BIG DATA, BIG PROBLEMS: ANALYSIS OF PROFESSIONAL SPORT LEAGUES CBAS AND THEIR HANDLING OF ATHLETE BIOMETRIC DATA
Sarah M. Brown
June 25, 2019

Introduction
■ The North American sports market is projected to reach $78.53 billion by 2021 (Statista, 2018).
■ Athlete biometric data (ABD) provides an opportunity to create new revenue streams for professional sports leagues, teams and athletes, in addition to enhancing fan engagement and creating competitive advantages.
■ Wearables have become ubiquitous within the five major professional sport leagues.
  – At a minimum, each league has integrated wearables into athlete training, but the leagues’ understanding and protection of the data is still very limited.

What is ABD and Why is it Important?
■ ABD is a subcategory of big data: any measurement or record used to identify people as individuals; identifiers may be physiological (heart rate, temperature) or behavioral.
■ https://www.si.com/nfl/2016/01/13/super-bowl-100-player-tracking-analytics

Introduction Cont.
■ For professional sports to capitalize on these potential opportunities, the leagues must effectively manage ownership, access, privacy, use, and security of such data.
■ Appropriate league management and security is critical because ABD is an attractive commodity, and when put into a digitized format it can easily become susceptible to cyber threats, putting the athletes at risk of loss of privacy.

Purpose
■ Analyze and compare the protections for ABD set forth in the collective bargaining agreements (CBAs) of the NFL, NBA, MLB, NHL and MLS.
■ Discuss the potential gaps in protection and potential athlete exposure, as well as the applicability of federal and state laws to biometric data collection.
■ Discuss current state privacy laws and privacy laws abroad (General Data Protection Regulation).

Potential Risks of ABD Collection
■ Three areas of potential risk:
  1. Athlete whose data is being collected,
     ■ Athlete privacy and risk of misappropriation of ABD.
       – https://youtu.be/ug6SM5S2sIw
       – The most sophisticated wearable devices can collect up to one thousand data points per second.
  2. Entity using the data (sport team), and
  3. Vendor providing the wearable technology.
     ■ Security, including storage of ABD.

National Basketball Association & ABD
Governing Provision of ABD in NBA CBA
Management:
  • Team must provide an explanation of what the device will measure, what those measurements mean and the benefits to the player for obtaining such data.
  • Wearable committee created to establish security protocols, review and approve requests for wearable devices.
Use:
  • Voluntary; only approved devices.
  • In practice only.
  • Medical, on-court strategic decisions, and performance.
Ownership: N/A
Privacy: N/A
Access:
  • Player (full access); Team staff (full access).
Security:
  • Wearable committee sets cybersecurity standards.
  • Teams’ security standards approved by the wearable committee.
Commercial Use:
  • Wearable data may not be leveraged in contract negotiations; violation is a $250,000 fine.
  • Continue discussions in good faith about commercialized data.
Definition:
  • Measures movement information, biometric information, or other health, fitness and performance information.

Major League Baseball and ABD
Governing Provision of ABD in MLB CBA
Management:
  • Team must provide an explanation of the technology proposed.
  • Playing Rules Committee (PRC) has the authority to approve use and devices.
  • Wearable committee created and will meet biannually to discuss topics related to wearables.
Use:
  • Voluntary; only approved devices.
  • In practice and in game.
  • Medical and performance.
Ownership: N/A
Privacy:
  • Wearable data is treated as highly confidential; not part of player’s medical record.
Access:
  • Player (direct access); Team (listed personnel).
  • Player may request to restrict others’ access.
Security:
  • At player request, data is destroyed.
Commercial Use:
  • Commercial use is strictly prohibited.
Definition:
  • Any device designed to collect and/or analyze data related to a Player’s health or performance.

