JACK ANDERSON: The data challenge reaches every corner of sport

Doping is one of the key topics in any sports law course. Students generally want to talk about the excuses athletes resort to in trying to reduce the length of their ban.

Many of us in our daily fitness routine give away considerable personal health data by way of apps.

An interesting example of this took place last week at the Court of Arbitration for Sport (CAS).

Peru captain Paolo Guerrero will miss the World Cup in Russia after a doping ban, which had expired earlier this month, was increased from six to 14 months.

Peru, who last qualified for the World Cup in 1982, will now be without their all-time leading goal scorer. Guerrero, revered in Peru, is in his mid-30s and is unlikely to feature in another World Cup.

All three captains of Peru’s opponents in Group C of the World Cup have written to Fifa to plead Guerrero’s case but to no avail.

Guerrero tested positive for cocaine following a World Cup qualifier in Argentina in October.

He argued that the reason for the positive test was that he had ingested tea infused with coca leaves, one of the raw ingredients in cocaine, and that this tea is popular in Peru where traditionally it has been used for altitude sickness.

Fifa imposed a six-month ban, which is at the lower end of the scale, acknowledging that the substance gave the player little to no performance enhancement.

The World Anti-Doping Agency (WADA) appealed the leniency of Fifa’s sanction to CAS. Although CAS recognised that they could attribute no significant fault to the player, it nevertheless increased the sentence by eight months, which means that Guerrero misses out.

The Guerrero affair has caused disquiet among player representative bodies who noted that this week Fifa also announced that further investigation into doping in Russian football — hinted at in the McLaren report into widespread doping at the Sochi Winter Olympics of 2014 — was to stop on the grounds of insufficient evidence.

Political inconsistencies in how doping is investigated and sanctioned in world sport is interesting but so also are the legalities of the testing process itself.

In teaching anti-doping ‘law’, I always start by taking the class through a sample testing process. On discussing the privacy elements of having to pee into a receptacle in full view of another, the students smirk and guffaw when I ask what ends up in that receptacle.

The point is that the sample contains a huge amount of personal health data on the athlete in question.

What is the nature of the athlete’s consent to the testing process? How is that data analysed and for what exact purpose? Where is it stored? When, in what context and how many times might it be used? How long will it remain with the testing authority? Is the athlete notified if it is destroyed?

These are all data protection-related questions that WADA and other doping authorities have had to cope with over the past two decades.

In 2016, WADA’s doping sample storage system was hacked by an anonymous cyber hacking grouping called Fancy Bears.

Fancy Bears released hundreds of medical documents revealing personal, highly sensitive health information on leading athletes including the Williams sisters, US gymnast Simone Biles, and later Mo Farah, Bradley Wiggins, and Chris Froome.

Fancy Bears is allegedly funded by Russia which, apparently, used it to exact revenge for various doping-related investigations targeting Russian athletes.

Whoever Fancy Bears is, it identified weaknesses in WADA’s data storage, and then weaponised that data to embarrass WADA and even leave it vulnerable to compensation claims by aggrieved athletes.

The Fancy Bears/WADA example is a good case study into what the General Data Protection
Regulation (GDPR) seeks to avoid.

The GDPR’s impact on sports bodies of all sizes has been well flagged over the past year. It clarifies Irish sports bodies’ obligations to keep records of data collected on individuals such as athletes, members, employees, or volunteers.

In obtaining that information the sports body must be careful to obtain the informed consent of the person in question, explaining why, for what purpose and for how long they will retain the information.

In holding the information, the sports body must respect the individual’s right of access to it and their right to have it destroyed or “forgotten”.

The headline figure is that those found in breach could potentially be fined up to €20 million or 4% of turnover.

If, for example, WADA had been found liable, sport’s anti-doping police force would likely have gone bust. And remember, where a breach occurs, sports bodies, irrespective of size, only have a 72-hour window in which to report it.

Data analytics generally is an important part of modern sport. Much of this can be traced to Michael Lewis’ baseball economics book Moneyball recounting the stats-driven success of the Billy Beane at Oakland Athletics.

Beane compiled exhaustive statistics on players’ skills matching them to the team’s needs. Now, most teams have comprehensive biometric data on their players’ athletic capacity, sometimes known as “biological Moneyball”.

This data informs coaches’ decisions on how players train, on-field tactical decisions and even the buying or selling of professional players. In short, data now infuses sport and all of it must be GDPR-compliant.

Many GAA managers, notably Dublin’s Jim Gavin, are fans of data analysis.

The International Football Association Board who administer the ‘laws’ of football recently changed them to permit team officials to use small hand-held devices to relay data on coaching/tactics and player welfare.

Moreover, in football player transfer negotiations, player data has increasingly become central to decision-making by clubs. The scout is being replaced by the spreadsheet.

GDPR provisions on ‘data portability’ now mean that clubs must release such information to want-away players and rival clubs.

Data is often central to disciplinary investigations in sport. Successful investigations on match-fixing in football or race-rigging in horse racing often rely on data harvested from betting accounts, financial, or phone records. The extent to which sports bodies are entitled to access or hold such information will likely to be challenged.

Many of us in our daily fitness routine give away considerable personal health data by way of apps installed on our phones or other wearable technology. Most of the designers of such apps are now aware of their GDPR liabilities if they abuse, harvest, or even sell your data to others.

Again, mistakes happen. Earlier this year, Strava, a popular fitness app, created an interactive map based on 13 trillion GPS points to enable users to avail of running or bike tracks worldwide.

An Australian student found out that the maps included patrol routes surrounding secretive military bases in the Middle East and other conflict zones. The sensitive data was removed quickly; the damage to Strava’s reputation lingered a little longer.

Returning to Ireland, the potential impact of GDPR on, for instance, GAA clubs is pronounced. Future club decisions on expanding the club lotto, installing CCTV cameras around the clubhouse or even the apps team managers use to notify parents and players of upcoming games, will all have to be assessed for data privacy impact.

The administrative burden on sports volunteers in Ireland is already quite high. In clubs throughout the country the “usual suspects” will probably be asked to become the club’s nominated data protection officer.

If, for example, though having to deal with GDPR at work, you become concerned as to whether the usual suspects in your local soccer, rugby, basketball etc club have the skills to deal with data protection; remember, there is one way to alleviate your worry.

And that it is, to volunteer; not just your data but also your time to your club.

Jack Anderson is Professor of Sports Law at the University of Melbourne and Adjunct Professor at University of Limerick.


Related Articles

China link to Marriott hotels data breach

Quora reveals data breach affecting up to 100 million users

Owner of Dublin's Westin Hotel caught up in global data breach affecting up to 500 million customers

1,250 requests to access private data


Lifestyle

Personal trainers and nutritionists reveal their simple secrets to a healthier Christmas

Live the green dream and let plants take root in your home

Sleep tight, baby: A bed system you can use from birth to 10 years old

Wish List: Festive stocking choices for Christmas shoppers

More From The Irish Examiner