Editor's Note: Marjolaine is a researcher and attorney admitted to the Geneva bar (Switzerland) who specialises in sports and life sciences. Her interests focus on interdisciplinary approaches as a way of designing effective solutions in the field of anti-doping and other science-based domains. Her book “Evidence in Anti-Doping at the Intersection of Science & Law” was published through T.M.C Asser Press / Springer in late 2015. She participates as a co-author on a project hosted by the University of Neuchâtel to produce the first article-by-article legal commentary of the 2021 World Anti-Doping Code. In her practice, she regularly advises international federations and other sports organisations on doping and other regulatory matters, in particular on aspects of scientific evidence, privacy or research regulation. She also has experience assisting clients in arbitration proceedings before the Court of Arbitration for Sport or other sport tribunals.
Since the spectre of the EU General Data
Protection Regulation (‘GDPR’) has loomed over the sports sector,[1]
a new wind seems to be blowing on anti-doping, with a palpable growing interest
for stakes involved in data processing. Nothing that would quite qualify as a
wind of change yet, but a gentle breeze of awareness at the very least.
Though the GDPR does mention the fight
against doping in sport as a potential matter of public health in its recitals,[2]
EU authorities have not gone so far as to create a standalone ground on which
anti-doping organisations could rely to legitimise their data processing.
Whether or not anti-doping organisations have a basis to process personal data –
and specifically sensitive data – as part of their anti-doping activities, thus
remains dependent on the peculiarities of each national law. Even anti-doping
organisations that are incorporated outside the EU are affected to the extent
they process data about athletes in the EU.[3]
This includes international sports federations, many of which are organised as private
associations under Swiss law. Moreover, the Swiss
Data Protection Act (‘DPA’) is currently
under review, and the revised legal
framework should largely mirror the GDPR, subject to a few Swiss peculiarities.
All anti-doping organisations undertake at a minimum to abide by the WADA International
Standard for Privacy and the Protection of Personal Information (‘ISPPPI’),
which has been adapted with effect to 1 June 2018 and enshrines requirements
similar to those of the GDPR. However, the ISPPPI stops short of actually
referring to the GDPR and leaves discretion for anti-doping organisations to
adapt to other legislative environments.
The purpose of this blog is not to offer a
detailed analysis of the requirements that anti-doping organisations must abide
by under data protection laws, but to highlight how issues around data
processing have come to crystallise key challenges that anti-doping
organisations face globally. Some of these challenges have been on the table since
the adoption of the first edition of the World Anti-Doping Code (‘WADC’) but
are now exposed in the unforgiving light of data protection requirements.
Who
is who and who does what?
It is hardly a scoop for those familiar
with the World Anti-Doping Program to state that its structures are complex, relying
on an intricate network of private entities as well as public (or quasi-public)
agencies, each subject to their own applicable laws. The World Anti-Doping
Program has always struggled with reconciling its objectives of global harmonisation
with the sovereignty and diversity of national laws. National Anti-Doping
Organisations (‘NADO’s) operate at the national level; they are in charge of
doping issues across all sports in one country and are endowed with more or
less extensive enforcement powers depending on their country’s regulatory
approach to the sport sector. By contrast, international federations claim exclusive
governance over one sport worldwide, uniformly and without regard to national
borders but have to do so with the instruments available to private entities
based on contractual or similar tools of private autonomy.
Over time, the WADC has been repeatedly updated
to strike a balance between the two (national versus international) spheres and avoid positive or negative
conflicts of competence. Provisions seek to clarify attributions in areas where
international- and national-level competences collide, such as roles in
Therapeutic Use Exemption (‘TUE’) management, testing authority, or results
management responsibilities.[4]
Even as it is, there is no safeguard to prevent disputes from arising about the
proper authority to investigate and initiate proceedings for doping.[5]
Data processing activities are not exempted
from the difficulties that accompany the complexity of anti-doping. If anything,
these difficulties are rather exacerbated by data protection laws. In
particular, the GDPR seeks to create a framework within which data subjects can
easily recognise when data is being processed about them, by whom and to what
aim(s), and whom to turn to in order to exercise their rights. This forces
anti-doping organisations to be precise and unambiguous about their respective
roles and attributions among themselves and chiefly towards the data subjects,
the athletes subject to doping control.
