal Data Protection Bill, 2019 and the Sports Industry
Technology has brought us closer to multiple tools and methods to stay in shape and maintain a healthy lifestyle. Various corporations like Apple, Nike Training, Fitbit, Mi, Samsung have launched bespoke devices or applications to help us track our heartbeat, our sleeping patterns or just the number of strides taken in a day. These devices and applications, mostly wearable, have completely revolutionised monitoring of physical activities for us.
Monitoring of physical levels of athletes has become necessary for the stakeholders involved in a sport like federations, clubs/teams, coaches, broadcasters, scouts, league organizers, businesses and more. Such output data collected is a key asset for organizations involved in the Sports industry for their value, growth, and development. The data is also used for training and tracking performances to enhance players’ on field performance. Such organisations are ingeniously seeking to monetize the data collected and for fan engagement. Fantasy gaming has come a long way from Pokemon, Digimon& WWE trading cards to Fantasy Premier League, Dream11 etc.
Obviously these fuel many legal complexities and issues around collection and exploitation of personal data – How is this data collected? Who owns the data so collected? What can and cannot be done with this data? Is the storage of this data secure? Is it protected? Can it be used for contract negotiations and deciding employment? Much of such issues remain to be addressed with appropriate framework safeguarding the personal data so collected by companies or organizations. Sports organizations want to control this data, players want access and control over the data, tournaments and leagues want the data for their broadcasting purposes.
This article will cover the key changes that will affect the Sports industry, rights of an athlete under PDPB, 2019, role of Government bodies and steps that can be taken by Clubs/Organizations to ensure a smooth transitioning.
Right to privacy has been long declared a fundamental right by the Apex Court in Justice K.S. Puttaswamy v Union of India, that informational privacy is a subset of the right to privacy. The jurisprudence on privacy has evolved from being valued as a right that protected other ends to being an end in itself. While deciding the case, though the court listed a long line of jurisprudence, the central deficiency in the existing jurisprudence in the court’s opinion was the lack of a “doctrinal formulation” to secure that privacy is constitutionally protected.
It is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto. The Government on 31st July, 2017 constituted a “Committee of Experts on Data Protection” chaired by Justice B.N. Srikrishna to examine the issues relating to data protection. The Committee examined the issues on data protection and submitted its Report on 27th July, 2018. On the basis of these recommendations and the suggestions received from various stakeholders, it is proposed to enact a legislation i.e. the Personal Data Protection Bill, 2019. The proposed Legislation, like the EU General Data Protection Regulations (“hereinafter referred as “GDPR”), seeks to establish a strong and robust data protection framework for India and set up an Authority for protecting personal data and empowering the citizens’ with rights relating to their personal data ensuring their fundamental right to “privacy and protection of personal data”.
The Personal Data Protection Bill, 2019 (hereinafter referred as “PDPB, 2019”) was tabled in the Indian Parliament by the Minister of Electronics and Information Technology on 11 December 2019. As of March 2020, the Bill is being analysed by a Joint Parliamentary Committee, under the Chairmanship of Mrs. Meenakshi Lekhi, in consultation with experts and stakeholders.
The PDPB 2019, in its present form, regulates ‘processing’ of ‘personal data’ of a ‘data principal’ by ‘data fiduciaries’ and ‘data processors’. Section 3(14) defines “data principal” as “the natural person to whom the personal data relates”, which would be the athlete. Teams/Clubs & League/Event Organizers would come under the definition of “data fiduciary” which means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data. A data processor is any entity or individual, who processes data on behalf of a data fiduciary, or in this case, on behalf of the clubs/leagues.
Some of the key changes that the proposed legislation would bring to the sports industry are:
Consent: Consent from the athlete must be taken by the Clubs/Event Organizers prior to the commencement of processing the personal data. Such consent should be be free, informed, specific, clear and, capable of being withdrawn. The consent shall be obtained after informing her the purpose of the processing in clear terms, after giving her the choice of separately consenting to different purposes. Goods or services, or performance of contract, or enjoyment of any legal rights cannot be conditional on the consent to the processing of personal data. Thus the PDPB, 2019 definition of consent is more flexible than that under the GDPR. Under the PDPB, 2019, the “processing of publicly available personal data” is a “reasonable purpose” for which data can be processed without obtaining consent.
