SLIDE 1 BIG DATA, BIG PROBLEMS: ANALYSIS OF PROFESSIONAL SPORT LEAGUES CBAS AND THEIR HANDLING OF ATHLETE BIOMETRIC DATA
Sarah M. Brown June 25, 2019
SLIDE 2
Introduction
■ The North American sports market is projected to reach $78.53 billion by 2021 (Statista, 2018).
■ Athlete biometric data (ABD) provides an opportunity to create new revenue streams for professional sports leagues, teams and athletes, in addition to enhancing fan engagement and creating competitive advantages.
■ Wearables have become ubiquitous within the five major professional sport leagues.
– At a minimum, each league has integrated wearables into athlete training, but the leagues' understanding and protection of the data is still very limited.
SLIDE 3
What is ABD and Why is it Important?
■ ABD is a subcategory of big data and it is any measurement or record used to identify people as individuals; identifiers may be physiological (heart rate, temperature) or behavioral.
■ https://www.si.com/nfl/2016/01/13/super-bowl-100-player-tracking-analytics
SLIDE 4 Introduction Cont.
■ For professional sports to capitalize on these potential opportunities, the leagues must effectively manage ownership, access, privacy, use, and security of such data.
■ Appropriate league management and security is critical because ABD is an attractive commodity, and when put into a digitized format it can easily become susceptible to cyber threats, putting the athletes at risk of loss
SLIDE 5
Purpose
■ Analyze and compare the protections for ABD set forth in the collective bargaining agreements (CBAs) of the NFL, NBA, MLB, NHL and MLS.
■ Discuss the potential gaps in protection and potential athlete exposure, as well as the applicability of federal and state laws to biometric data collection.
■ Discuss current state privacy laws and privacy laws abroad (General Data Protection Regulation).
SLIDE 6 Potential Risks of ABD Collection
■ Three areas of potential risk:
1. Athlete whose data is being collected,
■ Athlete privacy and risk of misappropriation of ABD.
– https://youtu.be/ug6SM5S2sIw
– The most sophisticated wearable devices can collect up to one thousand data points per second.
2. Entity using the data (sport team), and
3. Vendor providing the wearable technology.
■ Security, including storage of ABD.
SLIDE 7 National Basketball Association & ABD
Governing Provision of ABD in NBA CBA
Management
- Team must provide an explanation of what the device will measure, what those measurements mean and the benefits to the player for obtaining such data.
- Wearable committee created to establish security protocols, review and approve requests for wearable devices.
Use
- Voluntary; only approved devices.
- In practice only.
- Medical, on-court strategic decisions, and performance.
Ownership
- N/A
Privacy
- N/A
Access
- Player (full access); Team staff (full access).
Security
- Wearable committee sets cybersecurity standards.
- Teams' security standards approved by the wearable committee.
Commercial Use
- Wearable data may not be leveraged in contract negotiations; violation is a $250,000 fine.
- Continue discussions in good faith about commercialized data.
Definition
- Measures movement information, biometric information, or other health, fitness and performance information.
SLIDE 8 Major League Baseball and ABD
Governing Provision of ABD in MLB CBA
Management
- Team must provide an explanation of the technology proposed.
- Playing Rules Committee (PRC) has the authority to approve use and devices.
- Wearable committee created and will meet biannually to discuss topics related to wearables.
Use
- Voluntary; only approved devices.
- In practice and in game.
- Medical and performance.
Ownership
- N/A
Privacy
- Wearable data is treated as highly confidential; not part of player's medical record.
Access
- Player (direct access); Team (listed personnel).
- Player may request to restrict others' access.
Security
- At player request, data is destroyed.
Commercial Use
- Commercial use is strictly prohibited.
Definition
- Any device designed to collect and/or analyze data related to a Player's health or performance.
SLIDE 9 Major League Soccer and ABD
Management
- N/A
Use
- Players may be required to wear a monitoring device in connection with training.
Ownership
- N/A
Privacy
- Performance measures may be publicly disseminated, without the Union's approval.
Access
- Team shares results with player.
Security
- N/A
Commercial Use
- N/A
Definition
- Physiological Testing
SLIDE 10 National Football League and ABD
Governing Provisions of ABD in NFL CBA
Management
- N/A
Use
- Voluntary; only approved devices.
- In practice only.
- Medical and performance.
