A Game Changer in Personal Data Protection in the EU

By: Sophie Goodman

The European Union’s (EU) new data protection law will go into effect on May 25, 2018[1] and will “radically reform the way [the EU] handle[s] individuals’ personal data.”[2] The right to personal data protection is not set out in any EU treaty, but it is considered important in relation “to its function in society.”[3] Although personal data protection is not an absolute right, the principle of data protection is established in Article 16(1) of the Treaty on the Functioning of the European Union.[4] The main actors in personal data protection are controllers and processors.[5] A controller directs how personal data is to be handled, while a processor processes the data according to the controller’s directions.[6]

This new data protection law, the General Data Protection Regulation (GDPR),[7] will replace the Data Protection Directive (DPD),[8] which was enacted on October 24, 1995.[9] The GDPR differs from the DPD in several respects.[10] First, “the GDPR imposes stricter obligations on data processors and controllers with regard to data security while simultaneously offering more guidance on appropriate security standards.”[11] Second, the GDPR, for the first time, sets a time limit within which a controller must notify a supervisory authority after a breach of information has occurred.[12] Third, the “GDPR separates responsibilities and duties of data controllers and processors” and defines the term “personal data breach.”[13]

Since the adoption of the DPD, technological advancements have rendered the directive obsolete as a framework for regulating the protection of personal data.[14] Failing to protect personal data harms not only the individual but also carries significant commercial risk.[15] Thus, the EU adopted the GDPR in order to improve the law.[16] Debate on the GDPR began in 2012, and the new law was published in 2016, giving organizations time to bring themselves into compliance.[17]

The GDPR improves upon the DPD by harmonizing the national laws of EU Member States and creating “a robust common baseline for all countries to follow.”[18] While many of the 28 Member States[19] have incorporated multiple DPD provisions into their national laws,[20] those national laws lack uniformity. The GDPR harmonizes the law on personal data security across all Member States.[21] Applying a single law across all Member States makes it predictable how controllers and processors must protect personal data.[22] Not only does the GDPR improve upon the DPD, it also creates substantial new individual rights.[23] For example, a controller must report a data breach to a supervisory authority within 72 hours.[24]

The GDPR will apply not only within the Member States but also globally,[25] including to the United Kingdom.[26] Because the GDPR becomes effective in May 2018, before the United Kingdom leaves the EU, the United Kingdom must comply with it.[27] The GDPR has global reach because “it applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the [EU], regardless of whether the processing takes place in the [EU] or not.”[28]

The GDPR will have a major effect on sports clubs that record the personal data of athletes,[29] as well as on EU anti-doping laws.[30] Anti-doping laws govern all athletes, both professional and non-professional.[31] Thus, the GDPR has a broad influence.[32] An organization that violates the GDPR faces steep fines, which can total “4% of an organization’s worldwide revenue.”[33] Moreover, every organization must be in compliance with the GDPR by May 2018.[34]

A great deal of personal data is gathered on athletes in an effort to deter doping.[35] This data is gathered on both competitive and non-competitive athletes and consists of blood and urine samples together with personal details, including addresses, names, and other identifying information.[36] Depending on the purpose for which it is used, this personal data can be stored for anywhere from 18 months to 10 years.[37] Moreover, it can be shared with other Member States as well as internationally.[38]

Any personal data analyzed in the anti-doping context qualifies as sensitive personal data under the GDPR.[39] As a rule, processing sensitive personal data is not allowed.[40] Sensitive personal data includes “racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; data concerning health or sex life and sexual orientation; genetic data …; and biometric data.”[41] However, Article 9 sets out the circumstances in which processing sensitive personal data is allowed.[42]

Processing sensitive personal data is allowed in six situations.[43] First, the GDPR permits processing when an athlete consents to the tests.[44] While many organizations rely on individual consent, this becomes problematic in the context of anti-doping tests,[45] because consent must be freely given to be valid.[46] Consent is not freely given where an individual has no real choice but to consent, as when an employer asks an employee to provide personal data.[47] However, when it comes to anti-doping measures, the absence of freely given consent does not matter, because the testing is “justified on the basis of compliance with regulations or in the public interest.”[48] Moreover, the GDPR permits processing “when data processing is necessary for the performance of a contract,” for a legal obligation, to protect the interests of the athlete, in the public interest, or for the legitimate interests of the controller or a third party.[49] These are the situations in which the GDPR permits processing in the anti-doping context.[50] To comply properly with the GDPR, Member States should ensure that data processing in the anti-doping context rests on one of these grounds.[51]

Athletes retain many rights under the GDPR in the anti-doping context.[52] These rights include “the right to be forgotten, the right to data portability, the right to access, the right to rectify, the right to object and the right not to be subject to a decision based solely on automated processing, including profiling.”[53] Moreover, the GDPR places specific limitations and obligations on controllers and processors when they handle data.[54] Building trust in how this data is handled will support economic development, which benefits not only the EU but also its citizens.[55]

[1] What You Need to Know About the EU’s New Data Protection Law, LabioTech (Sept. 13, 2017), https://labiotech.eu/gdpr-eu-data-protection/.

