Data is becoming an increasingly important asset to those operating in the sports industry. For now, the key point for sports-related organisations to note over the past 100 days has been that the EU GDPR no longer directly applies in the UK, but the UK has introduced its own (largely similar) "UK GDPR". Most businesses in the UK will be subject to the UK GDPR, and may also be subject to the EU GDPR. It will be important to monitor whether divergence between EU GDPR and UK GDPR begins to happen – if it does, this could have important economic and legal implications. Watch this space.
EU GDPR and UK GDPR:
- If a sports organisation (for example, a football club) is established in an EU member state, but holds or otherwise processes individuals' data (e.g. players' data or the data of visitors to its website) in the UK (or vice versa), that organisation may be subject to both data protection regimes (EU GDPR and UK GDPR). Whilst these are broadly similar, it means there is the potential for enforcement action to be brought against sports organisations in the UK and EU for a single infringement.
- Where a sports club in the UK (or other sports-related organisation) offers goods or services to (or who monitors the behaviour of) individuals in the EU it may also be subject to EU GDPR. Such clubs who do regular business with individuals in the EU may need to appoint a representative in an EU member state. Similarly, clubs in the EU offering goods or services to (or monitoring the behaviour of) individuals in the UK may also be subject to UK GDPR. Such clubs who do regular business with individuals in the UK may need to appoint a representative in the UK.
International Data transfers:
- Until at least 30 June 2021 flows of personal data from the EU to the UK can continue as if the UK were still an EU Member State. The UK Government has indicated that it will allow data flows from the UK to the EU to continue in any event, although this may change if there is a dispute over any decision by the European Commission whether or not to confer an "adequacy decision" on the UK. This means that sports-related organisations have been able so far to continue to move player and athlete data freely across the EU/UK border for the time being but the position may be different in 100 days' time.
- The European Commission is in the process of deciding whether to confer "adequacy" status on the UK's data protection regime for data transfers. If the UK's regime is accepted as adequate, then personal data transfers from the EU to the UK can continue. However, if the UK's regime is not considered to be adequate, organisations will need to assess whether they can rely on other transfer mechanisms. In February 2021, the European Commission issued draft decisions to the effect that the UK's data protection regime was adequate. Until final approval of those decisions is confirmed, sports-related organisations should undertake assessments to identify potential issues and mitigation strategies.
Read more about the impact of Brexit on data protection, the provisions in the TCA relating to digital trade and the Commission's draft adequacy decisions.