The GDPR draws a distinction between two
major categories of entities that process personal data: an entity can be
characterised either as a data ‘controller’, or as a data ‘processor’. A
controller is defined as an entity which “alone
or jointly with others, determines the purposes and means of the processing of
personal data”. A processor is an entity “which processes personal data on behalf of” a controller.[6]
The distinction may seem rather
straightforward at first sight: the controller has a personal or commercial interest
in the data processing and decides which data to collect, from whom, and
through what means. At the other end of the spectrum, a ‘typical’ processor
receives documented instructions from a controller and merely implements these
instructions with no autonomy of decision or an autonomy limited to technical issues
and logistics. However, interrelationships are often much more subtle in
reality with considerable room for borderline situations: multiple controllers may
need to agree on their (joint) controllership of the data while operating alongside
entities that may act in part as processors, in part as controllers of their
own right for different aspects of the data processing.[7]
In anti-doping, more than half a dozen
entities may be involved in a routine doping control activity, between test planning
and the outcome of a disciplinary process. All of these will either collect or
gain access to athlete data, including sensitive data, as illustrated by the
following: an international federation decides to conduct blood testing on an
athlete from its registered testing pool but delegates sample collection to the
NADO of the country in which the athlete is currently residing. To do so, the
NADO has access to the athlete’s whereabouts filings through the ADAMS database,
managed by the World Anti-Doping Agency (‘WADA’). The NADO itself carries out
sample collection through a private service provider with its dedicated blood
control officers and decides to use the opportunity to order, in addition, the
collection of urine samples from the athlete. Upon sampling, the athlete is
asked to fill in the doping control form in front of the doping control
personnel, which includes disclosing several ongoing medication courses in the
dedicated box. Samples are then transported, in a de-identified (‘coded’) form,
by private courier from the country of collection to the international
federation’s usual WADA-accredited laboratory in a different country.
Assuming the laboratory reports an adverse
analytical finding in the blood sample, the international federation requests a
full documentation package from the laboratory and verifies whether a Therapeutic
Use Exemption on the record could be related to the adverse analytical finding.
Upon notification of the results and public announcement of the immediate
provisional suspension, the athlete requests the analysis of the B sample,
thereby de facto lifting the code on
the A sample where the laboratory is concerned. The athlete submits a series of
explanations regarding the possible causes for the adverse analytical finding, including
a report from his treating physician regarding a medical condition that might
account for the findings. The international federation may send the laboratory
documentation package and athlete explanations to external experts for
additional input and then hands over the file to its external anti-doping
tribunal members. Most data will at some point have to pass through the ADAMS
database and be stored within that database for up to ten years. However, it may
also be communicated by other (electronic or physical) means among anti-doping
organisations and their service providers and experts.
Once the disciplinary decision is issued, its
main elements are publicly disclosed by the international federation on its
website, and the decision shared with WADA and any NADO having jurisdiction
over the athlete. The NADO further decides to send the negative urine sample
for long-term storage and possible reanalysis to the WADA-accredited laboratory
that provides its storage facilities.
The above description represents an imaginary
but ultimately rather standard situation for anti-doping organisations. It does
not seem too far-fetched to identify that the international federation at the
very least acts as a controller of the athlete data processed. However, a NADO
who receives instructions to collect samples and also decides to collect
additional data (and additional biological materials) on its own and for its
own purposes, potentially acts as both a processor and controller depending on
the data at stake. A number of processors and sub-processors are involved in
the process as service providers, while the qualification of external experts
may have to be assessed on a case-by-case basis. WADA offers the ADAMS database
as an IT infrastructure for data storage and sharing for the international federation
and NADO but also uses the data to fulfil its own obligations and purposes
under the WADC, such as exercising its appeal rights or verifying compliance of
the anti-doping organisations with their duties. Arguably, at the very least
there will be three controllers of data (international federation, NADO, and
WADA) in addition to multiple processors and sub-processors.