[2] Ian De Freitas, GDPR: A Game-Changer for the Sports Sector, Farrer & Co (June 29, 2017), https://www.farrer.co.uk/news/briefings/inn-the-field-of-play---june-2017-gdpr-a-game-changer-for-the-sports-sector/.

[3] Proposal for a Directive of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data, at 6, SEC (2012) 72 final (Jan. 25, 2012).

[4] Id. at 2.

[5] See What You Need to Know About the EU’s New Data Protection Law, supra note 1.

[6] Id.

[7] See generally Commission Regulation 2016/679, 2016 O.J. (L 119).

[8] See What You Need to Know About the EU’s New Data Protection Law, supra note 1.

[9] See Council Directive 95/46, 1995 O.J. (L 281) (EC).

[10] See Rita Heimes, Top 10 Operational Impacts of the GDPR: Part 1 – Data Security and Breach Notification, IAPP (Jan. 6, 2016), https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-1-data-security-and-breach-notification/#.

[11] Id.

[12] Id.

[13] Id.

[14] Commission Staff Working Paper Executive Summary of the Impact Assessment Accompanying the Document Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, at 2, SEC (2012) 73 final (Jan. 25, 2012).

[15] Ed Hadcock, New Data Protection Laws Set to Impact the Sports Sector, Sports Score (Sept. 20, 2017), https://www.sportsscore.co.uk/blog/2017/9/20/new-data-protection-laws-set-to-impact-the-sports-sector.

[16] What You Need to Know About the EU’s New Data Protection Law, supra note 1.

[17] De Freitas, supra note 2.

[18] What You Need to Know About the EU’s New Data Protection Law, supra note 1.

[19] Countries, European Union, https://europa.eu/european-union/about-eu/countries_en.

[20] Anti-Doping & Data Protection: An Evaluation of the Anti-Doping Laws and Practices in the EU Member States in Light of the General Data Protection Regulation 18, https://publications.europa.eu/en/publication-detail/-/publication/50083cbb-b544-11e7-837e-01aa75ed71a1/language-en.

[21] See Heimes, supra note 10.

[22] Id.

[23] What You Need to Know About the EU’s New Data Protection Law, supra note 1.

[24] Id.

[25] Id.

[26] De Freitas, supra note 2.

[27] Id.

[28] Anti-Doping & Data Protection: An Evaluation of the Anti-Doping Laws and Practices in the EU Member States in Light of the General Data Protection Regulation, supra note 20, at 91.

[29] Kate Evans, A Game Changer: The Impact of GDPR on Sports Clubs and Associations, Welsh Sports Association (Oct. 24, 2017), http://wsa.wales/game-changer-impact-gdpr-sports-clubs-associations/.

[30] See generally Anti-Doping & Data Protection: An Evaluation of the Anti-Doping Laws and Practices in the EU Member States in Light of the General Data Protection Regulation, supra note 20.

[31] Id. at 17.

[32] Id.

[33] What You Need to Know About the EU’s New Data Protection Law, supra note 1.

[34] Evans, supra note 29.

[35] See Anti-Doping & Data Protection: An Evaluation of the Anti-Doping Laws and Practices in the EU Member States in Light of the General Data Protection Regulation, supra note 20, at 17.

[36] Id. at 17, 19.

[37] Id. at 17.

[38] Id.

[39] Id. at 20.

[40] Sensitive Data & Lawful Processing, Bird & Bird, https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/25--guide-to-the-gdpr--sensitive-data-and-lawful-processing.pdf?la=en (last visited Jan. 8, 2018).

[41] Id.

[42] Id.

[43] Anti-Doping & Data Protection: An Evaluation of the Anti-Doping Laws and Practices in the EU Member States in Light of the General Data Protection Regulation, supra note 20, at 20.

[44] Id.

[45] Hadcock, supra note 15.

[46] De Freitas, supra note 2.

[47] Id.

[48] Id.

[49] Anti-Doping & Data Protection: An Evaluation of the Anti-Doping Laws and Practices in the EU Member States in Light of the General Data Protection Regulation, supra note 20, at 20.

[50] Id.

[51] Id.

[52] Id. at 101.

[53] Id. at 121.

[54] Id. at 120.

[55] Commission Staff Working Paper Impact Assessment Accompanying the Document Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, at 7, SEC (2012) 72 final (Jan. 25, 2012).