Executive Summaries Nov 6, 2024

Protecting Privacy in Sports – Don’t Wait to be Caught Flat-Footed!

Here is a question for sports organizations: what is your privacy game plan? In Québec, preserving the confidentiality of personal information is a key issue for all businesses, especially since the new Law 25 provisions amending the Act respecting the protection of personal information in the private sector (RLRQ, ch. P-39.1) came into effect in 2022.

In light of these new provisions, teams, leagues, players’ agents and all sports organizations that collect the personal information of athletes, coaches or fans must abide by new obligations that cannot be ignored. Some considerations, however, are more specific to organizations that administer medical records, performance results and customer information, among other things. 

Accordingly, this article addresses not only sports organizations operating in Québec, but also those that collect, use, store, and disclose the personal information of Québec athletes, fans, suppliers, and/or employees. 

Extensive Personal Information Collected  

A shared feature of most sports organizations is the variety and great sensitivity of the personal information they collect. As part of their activities, these organizations collect information regarding: 

  • Their employees (date of birth, social insurance number, and more)
  • Athletes (health, sports performance, biometric measurements, passport number for team travel, and more) 
  • Minors (for instance, information on rookies or young student athletes enrolled in sports activities) 
  • Their customers (financial data collected upon purchase of tickets or promotional items, consumer habits designed to enable marketing activities, and more)

The quantity and sensitivity of this data require an extra level of caution from sports organizations.

 

Serious Consequences in the Event of a Confidentiality Incident 

In addition to the general penalties that may apply in the event of non-compliance with Québec legislation, which may amount to up to $25 million or 4% of their worldwide turnover, sports organizations are vulnerable to data leaks, the consequences of which may be substantial and costly given the sensitivity of some of the information they hold. For example:

  • Public disclosure of confidential information regarding an athlete’s physical or mental well-being, which places the athlete at a disadvantage relative to counterparts by potentially reducing the athlete’s market value 
  • Unauthorized access to anti-doping test results with significant reputational consequences
  • Disclosure of information regarding the salaries or payments made to an athlete by sponsors, which may have significant consequences in contractual negotiations

Overview of Sports Organizations’ Legal Obligations 

In addition to the more general obligations that apply to all private companies subject to Québec privacy laws, sports organizations should pay particular attention to certain key requirements. These include posting online contact details for the person responsible for protecting personal information, keeping a log of privacy incidents and setting retention periods for all personal information that is collected. Enhanced security measures should also be implemented, such as managing access to personal information within the organization, drafting privacy policies and implementing procedures to protect privacy. 

1. Obtaining and Managing Consent for the Disclosure of Personal Information 

It may be in the interest of athletes for one organization to share their personal information with another. For example, sharing performance data may facilitate a transaction or assist in the signing of a contract. In other situations, however, such disclosure may be unfavourable or entail significant negative consequences, for example in cases of doping, drug or alcohol use, or mental health issues. 

Unlike other jurisdictions, the only legal basis for the disclosure of personal information in Québec is consent from the person concerned by such disclosure. Accordingly, sports organizations that wish to disclose athletes’ personal information should ensure, either by contractual or other appropriate means, that all disclosure of athletes’ personal information to third parties (other sports teams, journalists, marketing agencies, and so on) has received prior consent from the athletes. 

Moreover, in certain cases, the law imposes specific conditions on the consent to be obtained. Essentially, consent must be formally stated whenever sensitive information is disclosed, for example medical records, biometric data or personal information concerning minors under the age of 14, such as young student-athletes or young fans. In light of the substantial financial stakes involved in professional sports, the disclosure of sensitive personal information may trigger serious legal and financial consequences.

2. Beyond Québec 

Practising a sport is often not limited to a single jurisdiction. Athletes practising their sport elsewhere in Canada or internationally, or spectators who have bought tickets for a game in another jurisdiction may be subject to other laws with extraterritorial scope. For instance, sports organizations that conduct business in Europe and collect personal information from European athletes or clients should consider the requirements of the General Data Protection Regulation (GDPR), along with those imposed by Québec law. 

Besides taking into consideration the obligations arising from applicable laws with extraterritorial scope, sports organizations must also consider the requirement imposed by Québec law to conduct a risk analysis, known as a Privacy Impact Assessment (PIA), before carrying out any disclosure of personal information beyond Québec’s borders. In view of the scope of the various sports leagues, which are often Canada-wide, America-wide, and even international, disclosures of personal information beyond Québec’s borders are likely to occur frequently. Furthermore, besides the exchange of information among organizations, the above obligation also covers the transmission of personal information to any service provider, including the storage of information on a third-party server located abroad. It should be noted that the Commission d’accès à l’information (CAI) may request information on the implementation of a PIA at any time. That is why it is important to document it in a report, which may then be sent to the CAI upon request. 

3. Use of Athletes’ Health Information and Biometric Data 

Whether recording athletes’ injury history, monitoring their health or measuring their physical performance, health information and biometric data are becoming increasingly important to athletes and sports organizations. By accessing athletes’ biometric data, for example, organizations may observe their performance or their physical wear and tear and make decisions based on the risk of injury rather than focusing only on game results. Athletes may also wish to take advantage of the collection and use of their biometric data to prove recovery from a previous injury or confirm their performance during training sessions. Hence, the use, including the sale, of this data may represent a significant advantage or source of revenue for athletes or sports organizations. 

Since health and biometric data are classified as sensitive by law, they must be handled with particular care by the sports organizations that collect them. As stated above, athletes must give their explicit consent for this data to be disclosed, unless otherwise specified. This information must also be protected by enhanced security measures, and, in the case of biometric data, the creation or use of a biometric database must systematically be reported to the CAI within a specified period. 

 

Conclusion

In closing, the various aforementioned considerations provide only an overview of the important issues that sports organizations must take into account. Bearing in mind data’s increasingly important role in the world of sports, particularly the use of biometrics, and the significant consequences of potential leaks of personal information, sports organizations must be proactive – they may no longer ignore the requirements to which they are now subject. 

If you have any questions regarding the impact of these requirements on your organization, please be sure to contact our team, who will be glad to advise you. 

 

 

 

 
