HNK Solicitors HNK Solicitors

Footballers threaten data firms with legal action over alleged GDPR breach

A group of 850 professional footballers led by former Cardiff City and Leyton Orient manager Russell Slade are demanding compensation for use of their personal data by a range of sports data, betting, and entertainment companies.

Under the name Project Red Card, the group claims that the companies’ use of a wide range of identifiable information without the players’ permission is a breach of the General Data Protection Regulation (GDPR). As a result, they are seeking compensation for the use of their data over the past six years.

If the action is successful, it will have major implications for the sports industry as a whole, large parts of which rely on gathering detailed information about players.

In this post, we’ll look more closely at the claims put forward by Project Red Card, and we’ll consider how these claims relate to the UK’s data protection regulations. In doing so, we’ll explore how these regulations seek to safeguard individuals’ data in a world of ever-increasing connectivity and openness – and look at some of the steps you can take if you think your data has been misused.

Footballers on a pitch

The growing role of data in sports

The collection of data about professional athletes and sports stars is nothing new. For the more avid and dedicated fans, tracking the performance stats of favourite players has long been part and parcel of what it means to be a sports fan. But what has changed in recent years is the scope and scale of such data collection, particularly as it has moved from an amateur enthusiasm into a multi-million-pound global industry.

Sports data firms now routinely amass huge amounts of data on specific games – over 5,000 datapoints per game, in some cases – as well as on individual players. Slade himself stresses the significance of the issue: “On one player, and I’m not talking about a Premier League player or even a Championship player, there was some 7,000 pieces of information on one individual player at a lower league football club.”

This data is used by a wide range of companies, from betting companies to video game developers, and can lead to lucrative deals for the firms who gather it. Sportradar, who work with a network of around 900 bookmakers, recently secured a deal to become UEFA’s authorised data collector; while the value of the agreement has not been made public, a similar deal between Genius Sports and the Premier League in 2019 was estimated to be worth tens of millions of pounds.

This raises an important question: who actually owns player data, and who should be able to profit from it? The legal action threatened by Project Red Card is based on the idea that the players themselves should have control over any information that is gathered about them and the right to make decisions about how it is used.

To this end, the group has sent “letters before action” to 17 of the largest sports data firms, claiming that their practices are breaching UK data protection regulations.

The status of player data under the GDPR

The legal team supporting Slade has argued that, by not asking players’ consent or offering remuneration for the use of their data, the firms in question have breached the GDPR. The GDPR, which first came into effect in 2018, sets out strict requirements that organisations must follow if they store or process personal information.

This raises the question of what actually constitutes personal information. Do a footballer’s performance statistics, for instance, count or not?

The key part of the GDPR in this case, according to Slade’s group, is Article 4, which sets out definitions of various terms. According to Article 4 of the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person,” otherwise referred to as a “data subject”.

Obviously, this is a rather broad definition. The Article further specifies that, in order to qualify as a data subject, the individual must be identifiable from the data by reference to a specific identifier such as a name or identification number, or by factors “specific to the physical, physiological, […] cultural or social identity” of that person.

Core to Slade’s argument is that the data collected about players – which often includes physical and physiological details relating to their height, weight, age, and so on – constitutes personal data insofar as it can be used to identify them. Thus, he argues, it must be processed in accordance with the GDPR. In theory, this would give the players significant control over how this data is collected and used.

There are, of course, some complicating factors. As Wired notes in its article on this case, data companies have previously argued that, because football games are widely broadcast, a player’s performance should be considered public information and thus not covered by data protection regulations.

However, under the GDPR even publicly available information cannot be gathered and processed with impunity. Ultimately, Project Red Card’s claims will form an important test case with potentially major implications.

Close up of a person typing on the computer

HNK Solicitors can support your data breach claim

This case highlights the significant impact that the GDPR has had, and will continue to have, on the use of personal data within the UK. Since its inception in 2018, it has profoundly impacted how companies collect and store personal data, as the requirements and expectations for the safeguarding and proper use of such data are now much tighter – and the repercussions of failing to do so potentially much more severe.

As in this case, it’s clear that some significant implications of the GDPR have yet to be fully explored, and that there are many data-heavy industries that may yet find themselves significantly transformed by the regulations.

The impact of the GDPR is a consequence of how seriously it takes the rights of the individual to have control and ownership of their personal information, and the recognition that any failure to do so can have a profound impact on those affected. From financial losses to emotional distress, the misuse of your personal information can be significant and long-lasting.

That’s why it’s important to know that the GDPR enshrines the right of individuals to seek compensation if their personal data is not treated appropriately and they have suffered damage as a result.

Here at HNK Solicitors, we have extensive experience in helping those whose data has not been properly safeguarded to seek the compensation they deserve. Our expert team provide free consultations, so if you have been impacted by the misuse of your data, get in touch today. If we do think you have a case, we can offer to take it up on a no-win, no-fee basis.

To arrange your consultation, fill out the form on our website to request a call back. Alternatively, call us on 0151 203 1104 or email us at

Share article


Latest News

No Win No Fee, Free Consultation

Please fill out the form below to get started with your claim

Please enable JavaScript in your browser to complete this form.
Terms & Conditions
Skip to content