Characterising the role of each entity as a
‘controller’ or as a ‘processor’ is far from being of academic interest only. The
two types of entities have distinct responsibilities and requirements for
lawful processing. Appropriate contractual arrangements need to be set up among
the entities involved, and data subjects must be informed of these in a
comprehensible manner allowing them to exercise their rights. Controllers have
primary responsibility for dealing with data subject requests and responding to
supervisory authorities and have a more extensive scope of liability across the
entire scope of data processing. By contrast, processors are, in essence, only
liable for their own processing activities and merely undertake to support the
controllers in their obligations towards data subjects and authorities.[8]
There is one other important difference that
carries special significance in the context of anti-doping: a processor who
acts under instructions can rely on the processing contract with the controller
responsible for the data as a lawful basis for processing.[9]
By contrast, if two or more parties qualify as controllers in their own right,
each controller needs to secure its individual lawful basis with respect to the
data subjects. The requirement of lawful processing is entwined with the discussion
around the validity of ‘consent’ to anti-doping regulations.
Lawful
basis and problematic character of consent
Processing of personal data under the GDRP
requires a lawful basis. As relevant to our topic, three types of legitimising
grounds co-exist: i.) grounds rooted in private autonomy (consent or necessity
for performance of a contract with the data subject), ii.) grounds relying on
public interest or overriding interests of the controller (e.g. pursuing a
legal claim), or iii.) a specific basis in Union or national law, e.g. for
performance of a substantial public interest or public health task.[10]
Not all grounds enter into consideration for every category of data; special
categories of data – also known as ‘sensitive’ data under the DPA – have a more
limited number of valid processing grounds.[11]
Obviously, a major part of data processed as part of doping control qualifies
as sensitive data as it relates to health,[12]
including the data gathered through analysis of doping control samples or collected
as part of TUE applications.
The traditional way for international
sports organisations to impose their rules on their ultimate addressees, i.e.,
the individual athletes, has been through contract, quasi-contractual chains of
submission, or other instruments involving a declaration of consent. The validity
of consent on the part of those who submit to anti-doping regulations is a
recurring matter for debate, in particular as its informed and voluntary
character is generally described at best as limited and more frequently as
purely illusory. The issue has been scrutinised in particular with respect to submission
to proceedings before the Court of Arbitration for Sport (‘CAS’),[13]
which the WADC imposes as a legal remedy in international doping disputes. While
acknowledging the ‘constrained’ nature of the athlete’s consent, the Swiss Supreme
Court accepts the validity of arbitration clauses in sports regulations in the
name of the needs for swift and competent resolution of sport disputes. It has,
however, imposed certain limits on the extent to which an athlete can entrust
their fate to the sports resolution system. As decided in the Cañas v. ATP case, an athlete cannot validly
waive in advance the right to challenge the CAS award in front of the Supreme
Court in disciplinary matters.[14]
In Pechstein v. Switzerland, the
European Court of Human Rights (‘ECtHR’) was asked to discuss the status of an
arbitration clause in the context of doping proceedings. It reached the same
conclusion that the only choice offered to the athlete was either to accept the
clause in order to be able to make a living by practising her sport at a
professional level or to refuse it and completely give up on practising at such
level. As a result of this restriction on the athlete’s professional life, it
was not possible to argue that she accepted the clause ‘in a free and unequivocal
manner’.[15]
In both cases, the findings were ultimately
of little consequence for the sports sector. The Swiss Supreme Court only
reviews CAS awards through an extremely narrow lens so that the power to set
strategic jurisprudence in sports matters remains with the CAS panels, whether
or not athletes retain their rights to challenge the award. Similarly, in the
Claudia Pechstein matter, the only shortcoming found in the ruling was the lack
of an option for a public hearing in CAS proceedings. Absence of genuine
consent has thus been – expressly or implicitly – compensated for by courts
through procedural safeguards, in an effort to ensure that athletes still
benefit overall from a system of justice broadly compliant with Article 6 of
the European Convention on Human Rights.