Children’s Consent: Clubs & Event Organizers shall verify the child’s age and obtain consent of his parent or guardian, prior to the processing of personal data of the child. Proper care should be taken to prevent any possibility of harm to child arising out of the processing. A data fiduciary can be classified as ‘guardian data’ by the Data Protection Authority (hereinafter referred as “DPA”), who operate commercial websites or online services directed at children or process large volumes of personal data of children. The guardian data fiduciary, except the ones offering counselling or child protection services, shall be barred from profiling, tracking or behaviourally monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child. A guardian data fiduciary providing exclusive counselling or child protection services to a child shall not be required to obtain the consent of parent or guardian of the child. The ban on profiling of children for guardian data fiduciaries is broader than any similar restrictions under the GDPR as it is not limited to significant automated decisions.
Record Keeping: Clubs & Event Organizers would be required to maintain accurate and up-to-date records of important operations in the data life cycle, periodic review of security safeguards, data protection impact assessments. The PDPB, 2019 record of processing requirements are more flexible than those under the GDPR and will likely apply to a small proportion of companies subject to the framework.
Privacy by Design Policy: Such policy will be needed by Clubs & Event Organizers, containing managerial, organisational, busines practices and technical systems designed to anticipate, identify and avoid harm to the athlete; the obligations of the Clubs & Event Organizers, the technology used in the processing of personal data is in accordance with commercially accepted or certified standards; the legitimate interests of businesses including any innovation is achieved without compromising privacy interests; the protection of privacy throughout processing from the point of collection to deletion of personal data; the processing of personal data in a transparent manner; and the interest of the player is accounted for at every stage of processing of personal data. This policy needs to be certified by the authority, and then published on the website of the club/organizations and the Authority.
Transparency: Every Club & Event Organizer are required to maintain transparency and processing personal data and shall make vital information available like the purposes for which personal data is generally processed, the right of athlete to file complaint against the club/organizers to the Authority, any rating in the form of a data trust score that may be accorded, information regarding cross-border transfers of personal data that the data fiduciary generally carries out etc.
Notification of Breach: In the event of a breach of any personal data of an athlete processed by the Club/organizer, the club or organizer is required to inform the Authority by notice about the breach, where such breach is likely to cause harm to the athlete. Upon receipt of a notice, the Authority shall determine whether such breach should be reported by the club/organizer to the athlete, taking into account the severity of the harm that may be caused to such athlete or whether some action is required on the part of the club/organizer to mitigate such harm.
Sensitive Data: Sensitive data means such personal data which may reveal or be related to- financial status, health data, official identifier, sex life, sexual orientation, biometric and genetic data, transgender status, intersex status, caste or tribe etc. Consent of an athlete is required to be explicitly obtained after informing her the purpose of, or operation in, processing which is likely to cause significant harm to the athlete, in clear terms without recourse to inference from conduct in a context and after giving her the choice of separately consenting to the purposes of, operations in, the use of different categories of, sensitive personal data relevant to processing.
Third Party Processors: Sports analytics companies and businesses providing wearable technology are also covered under the definition of either ‘data fiduciaries’ or ‘data processors’, depending on their process of collection of data. They will be data processors if they collect data from the Clubs & Event Organizers (data fiduciaries) whereas if they are engaged directly by the athlete, then they will come under the definition of a data fiduciary. There should be a valid contract between the Clubs & Event Organizers and the third-party processors.
