Data privacy law
Under the UK GDPR, health data is one of several categories of data classified as ‘special category data’ – a legal term given to data that, due to its sensitivity, is afforded extra protection. This means that sports teams and others processing it need to be especially diligent.
Before processing any personal data – irrespective of its sensitivity – a lawful basis needs to be established (such as consent or legitimate interest). However, the processing of special category data is unlawful unless an additional hurdle is cleared: a condition for processing the data must be established. Ten conditions exist at law and, whilst only one needs to be established, the conditions are interpreted restrictively – the bar is set high.
Of the available conditions, ‘explicit consent’ is commonly relied on but, due to the power imbalance between athletes and their clubs (and potentially others who may seek to gather athlete data, such as leagues, federations or competition owners) there are questions as to whether such consent is ‘freely given’ and therefore valid. Wearables complicate matters, as they capture health and performance data continuously, generating a volume and granularity of information such that athletes may not be able to provide fully informed consent.
This often leaves no alternative but to rely on other conditions such as conditions linked to an employment context (which may be available when protecting athletes against injury or otherwise assessing fitness to work) or substantial public interest (which may be available for anti-doping initiatives or other initiatives designed to protect the integrity of a sport or a sporting event). However, remember that all conditions are interpreted restrictively, so care needs to be taken, and organisations should carefully document their rationale.
Artificial intelligence
The use of AI to process any personal data further complicates the legal issues.
There is currently no specific UK legislation governing AI. However, EU-facing organisations must consider the EU AI Act, which adds an extra layer of regulation.
AI systems used in performance management or recruitment may be classed as high risk under the EU AI Act. Where data is used to infer stress levels based on physiological factors such as heart rate or sweat analysis, this is likely to be deemed emotion recognition in the workplace, which has been banned in the EU since February 2025. The EU adopts a broad interpretation of what is meant by ‘workplace’, almost certainly capturing athletes who are contracted to teams. The only exception is for uses required for medical or safety purposes.
Organisations should therefore map AI systems processing athlete data, reassess lawful bases, and carefully structure AI governance before regulators or athletes demand it.
Competitive concerns and access to health data
An athlete’s primary concern is ensuring their highly sensitive and competitively valuable data does not reach their opponents. Used effectively, these datasets can help enhance performance, including adapting training plans, reducing injury risk and optimising recovery. In the wrong hands, however, competitors could use the same data for a competitive advantage.
While access to data collected from wearables can be restricted via technical and contractual controls, some detailed performance data can be extracted by computer vision technology. Whether such data, captured from publicly available broadcast feeds, is protectable using data privacy and/or IP laws is a complex legal question.
Regardless of the source of the data, disputes over who owns and can access athlete data are likely to intensify. As athletes increasingly evolve into commercial partners, the data generated by their performances is also becoming a valuable commodity, raising questions about who can monetise the data and for what purposes.
Athletes are becoming far more proactive in asserting their data rights. Project Red Card, led by former football manager Russell Slade, never ended up filing claims, but showed the potential impact of collective action. The project challenged the commercial use of players' performance data by betting and gaming companies without consent and represented more than 850 footballers across various leagues including the Premier League. Whether similar claims will result in litigation or drive negotiations between player bodies and sports organisations, this issue is unlikely to disappear.
Data ownership and IP
Data ownership in sports technology is a contentious issue. Wearables regularly collect an athlete's biometric data and AI systems are increasingly used to analyse it. But who ‘owns’ this data and the insights generated as the output of AI analysis?
From a data protection perspective, the UK GDPR does not confer property rights in personal data. Instead, it grants data subjects rights including access, rectification, erasure, restriction, portability, and objection. Athletes are entitled to obtain copies of their personal data, understand how it is being used, and in certain circumstances require its deletion or transfer to another controller. Additionally, where personal data is shared between organisations, how far the recipient can use it depends on the commercial terms agreed with the supplier and on the recipient’s ability to comply with data protection legislation.
From an intellectual property perspective, different considerations apply. Data from wearables usually form part of a database. There are two types of IP protection for databases and individual datasets:
- Copyright: protects the selection or arrangement of material in a database where this is original (i.e. creative); and
- Sui generis database rights: protect the content of a database where there has been substantial investment in obtaining, verifying, or presenting the data. This right safeguards this investment rather than data creation itself. Importantly, since Brexit, UK-created databases protected by the UK’s sui generis right are not automatically enforceable in the EU, reducing the effective scope of such rights created in the UK.
In practice, individual readings from a sensor are unlikely to be protected by IP rights on their own. However, copyright protection should be available where:
- Wearable data is combined with other IP (e.g. match footage); or
- The data is displayed in creative ways such as distinctive graphics or user interfaces.
Given the nature of all these IP rights, the athlete is rarely the first owner of IP generated from the data. Control over sports data is driven more by contractual arrangements, especially those governing wearable devices and the apps and platforms that store and analyse the data. Third-party technology providers, AI model developers, sports teams, leagues, and players (often via their union or player representatives) will look to negotiate agreements setting out the terms and conditions of use. Clear contractual drafting is essential to avoid disputes and to define rights.
Contracts should:
- establish a clear ownership structure - who owns the raw data, any insights derived from it, and any pooled datasets;
- delineate usage parameters - for example, a distinction between performance use, editorial use and commercial use is often appropriate;
- address secondary uses of data, such as improving products, training algorithms and benchmarking; and
- if revenue is to be generated from the data, address how this is to be accounted for between the applicable parties.
Top tips - What sports organisations should do now
1. Take a privacy-first approach.
- Confirm that you have a sound lawful basis for processing – and that you have established a separate condition where data constitutes special category data (including health data collected through wearables).
- Treat consent cautiously. It may not be valid unless the athlete has genuine choice. If in doubt, consider employment-related conditions for injury prevention and discharging duty of care obligations. Certain use cases may fall outside an employment context, in which case other conditions, including substantial public interest, should be considered.
- Be clear and transparent with athletes – at a minimum through up-to-date privacy policies, and through upfront disclosures where appropriate – to avoid unnecessary confusion and misunderstanding.
- Carry out a Data Protection Impact Assessment, especially where using innovative technology or processing biometric data or special category data on a large scale – with the ultimate aim of ensuring safeguards are in place to minimise the risks to individuals.
2. Review AI uses and assess EU AI Act exposure. Map AI tools used to analyse athlete data and flag any that infer emotional or psychological states. AI systems used in performance management or recruitment may be classed as high risk under the EU AI Act, and other considerations may apply.
3. Review and renegotiate contracts. Ensure that contracts with technology providers, leagues, broadcasters and players are clear as to what data can be gathered and what can be done with that data. Allocate data and related IP ownership precisely and, if applicable, establish terms for commercial exploitation, so all parties understand their rights and limitations. Ensure that data processing agreements clearly allocate responsibilities in accordance with UK GDPR and include provisions for data security and breach notification.
4. Prepare for athletes asserting their rights. Project Red Card demonstrated that athletes are willing to challenge the commercial use of their data. Build athlete engagement into your data governance strategy; transparency and fair dealing will help avoid disputes, reputational damage, and potential litigation. In negotiations and contracts with athletes, be clear and transparent, alert to the fact that they are likely to want to control access to, and use of, their performance data.
