Executive Summaries Nov 6, 2024

Protecting Privacy in Sports – Don’t Wait to be Caught Flat-Footed!

Here is a question for sports organizations: what is your privacy game plan? In Québec, preserving the confidentiality of personal information is a key issue for all businesses, especially since the new Law 25 provisions amending the Act respecting the protection of personal information in the private sector (RLRQ, ch. P-39.1) came into effect in 2022.

In light of these new provisions, teams, leagues, players’ agents and all sports organizations that collect the personal information of athletes, coaches or fans must abide by new obligations that cannot be ignored. Some considerations, however, are more specific to organizations that administer medical records, performance results and customer information, among other things. 

Accordingly, this article addresses not only sports organizations operating in Québec, but also those that collect, use, store, and disclose the personal information of Québec athletes, fans, suppliers, and/or employees. 

Extensive Personal Information Collected  

A shared feature of most sports organizations is the variety and great sensitivity of the personal information they collect. As part of their activities, these organizations collect information regarding: 

  • Their employees (date of birth, social insurance number, and more)
  • Athletes (health, sports performance, biometric measurements, passport number for team travel, and more) 
  • Minors (for instance, information on rookies or young student athletes enrolled in sports activities) 
  • Their customers (financial data collected upon purchase of tickets or promotional items, consumer habits designed to enable marketing activities, and more)

The quantity and sensitivity of this data require an extra level of caution from sports organizations.

 

Serious Consequences in the Event of a Confidentiality Incident 

In addition to the general penalties that may apply in the event of non-compliance with Québec legislation, which may amount to up to $25 million or 4% of their worldwide turnover, sports organizations are vulnerable to data leaks, the consequences of which may be substantial and costly given the sensitivity of some of the information they hold. For example:

  • Public disclosure of confidential information regarding an athlete’s physical or mental well-being, which places the athlete at a disadvantage relative to counterparts by potentially reducing the athlete’s market value 
  • Unauthorized access to anti-doping test results with significant reputational consequences
  • Disclosure of information regarding the salaries or payments made to an athlete by sponsors, which may have significant consequences in contractual negotiations

Overview of Sports Organizations’ Legal Obligations 

In addition to the more general obligations that apply to all private companies subject to Québec privacy laws, sports organizations should pay particular attention to certain key requirements. These include posting online contact details for the person responsible for protecting personal information, keeping a log of privacy incidents and setting retention periods for all personal information that is collected. Enhanced security measures should also be implemented, such as managing access to personal information within the organization, drafting privacy policies and implementing procedures to protect privacy. 

1. Obtaining and Managing Consent for the Disclosure of Personal Information 

It may be in the interest of athletes for one organization to share their personal information with another. For example, sharing performance data may facilitate a transaction or assist in the signing of a contract. In other situations, however, such disclosure may be unfavourable or entail significant negative consequences, for example in cases of doping, drug or alcohol use, or mental health issues. 

Unlike other jurisdictions, the only legal basis for the disclosure of personal information in Québec is consent from the person concerned by such disclosure. Accordingly, sports organizations that wish to disclose athletes’ personal information should ensure, either by contractual or other appropriate means, that all disclosure of athletes’ personal information to third parties (other sports teams, journalists, marketing agencies, and so on) has received prior consent from the athletes. 

Moreover, in certain cases, the law imposes specific conditions on the consent to be obtained. Essentially, consent must be formally stated whenever sensitive information is disclosed, for example medical records, biometric data or personal information concerning minors under the age of 14, such as young student-athletes or young fans. In light of the substantial financial stakes involved in professional sports, the disclosure of sensitive personal information may trigger serious legal and financial consequences.

2. Beyond Québec 

Practising a sport is often not limited to a single jurisdiction. Athletes practising their sport elsewhere in Canada or internationally, or spectators who have bought tickets for a game in another jurisdiction may be subject to other laws with extraterritorial scope. For instance, sports organizations that conduct business in Europe and collect personal information from European athletes or clients should consider the requirements of the General Data Protection Regulation (GDPR), along with those imposed by Québec law. 

Besides taking into consideration the obligations arising from applicable laws with extraterritorial scope, sports organizations must also consider the requirement imposed by Québec law to conduct a risk analysis, known as a Privacy Impact Assessment (PIA), before carrying out any disclosure of personal information beyond Québec’s borders. In view of the scope of the various sports leagues, which are often Canada-wide, America-wide, and even international, disclosures of personal information beyond Québec’s borders are likely to occur frequently. Furthermore, besides the exchange of information among organizations, the above obligation also covers the transmission of personal information to any service provider, including the storage of information on a third-party server located abroad. It should be noted that the Commission d’accès à l’information (CAI) may request information on the implementation of a PIA at any time. That is why it is important to document it in a report, which may then be sent to the CAI upon request. 

3. Use of Athletes’ Health Information and Biometric Data 

Whether recording athletes’ injury history, monitoring their health or measuring their physical performance, health information and biometric data are becoming increasingly important to athletes and sports organizations. By accessing athletes’ biometric data, for example, organizations may observe their performance or their physical wear and tear and make decisions based on the risk of injury rather than focusing only on game results. Athletes may also wish to take advantage of the collection and use of their biometric data to prove recovery from a previous injury or confirm their performance during training sessions. Hence, the use, including the sale, of this data may represent a significant advantage or source of revenue for athletes or sports organizations. 

Since health and biometric data are classified as sensitive by law, they must be handled with particular care by the sports organizations that collect them. As stated above, athletes must give their explicit consent for this data to be disclosed, unless otherwise specified. This information must also be protected by enhanced security measures, and, in the case of biometric data, the creation or use of a biometric database must systematically be reported to the CAI within a specified period. 

 

Conclusion

In closing, the various aforementioned considerations provide only an overview of the important issues that sports organizations must take into account. Bearing in mind data’s increasingly important role in the world of sports, particularly the use of biometrics, and the significant consequences of potential leaks of personal information, sports organizations must be proactive – they may no longer ignore the requirements to which they are now subject. 

If you have any questions regarding the impact of these requirements on your organization, please be sure to contact our team, who will be glad to advise you.