Data protection issues create a greater
challenge here, since the GDPR explicitly requires consent to be ‘freely given’,
in addition to being informed.[16]
The same is true under the Swiss DPA.[17]
The GDPR does not accommodate compensatory mechanisms to account for the
‘fictional’ character of consent in the sports context: consent that is not
optional is not free, and consent that is not free is not valid. Importantly, free
consent also presupposes that consent can be withdrawn at any time as easily as
it was given and without significant detrimental consequences for the data
subject.[18]
I will not delve here into how anti-doping
organisations can fulfil the requirement of ‘informed consent’, which as per
the GDPR requires “intelligible and
easily accessible form, using clear and plain language”.[19]
The template information notices (here
and here)
proposed by WADA currently in effect inform athletes, in essence, that their
data may be processed based on various legal grounds, may be accessed by
various entities around the world according to various data protections laws,
which may offer them various levels of protection, and that they may have
various rights and obligations under these laws. It is questionable whether explanations
in this form would satisfy the requirements for informed consent. Still, adequate
information appears at least achievable with appropriate and individualised
legal drafting supported by a data protection specialist. The question of free
consent is a much more delicate one since it is not in the hands of anti-doping
organisations to give athletes a genuine choice in this respect.
In spite of the potential financial
implications, one could argue that consent is freely given where the athlete
can choose at any time to withdraw consent to data processing, with the sole
consequence of losing the benefit of the services attached to the ‘contractual’
relationship with their sports authorities, i.e. the right to participate in
sports competitions. This would, for example, suppose that an athlete notified
of a testing attempt could elect to either submit or instead declare immediate
retirement from sport without any further consequences. Under the current rules,
however, such withdrawal of consent would trigger disciplinary sanctions, which
may include ineligibility or fines depending on the sport, and in any event,
will have a significant impact on the athlete’s reputation. The templates
proposed by WADA explicitly warn athletes about these consequences, as well as
the fact that anti-doping organisations may retain and continue processing
their data in spite of any withdrawal (see here
and here).
In fact, the WADC provides that the results management and disciplinary process
may be initiated or may continue in spite of the athlete announcing their
retirement from sport.[20]
To this day, one is still awaiting a realistic
proposal that would allow consent to anti-doping regulations to be genuinely
freely given. Most stakeholders would agree that there is no viable manner of making
compliance with anti-doping rules optional for athletes without undermining the
very notion of a level playing field.[21]
Unlike the relatively benign implications that lack of genuine consent had for
the sport dispute resolution system so far, the impossibility of creating the prerequisites
for free consent to anti-doping regulations is far more consequential in the
data protection context. Indeed, it precludes reliance on consent as a reliable
lawful basis that can be used globally by international sports governing bodies
to secure the lawfulness of their data processing. This is the case unless
courts would be willing to go against the explicit wording of data protection
laws and tolerate ‘forced’ consent as a lawful basis in the context of sport.
As the Swiss Federal Council noted in their
official communication on the Swiss Sport Act, the questionable validity of athlete
consent makes it necessary to create express legal provisions authorising
anti-doping organisations to collect and process personal data for anti-doping
purposes.[22] Under
the GDPR, processing sensitive data relying on an interest of substantial
public or public health interest equally requires a legal basis in EU or
relevant national law of a member state. Without intervention of national
lawmakers to recognise anti-doping as a matter of ‘substantial public interest’
or ‘public health’ interest and identify those entities that are entitled by
law to process data together with an appropriate description of the admissible scope
and purposes for such processing, sports organisations will continue to rest on
shaky ground when it comes to data processing and in particular processing of
sensitive data.
