Sports data mining: Project Red Card

Published 29 October 2021

Last year, the Global Sports Data and Technology Group made headlines when it launched ‘Project Red Card’ to take legal action on behalf of footballers, seeking to claim compensation for the use of their performance data. Project Red Card now represents over 850 professional players across the Premier League, National League, EFL and the Scottish Premiership.

While no legal proceedings have been issued yet, it is understood that letters of claim (the necessary first step in a legal dispute) are being issued to companies in the sports data analytics sector. So what are Project Red Card’s arguments, and why is this causing a stir?

Under the UK General Data Protection Regulation (the “UK GDPR”) and Data Protection Act 2018 (the “DPA 2018”), personal data is defined as any information relating to a natural person who:
can be identified, directly or indirectly, from that data.

Some of the performance data collected undoubtedly appears to meet the definition of personal data and other elements, such as body composition and heart rate monitoring, strays into special category data territory as it amounts to health data.

Any organisation processing personal data must have a lawful basis for doing so (in accordance with Article 6 of the UK GDPR). Without a lawful basis, the processing of personal data will be unlawful. Where personal data constitutes “special category data” or “criminal offence data”, a processing condition (such as consent) will all be required. In such cases, without both the lawful basis and condition, the processing of special category data or criminal offence data will be unlawful.

Football has a tradition of leveraging data to better understand the game and improve performance of the players. Performance statistics such as ‘shots on goal’ or ‘passes completed’ have been used for decades. However, with the evolution of technology, data analytics has become far more sophisticated and essential for clubs and involves the harvesting of far greater volumes of data. Further, the scale of data sharing has increased and now includes sharing with third parties such as betting companies and video game developers. Project Red Card’s position is that players’ performance data is personal data insofar as it relates to identifiable players, and that the use and sharing of such data without consent means that it is being processed unlawfully. In the absence of such consent, it is understood that Project Red Card asserts that the players should be compensated.

However, as many will be aware, consent is just one potentially applicable lawful basis (and, for special category data, explicit consent is just one potentially applicable condition).

As an alternative to consent, it seems that there is at least an argument that organisations could rely on the ‘legitimate interests’ basis for the processing of personal data. However, to rely on this lawful basis, the organisations utilising players’ performance data would need to carry out a legitimate interests assessment to demonstrate that there is a legitimate interest in the processing, that such processing is necessary in order to achieve that interest and balance that interest against the players’ data protection rights against the perceived benefits to that organisation. Where the data amounts to special category data, an additional condition would be needed. Further, if relying on legitimate interests, organisations would need to allow the players the right to object to such processing. Whether legitimate interest can be relied upon in relation to Project Red Card remains to be seen.

Quantification of damages

If Project Red Card is correct in asserting that the personal data of footballers is being processed unlawfully, then determining the appropriate level of compensation for the footballers is a complex exercise. In the Court of Appeal decision in Lloyd v Google¹, it was held that:

“Even if data is not technically regarded as property in English law, its protection under EU law is clear. It is also clear that a person's [data] has economic value: for example, it can be sold. It is commonplace for EU citizens to obtain free wi-fi at an airport in exchange for providing their personal data. If they decline to do so, they have to pay for their wi-fi usage. The underlying reality of this case is that Google was able to sell [data] collected from numerous individuals to advertisers who wished to target them with their advertising. That confirms that such data, and consent to its use, has an economic value.

Accordingly, in my judgment, a person's control over data […] does have a value, so that the loss of that control must also have a value.”²

Following Lloyd v Google, it seems the players are likely to argue that there has been a loss of control of their personal data given that various organisations processed it for their own purposes. The question then remains what is an appropriate level of damages if there is no pecuniary loss or distress which flows from the processing activities. The Supreme Court has been asked to consider this question in the appeal of Lloyd v Google, for which the judgment is eagerly awaited and expected by the end of 2021.

Irrespective of the outcome of this complex matter, the case represents yet another example of a high-profile challenge to data processing practices, which may have been seen as ‘fair game’ prior to the rapid growth of privacy rights awareness in recent years.

¹Lloyd v Google [2019] EWCA Civ 1599
²Lloyd v Google [2019] EWCA Civ 1599, at paras. 46-47