The Rugby World Cup win and the fervour which surrounds this glorious win remain fresh in almost every corner of South African society. Not only did this magnificent achievement demonstrate the effect of sound leadership on the nation's success, it also created a group of individuals who will forever be regarded as legends to South African society and to rugby fans worldwide. Being a legend, however, does come at some cost, and for sports stars it raises multiple questions around the demand to feed the passion of fans and a demanding media versus the individual legend's right to privacy. In this week's feature article, we touch on some of the issues that sports stars and their teams need to consider from a privacy law perspective.

Being a celebrity sports star is not an open sesame for individuals and companies to violate the privacy rights of sports stars. While media scrutiny of sports stars has always been prevalent, and while legislation like the Protection of Personal Information Act, 2013 ("POPIA") has certain exceptions which generally do not constrain the media from processing personal information of data subjects, in a world being increasingly driven by data and technology, the privacy concerns of sports stars continue to increase. Some of the concerns arise from:

  • eager fans posting all types of personal information of sports stars on social media or other channels;
  • misappropriation of the name or likeness of the sports star: players are increasingly becoming concerned about third parties using their name and/or image without consent, either for commercial purposes or for creating fake social media accounts;
  • use of virtual reality technology during live games, which allows fans to have a multi-sensory experience often from the actual player's perspective. This raises multiple concerns for the player from a privacy perspective;
  • the use of wearable technology to track the sports star's performance; the data from such devices is often made available by sports organisations to third parties such as broadcasters, gaming companies, betting organisations and even fans, usually without the consent of the sports star;
  • the transfer of players from one club to another raises the issue of what happens to data of the player (including health data) collected by the current club. Can it be transferred to the new club either at a separate cost or as part of the transfer fee? Will consent of the sport star be required before such transfer of data occurs?;
  • data theft, especially in circumstances where sport clubs are lax in their cybersecurity initiatives;
  • post theft of data, the sale of personal information to tabloids or competing teams or even scammers;
  • harassment, stalking or even slander through social media accounts of sports stars or their clubs; and
  • sports clubs sharing too much information with the media, fans or on social media pages.

This list of concerns to sports stars and their clubs is not exhaustive. For sports clubs or organisations, agents and even sports stars, it is essential that the right to privacy and the application of privacy laws are given priority especially as sport becomes increasingly intertwined with technology and data. After all, it is doubtful that many will argue against our legends being afforded their basic right to protection of their privacy.

The concerns of sports fans including attendees at games is a topic for a separate article but the risk to fans has likewise increased considerably through the use of technology such as VAR (video assistant referee), the increasing televising of sports events and social media. We will deal with this topic in a future edition. For now, enjoy the win!

POPIA in brief

Condition 5: information quality

A responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary taking into account the purpose for which such information was collected.

GDPR: article 5(1)(d)

Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (the 'accuracy' principle).

ENSpired (compliance) tip of the week

Make it easy for data subjects (including customers, suppliers and employees) to update their information and have procedures in place to action correction of data requests. Deal appropriately with emails/mails that are returned undelivered and incorrect phone numbers on your records.

case spotlight

Credit bureaus beware!

In Smeaton v Equifax Plc [2012] EWHC 2322, the UK court held that a credit reference agency, which inaccurately recorded Mr Smeaton as being bankrupt for over 5 years, was in breach of the Data Protection Act (UK), 1998, entitling him to statutory compensation under that Act. Significantly, the court also found that the credit reference agency had a common-law duty of care towards Mr Smeaton and had breached that duty by failing to take reasonable care. The Court of Appeal in Smeaton v Equifax Plc [2013] EWCA Civ 108 held that while there is no absolute obligation to maintain the accuracy of personal data, it is necessary to take reasonable steps to keep it up to date.

In 2006, the French data protection authority imposed a fine of EUR45 000 on Crédit Lyonnais as a result of claims filed by clients whose names had been incorrectly included in its consumer credit reimbursement files and, consequently, in those of the Banque de France. It also ordered that details of the fine be published in two major French business newspapers.

To view the full article, please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.