Major League Soccer and ABD
Management: N/A
Use: Players may be required to wear a monitoring device in connection with training.
Ownership: N/A
Privacy: Performance measures may be publicly disseminated, without the Union’s approval.
Access: Team shares results with player.
Security: N/A
Commercial Use: N/A
Definition: Physiological Testing

National Football League and ABD
Governing Provisions of ABD in NFL CBA
Management: N/A
Use:
  • Voluntary; only approved devices.
  • In practice only.
  • Medical and performance.
Ownership: N/A
Privacy: N/A
Access: N/A
Security: N/A
Commercial Use: N/A
Definition: N/A

National Hockey League and ABD
Governing Provision of ABD in NHL CBA
Management: N/A
Use: N/A
Ownership: N/A
Privacy: N/A
Access: N/A
Security: N/A
Commercial Use: N/A
Definition: N/A

Applicable Federal Law
Genetic Information Nondiscrimination Act (GINA)
  Unlawful employment practice for any employment agency to discriminate against an individual because of genetic information.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  HIPAA does regulate some biometric data, but various definitions of biometric data have created ambiguity.
  Athletes may sign waivers to exempt teams from complying with the federal requirement.
  Department of Health and Human Services issued a statement that professional teams are likely not bound by HIPAA.

Applicable State Law
■ Biometric Information Privacy Act, 740 ILCS 14 (2008), et seq.
  – Applies to any private entity, including employers.
  – Employers must:
    ■ Provide each individual with written notice that their biometric information will be collected and stored.
      – Purpose for the collection of information and length of time it will be stored.
    ■ Obtain the individual’s express written authorization to collect and store their biometric information, prior to it being collected.
    ■ Develop and make available to the public a written policy establishing a retention schedule and guidelines for destroying the biometric data.
      – Destruction of the data after its intended purpose has been fulfilled or three years after the employer last employed the individual, whichever comes first.
■ Allows for a private cause of action.

Applicable State Law
■ Texas biometric privacy statute (2009) Tex. Bus. & Com. Code Ann. § 503.001
  – Only applies to biometric identifiers and not biometric information being used for commercial purposes.
    ■ Fingerprints/retina scans.
  – Must provide individuals with notice and receive consent; however, written consent is not required.
  – Prohibits the sale of biometric data.
  – Protect data with reasonable care.
  – Destroy data within a “reasonable time” that does not exceed one year after the data is no longer needed.
  – No private cause of action; all claims must go through the attorney general, who can sue for enforcement of the statute and seek up to $25,000 per violation.

Applicable State Law
■ Washington biometric privacy statute (2017) Wash. Rev. Code Ann. § 19.375, et seq.
  – Defines biometric data broadly: “any data generated by automatic measurements of an individual’s biological characteristics.”
  – Requires notice and consent of the individual, but does not specify that consent must be in writing.
    ■ Exception: Biometric data collected and stored by a business for security purposes (preventing shoplifting, fraud, etc.)
  – Does not create a private cause of action.
  – Business may sell data (limited circumstances).

Other Applicable State Laws
■ California Consumer Privacy Act (CCPA); goes into effect January 2020
  – This law has been proposed as the potential framework for a federal regulation.
■ Alaska, Connecticut, Massachusetts and New Hampshire have all discussed and debated implementing privacy laws targeting biometric data.

General Data Protection Regulation
■ The European Union has created the General Data Protection Regulation (GDPR), which establishes a harmonized framework within the European Union for biometric data.
■ https://youtu.be/n5WJOncaHt4

General Data Protection Regulation
■ Biometric data: “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images.”
■ Objective is to prohibit the “processing” of biometric data without a person’s consent, thereby protecting individuals from having their information shared with third parties without their knowledge.
■ GDPR applies to almost any processing of electronic communications.

General Data Protection Regulation
■ Main objectives/Provisions
  – The right to be forgotten
  – Data breach must be notified within 72 hours
  – Global Law: Non-EU established organizations are subject to the GDPR where they process personal data about EU citizens.
  – Data minimization principle
  – Potential 4% worldwide revenue penalty

General Data Protection Regulation Lawsuits
■ Facebook (Instagram & WhatsApp) ($3.9B) & Google (Android operating system) lawsuit ($3.7B)
  – Argued that the way the companies try to obtain consent is not compliant because it forces users into an all-or-nothing choice.
    ■ Users are asked to check a box to obtain access to services.