Ownership
- N/A
Privacy
- N/A
Access
- N/A
Security
- N/A
Commercial Use
- N/A
Definition
- N/A
SLIDE 11 National Hockey League and ABD
Governing Provision of ABD in NHL CBA
Management
- N/A
Use
- N/A
Ownership
- N/A
Privacy
- N/A
Access
- N/A
Security
- N/A
Commercial Use
- N/A
Definition
- N/A
SLIDE 12 Applicable Federal Law
- Genetic Information Nondiscrimination Act (GINA)
  - Unlawful employment practice for any employment agency to discriminate against an individual because of genetic information.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - HIPAA does regulate some biometric data, but various definitions of biometric data have created ambiguity.
  - Athletes may sign waivers to exempt teams from complying with the federal requirement.
  - Department of Health and Human Services issued a statement that professional teams are likely not bound by HIPAA.
SLIDE 13
Applicable State Law
■ Biometric Information Privacy Act, 740 ILCS 14 (2008), et seq.
– Applies to any private entity, including employers.
– Employers must:
■ Provide each individual with written notice that their biometric information will be collected and stored.
– Purpose for the collection of information and length of time it will be stored.
■ Obtain the individual's express written authorization to collect and store their biometric information, prior to it being collected.
■ Develop and make available to the public a written policy establishing a retention schedule and guidelines for destroying the biometric data.
– Destruction of the data after its intended purpose has been fulfilled or three years after the employer last employed the individual, whichever comes first.
■ Allows for a private cause of action.
SLIDE 14
Applicable State Law
■ Texas biometric privacy statute (2009), Tex. Bus. & Com. Code Ann. § 503.001
– Only applies to biometric identifiers and not biometric information being used for commercial purposes.
■ Fingerprints/retina scans.
– Must provide individuals with notice and receive consent; however, written consent is not required.
– Prohibits the sale of biometric data.
– Protect data with reasonable care.
– Destroy data within a “reasonable time” that does not exceed one year after the data is no longer needed.
– No private cause of action; all claims must go through the attorney general, who can sue for enforcement of the statute and seek up to $25,000 per violation.
SLIDE 15 Applicable State Law
■ Washington biometric privacy statute (2017) Wash. Rev. Code
– Defines biometric data broadly: “any data generated by automatic measurements of an individual’s biological characteristics.”
– Requires notice and consent of the individual, but does not specify that consent must be in writing.
■ Exception: Biometric data collected and stored by a business for security purposes (preventing shoplifting, fraud, etc.)
– Does not create a private cause of action
– Business may sell data (limited circumstances)
SLIDE 16
Other Applicable State Laws
■ California Consumer Privacy Act (CCPA); goes into effect January 2020
– This law has been proposed as the potential framework for a federal regulation.
■ Alaska, Connecticut, Massachusetts and New Hampshire have all discussed and debated implementing privacy laws targeting biometric data.
SLIDE 17
General Data Protection Regulation
■ The European Union has created the General Data Protection Regulation (GDPR), which establishes a harmonized framework within the European Union for biometric data.
■ https://youtu.be/n5WJOncaHt4
SLIDE 18
General Data Protection Regulation
■ Biometric data: “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images.”
■ Objective is to prohibit the “processing” of biometric data without a person’s consent, thereby protecting individuals from having their information shared with third parties without their knowledge.
■ GDPR applies to almost any processing of electronic communications
SLIDE 19
General Data Protection Regulation
■ Main objectives/Provisions
– The right to be forgotten
– Data breach must be notified within 72 hours
– Global Law: Non-EU established organizations are subject to the GDPR where they process personal data about EU citizens.
– Data minimization principle
– Potential 4% worldwide revenue penalty
SLIDE 20 General Data Protection Regulation Lawsuits
■ Facebook (Instagram & WhatsApp) ($3.9B) & Google (Android operating system) lawsuit ($3.7B)
– Argued that the way the companies try to obtain consent is not compliant because it forces users into an all-or-nothing choice.
■ Users are asked to check a box to obtain access to services.
SLIDE 21
General Data Protection Regulation & the United States
■ Data Protection Commissioner v. Facebook & Max Schrems
– Follow-up case to the landmark Court of Justice of the European Union (CJEU) ruling striking down the “Safe Harbor” arrangement for transferring personal data of EU consumers between the EU and the United States.
SLIDE 22 In Conclusion
■ ABD is a hot commodity that needs to be adequately protected through comprehensive regulations at the league, state and/or federal level.
– 3 states have biometric data regulation, CA has a new data privacy statute effective January 2020 and a handful of other states have debated new privacy laws.
– HIPAA is not really applicable
■ The GDPR is the most extensive regulation for biometric data and is inclusive of athlete biometric data.
– GDPR can extend to companies in the US who are processing EU citizens' data.
SLIDE 23
Thank you for attending! Questions?