Data is a commodity, with businesses buying and selling huge amounts of it every day.  Generally, the personal data sold is authorised by the individuals to which it relates (often unwittingly by a waiver never read in a thrice-removed hyperlink alongside “accept cookies” or “I agree to these terms and conditions”).

Russell Slade, however, is now leading a charge by 850 professional footballers to retake control of huge amounts of data about them that is traded and relied upon by betting firms, data collection agencies, and entertainment companies.  For those who don’t know him, Slade is a football manager previously in charge of Cardiff City, Lleyton Orient, and Yeovil Town.

Football statistics have become an important aspect of the game for many fans.  For example, xNPG/90 means “Expected non-penalty goals per 90 minutes” – a statistic itself derived from hundreds of data points gathered by football analytics companies and relied upon by gambling companies to set scoring odds, and fantasy football players (of which there are over eight million in the official game alone) to choose their teams.

Should the ever-growing list of statistics gathered about players be ever-growing?  Slade and his cohort say no.

Article 4 of the UK General Data Protection Regulation (‘UK GDPR’) defines ‘personal data’ as “any information relating to an identified or identifiable natural person (‘data subject’)”, and an identifiable natural person is one who can be identified “directly or indirectly”.

Without having had sight of the letters of claim it is not possible to comment on precisely what bases the claim is advanced, but it is likely that the arguments will be that the data is not processed lawfully contrary to Article 6(1)(a) UK GDPR because the ‘data subjects’ concerned (the players) have not consented to the data being collected, processed, and used or sold.  That seems to be supported by Slade’s statement to the press that consent is the major issue here.

There are likely to be practical implications here too.  It is unknown whether the English Football League’s official data partner, Football DataCo, which authorises StatsPerform (which is the parent company of Opta, a more familiar name to football fans) to collect stats during its football matches, has received a letter from the players.  It will be interesting to see whether official partners have been spared from the opening salvo.

Whether the official partners have been spared or not, there are potentially defences available to the proposed defendants.  The most obvious is the legitimate interest in collecting, storing, and processing the data, especially that portion of the data derived from the agencies’ own observations of football matches, rather than by obtaining personal data that has been collected privately and disseminated without authorisation.  Some data, however, plainly cannot be observed.  While whether a player is “tall” or “really tall” can  be observed, especially when those players are next to one another, precise heights and weights can not be: that data comes from somewhere else (possibly club records published to the league).  It is uncontroversial to say that football fans generally are interested (to some degree) in seeing this data, and so the legitimate interest in processing the data may well be a central pillar of any defence.

While it might appear that the players have consented to their data being collected and processed when contracting to play professional football, knowing that at least some of their matches will be televised and there will be significant scrutiny of them and their statistics, consent in a data processing sense under the UK GDPR must be expressly given: it cannot be implied.  As a result, even though at this stage (as opposed to, say, 30 years ago) the players must have known that their data would be collected to some extent (having no doubt watched football and seen statistics used in the broadcasts before playing professionally) that is highly unlikely to form the basis of a successful defence in this matter.

It is understood that part of the claim relates to the processing of inaccurate personal data.  This type of claim is less controversial.  It is easy to see how inaccurate statistics can cause direct financial damage (reducing a player’s value and potential income) and distress.  On a side note, suing for damages within a class action can be problematic where different parties have suffered different losses.

Where it is accepted the statistics are accurate, a claim for financial loss might be difficult to sustain.  A UK GDPR claim for damages can be pursued where no financial loss is suffered, with compensation available for the mere infringement and distress.  However, in a claim like this there must be some risk that the Court might consider any distress to be de minimis raising the possibility of the claim being struck out on the grounds of triviality.  A potential way around this is for the claim to have a rectification/erasure order as its principal objective (akin to an injunction prohibiting the collection/use of statistics in a specified manner in the future).

On any view, the claim is a novel application of data protection legislation.  If it reaches a judicial determination, media lawyers and data protection specialists will pore over the ensuing judgment.

This post originally on the Brett Wilson Media and Communications Law Blog and is reproduced with permission and thanks