Proportionality
of treatment
The issue of proportionality is relevant for
almost any component of an anti-doping system. It is recognised by CAS panels
and courts as an internationally accepted standard,[23]
as part of the assessment for deciding whether an encroachment upon individual
freedoms is justifiable and justified in any given case. Proportionality is
frequently debated in connection with the severity of the disciplinary sanctions
set forth in the WADC,[24]
but it is also a test that every other aspect of the regulation must stand up
to.[25]
An important limb of the proportionality
test is the ‘necessity’ of a measure having regard to the rights affected. This
aspect was recently addressed by the European Court for Human Rights in the
context of French legislation on the whereabouts regime applicable to
professional athletes and its compatibility with privacy: “the general‑interest
considerations that make them necessary are particularly important and, in the
Court’s view, justify the restrictions on the applicants’ rights under Article
8 of the Convention. Reducing or removing the requirements of which the
applicants complain would be liable to increase the dangers of doping to their
health and that of the entire sporting community, and would run counter to the
European and international consensus on the need for unannounced testing.”[26] The ECtHR conducted its assessment with respect to the right
to privacy under Article 8 of the European Convention on Human Rights without
having regard to specific data protection provisions.
The requirement of proportionality is a
pillar of data protection in all its aspects, from the decision to collect the
data to its retention. It is enshrined both in the GDPR and in the DPA[27]
and is notably also highlighted in the WADA ISPPPI.[28]
Concerns about proportionality of the anti-doping system were expressed
by EU data protection advisory authorities as early as 2008,[29]
and numerous exchanges with WADA have ensued.[30]
Various adjustments have been made to the ISPPPI since then with a significant
review to adapt the ISPPPI to the GDPR requirements, and a new set of WADA
Guidelines adopted in 2018.
Still, the threats on proportionality are
bound to be ubiquitous in a context where standardisation is a guiding
principle of regulation. For example, the ISPPPI (Annex A) enshrines retention
times based on different categories of data (TUE, samples, whereabouts, etc.), but
with only two different retention periods overall: 18 months (newly being
reconsidered in the draft revised version as 12 months) or 10 years. These have
been criticised again in the ongoing stakeholder consultation
process as being insufficiently differentiated to be adequate.[31]
Indeed, while a column in the Annex formally indicates for each category that the
retention time has been chosen based on “necessity”
or “proportionality” criteria, Annex
A states in limine that the
limitation to two retention periods is “for
practical reasons”. These justifications cannot be easily reconciled. To
properly account for proportionality, anti-doping organisations would need to
conduct their own assessment in a more individualised fashion, adapted to their
athlete pool and sport. However, as in many other domains of doping control, one
wonders how many of them will have the resources, competences and willingness
to look beyond WADA prescriptions. Also, since most of the data must be
processed through the ADAMS database managed by WADA, anti-doping organisations
may have limited effective power over the set-up of the data deletion process.
The proportionality principle is also connected
to another fundamental requirement, which is that data processing must remain
within the ‘purpose’ defined (‘purpose limitation’ principle). The ISPPPI
contains a list of purposes for which anti-doping organisations may process
data. However, the ISPPPI gives anti-doping organisations an option to decide
to process data for other purposes related to the fight against doping,
provided they carry out a documented assessment. The WADA Guidelines propose a
template for ‘new purpose assessment’, and indicate that such new purpose could
encompass purposes that were not contemplated in the WADC nor perhaps could
even be envisaged at the time of collection. The draft
revised ISPPPI seems to go even further down this line: “In certain contexts, it may be appropriate
or necessary for Anti-Doping Organizations/WADA to Process Personal Information
for additional purposes, […] besides those already permitted or required by the
Code, the International Standard or expressly required by law, in order to
engage effectively in the fight against doping”.[32]
It is unclear how this assessment is to be effectively implemented especially
for sensitive data, be it under the assumption of a consensual basis or of one
based on national law recognising substantial public interests for anti-doping
activities. In both cases, if the actual purposes for which the data may be
used are in limbo awaiting potential
reassessment for ‘new’ purposes, it is questionable whether informed consent or
a sufficiently predictable legal basis respectively could even be created.[33]
As the claims for more ‘evidence-based’
approaches and stronger monitoring of anti-doping programs grow louder, more
thought could be spent on proportionality and purpose limitation of data
processing in anti-doping. Most of the discussion so far has revolved around
the intrusiveness of the whereabouts requirements. Whereabouts information,
however, is only collected from a limited number of high-profile athletes
(i.e., those included within a registered testing pool) and is only a fraction
of the data collected as part of anti-doping programs. In the
FNASS et al. v. France ruling, the
ECtHR essentially relied on the pleas of the anti-doping movement and
governments to find that the fight against doping pursues a public health
interest and implements it in a proportionate way. In doing so, the ECtHR seems to perpetuate a tendency of CAS and other
courts to take policy documents and consensus statements - whether enshrined or
not in international law instruments such as the UNESCO Convention against
Doping in Sport - as proof of the reality of the claims they contain[34]
without requiring much supporting evidence. In many instances, this is
technically justified by placing on the contesting party the burden of
demonstrating any lack of proportionality.[35]
On a higher level, however, it tends to create a presumption that any doubt
must benefit the cause of anti-doping.[36]
This may lead to self-perpetuating policy biases based on circular reasoning by
justifying new measures through previous, unverified claims.