Role of Government bodies and National Anti-Doping Organisations (NADO)
To determine eligibility of athletes to represent state/country, Sports governing bodies/federations collect personal data of athletes. Various medical tests are done in cases of age fraud and for athletes with “Differences of Sex Development”. The WADA Code plays a prominent role in this domain and all Member States have, one way or another, adopted the Code in their legal system. The majority of Member States follow the WADA privacy and protection of personal information rules, either by implementing art. 6 of International Standard for the Protection of Privacy and Personal Information (hereinafter referred as “ISPPPI”) as is, or by referencing the provision in their national anti-doping law. The regulation at the level of the Member States is mostly silent about the legal foundation for the processing of personal data in the context of anti-doping. The general provisions (based on/referring to art. 7 DPD and art. 6 WADA IPPPI) are often mentioned, but which concrete processing ground is deemed appropriate or legitimate for the processing of personal data regarding athletes is lacking in most cases. In Portugal, the DPA has issued an authorisation regarding the processing of personal data for the purposes of an ‘authorisation of therapeutic treatment’. The DPA found that consent from the athlete, although present, was not necessary as the Anti-Doping Law already provided sufficient legal basis for the processing of such personal data. In Hungary, in a Supreme Court decision in a case concerning an athlete’s doping use, the judge underlined the importance of data processing being in line with data protection rules.
PDPB, 2019 permits processing of data without consent for specified State functions under Section 12. Sports governing bodies recognized by the State could fall under these bodies, but it needs further clarification. NADA and the sports governing bodies may seek approval for collecting and processing personal data of the athletes from the DPA under “reasonable purposes”.
Rights of Athletes under PDPB, 2019.
Right to confirmation and access: An athlete has the right to obtain confirmation from the clubs/organizers on whether the personal data is being processed, access the personal data processed or a summary thereof or a brief summary of processing activities taken by the Clubs & Event organizers with respect to the athlete, in a clear and concise manner. The athlete shall have the right to access in one place the identities of the Clubs & Event organizers with whom his personal data has been shared by any Clubs & Event organizers together with the categories of personal data shared with them, in such manner as may be specified by regulations.
Right to correction and erasure: An athlete has the right to correction of inaccurate or misleading personal data, the completion of incomplete personal data, the updating of personal data that is out-of-date and the erasure of personal data which is no longer necessary for the purpose for which it was processed. Where the Club & Event organizer corrects, completes, updates or erases any personal data on request of the athlete, such Club & Event organizer shall also take necessary steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion, updation or erasure, particularly where such action may have an impact on the rights and interests of the athletes or on decisions made regarding them.
Right to data portability: An athlete also has the right to receive personal data processed or data generated during performance or training, or data which forms part of any profile of the athlete or which the Club & Event organizer has otherwise obtained.
Right to be forgotten: An athlete shall have to right to restrict or prevent the continuing disclosure of her personal data by a Club & Event organizer where such disclosure has served the purpose for which it was collected or is no longer necessary for the purpose, consent has been withdrawn by the athlete or such disclosure was made contrary to the Act or any other law for the time being in force.
A Consent manageris defined in the Act as a data fiduciary which enables a data principal(athlete) to gain, withdraw, review and manage her consent through an accessible, transparent and interoperable platform. The athlete may give or withdraw her consent to the Club/Event Organizer through a consent manager, where such consent shall be deemed to have been communicated directly by the athlete. The consent manager shall be registered with the Authority in such manner and subject to such technical, operational, financial, and other conditions as may be specified by regulations.
The balance of power between individuals and organisations is constantly shifting. Through PDPB, individuals have been given greater control of their data. Once the bill has been enacted into an act, there are several compliances that the Clubs/Event Managers will have to follow while processing personal data of athletes to ensure due protection of privacy of athletes. Privacy terms/policies will have to be reviewed in addition to strictly following the process of obtaining consent from the athletes.
 (2017) 10 SCC 1
 “Personal Data Protection bill, 2019,” Pub. L. No. 373 of 2019, accessed 5th July, 2020., 2019, http://184.108.40.206/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf
 Section 3(13)
 Section 3(15)
 Section 11
 Section 14(2)(g)
 Section 16
 Section 28
 Section 22
 Section 23
 Section 25
 Section 3(36)
 Section 11(3)
 IAAF Eligibility Regulations for the Female Classification [Athletes with Differences of Sex Development]
 Anti-Doping & Data Protection : An Evaluation Of The Anti-Doping Laws And Practices In The EU Member States In Light Of The General Data Protection Regulation, https://library.olympic.org/Default/doc/SYRACUSE/184971/anti-doping-data-protection-an-evaluation-of-the-anti-doping-laws-and-practices-in-the-eu-member-sta?_lg=fr-FR
 Section 14(2)
 Section 17
 Section 19
 Section 23(3)