Data protection laws, with their detailed requirements
and descriptions of data subject rights, may offer a foundation for a more
granular analysis than general human rights provisions under the undetermined heading
of ‘privacy’. Opportunities for legal analysis may still be hindered by the
fact that an argument related to data protection is hard to build into a
defence when athletes – or their counsel – would typically start seriously
thinking about these issues only once they become subject to investigations or
discipline for a potential breach of the anti-doping rules. CAS panels have
been rather generous in admitting evidence unlawfully obtained against
individuals charged in disciplinary proceedings.[37]
It could thus prove extremely difficult – perhaps even counter-productive as a
defence strategy – for an athlete to object to the admissibility of doping
control data obtained in breach of data protection laws, in particular when the
objection relates to a breach that leaves as much discretion to the panel as
proportionality of data collection or retention. CAS panels have repeatedly
recognised the fight against doping as an interest that overrides individual
freedoms without carrying out much of an individualised balance of the
interests at stake. [38] More promising impetus could come from a
random athlete seeking advice from supervisory authorities through the avenues
offered by his or her national data protection laws prior to exposure to a
positive test or other disciplinary action. Unfortunately, much like consumers,
athletes often seem to show little interest in their privacy until they are
confronted with some tangible detrimental consequences.
A
true plague or a real opportunity?
Some may view recent developments in data
protection laws as just another headache for sports governing bodies and deplore
the advent of a new hurdle for anti-doping organisations who aspire to take
their tasks under the World Anti-Doping Program seriously. Anti-doping
organisations advocate that they are carrying out a mission of public interest.
As we have seen, this view has been supported by various bodies and courts
around the world and is also reflected in the UNESCO Convention against Doping
in Sport. However, the GDPR does not regard public interest as an absolute
basis for all data processing; in particular, sensitive data cannot be
processed on the sole basis of an alleged public interest unless such public
interest is substantial or related to public health, and its modalities are set
out in national or EU law.
In a time where the credibility of existing
structures and procedures within anti-doping authorities is questioned, the
challenge arising from data protection standards can also be perceived as an
opportunity for the anti-doping system. The ISPPPI and related WADA Guidelines,
unfortunately, do not purport to provide solutions to the various crucial
challenge set out above but merely invite anti-doping organisations to act in
accordance with their applicable data protection laws. They give little guidance
on how this is to be achieved in the event that these laws conflict with their
duties under the WADC.
Developments in data protection force
anti-doping organisations to look at their structures, legal status and their
relationships with other organisations within the system. These developments
should also have the effect of prompting national legislators to take measures
more supportive of anti-doping policies in this domain, and in particular by
making sure that sports governing bodies benefit from an appropriate legal
basis for processing data, including sensitive data. Given that the very
purpose of the WADC is to harmonise the regulation of doping in sport worldwide
and that this objective is routinely invoked to justify restrictions on athlete
rights, it would seem somewhat counterintuitive not to afford all athletes the
same level of protection where their data is concerned. If there is truly a
general international consensus on the legitimacy of the fight against doping
and this consensus is supported by the State parties to the UNESCO Convention, those
States, at a minimum, must be willing to give anti-doping organisations the
means to carry out their tasks in a legally sustainable manner, unless and
until these States are ready to engage in a fundamental overhaul of the current
system.