Over the last decade we have seen Australian sports, such as AFL, NRL and Cricket, collect and use athlete data through wearable technology devices. Those of us who are AFL mad can get access to some of this data via the Telstra Tracker on the AFL App, which provides statistics on player speed, intensity and ground coverage during games in real time.1
It’s not just Australian sports that are interested in the collection and use of biometric data. The NFL in the US monitor players’ off-field recovery through the use of WHOOP armbands, which contain sensors that measure a range of data relevant to assessing an individual’s strain, recovery and sleep performance.2 In 2018, Formula 1 racing also introduced a new biometric race glove which is now used to monitor a driver’s heart rate as well as blood oxygen levels. The glove contains a 3mm sensor in the thumb which relays the driver’s health information to medical personnel providing support to injured drivers.3 Alpinestars (a MotoGP apparel brand) have also fitted a number of heat and physical sensors to collect data to determine what the riders were experiencing.4 Even the UFC is using wearable technology to identify ‘physiologically limiting factors’ that might hinder mixed martial arts athletes from reaching optimal levels of performance.5
Overall, the analysis of biometric data supposedly enables sporting organisations and clubs to develop better training and rehabilitation programs for athletes to both reduce the risk of injury and enhance post-injury (including post-surgery) rehabilitation.
But the collection of biometric and positional data in sport poses some interesting questions, such as who owns the data and how can that data be used? Can athletes use the data to their own advantage both on and off field? What are privacy law implications?
What is biometric data?
As a starting point, it is important to define what ‘biometric’ data actually is.
Biometric data refers to any kind of biological information which can be obtained from an individual player. These metrics could include everything from pulse rate and blood glucose, to oxygen levels, sweat rate and sleep rhythms. Some trackers used by athletes also collect positional data, which includes metrics such as position, acceleration, lateral motion, speed, and jump height.
Who owns the data being collected and ‘used’?
If we consider the ownership of data from an AFL perspective, there are numerous stakeholders potentially involved. There are, amongst others, the AFL itself, the 18 AFL clubs, the AFL Players Association representing the interests of the individual players, and the data collection partner who collated the data from the trackers. So, who owns the data being collected from the athletes? Many might assume that the data would be owned by the individual athlete, or the AFL – but what about no one at all?
In order for something to be owned in law, we need to be able to categorise it as ‘property’.
When talking about ‘records’ and data, there is a distinction between the idea that ‘property’ exists in the physical item holding those records (for example, a system which collates and stores data collected from the athletes) versus the concept of ‘property’ (if any) in the data itself.
For the purposes of this article, we are interested in the concept of ‘property’ and therefore ‘ownership’ of the data itself. It is important to keep in mind that ‘ownership’ is distinct from ‘use’ – so although there may be the existence of rights which impact how data is ‘used’, this doesn’t necessarily determine ownership.
The concept of ownership of biometric data in Australia is not straightforward. Superficially, no one actually owns biometric data. In effect, there can be no express ‘proprietary right’ or IP, in biometric data itself. In order for a proprietary interest to exist under copyright in Australia, it would need to be demonstrated that a human author has taken the data, and created an original work in a material form (ie the data put in writing). It must also be connected in some way to Australia, and must also fall into a category of work protected by the Copyright Act 1968 (Cth) (ie a literary work).
For instance, the owner of a AppleWatch does not ‘own’ the heart rate data relayed to the user. In its ‘bare’ or raw form, the data is unlikely to be a literary work, as it often lacks a human author and therefore is unlikely to attract IP protection.
However, don’t be fooled into thinking a person could rely on creating something like a database as a way of establishing a sufficient basis for asserting ownership of data under copyright laws in Australia. No specific law exists in Australia to protect databases.6
In the case of IceTV v Nine Network7 , (which overturned the Telstra v Desktop Marketing Systems8 – a case which originally established a database right), it was affirmed that copyright does not protect mere facts or information. The commercial value of facts or information is irrelevant, as copyright will protect only the particular form of expression of facts or information. In effect, it was held that in order to determine if copyright exists, particular consideration will need to be given to the originality of the work in question.
On the other hand, an example of an instance where a proprietary interest may arise in respect of biometric data is if the data is used in research. For example, if it could be demonstrated that a human author has used the data to create an original work (such as a published study looking at the heart rates of players during matches), it may be considered a literary work for the purposes of the Copyright Act 1968 (Cth) and attract IP ownership – and protection.
Protections under other areas of law
Of course, there are other rights that impact how data can be used and could offer protections in certain situations.
Arguably, quasi-proprietary rights could exist in confidential information. For example, parties can enter into agreements which create express or implied obligations. However, the information must be actually confidential.
Additionally, in the absence of property rights, parties could enter into contractual arrangements which impose limitations on how the data is collected or used. We know for example that the collective bargaining agreement (CBA) between the AFL and players requires the players to wear GPS units in matches if requested by their club.9 Section 45 of the CBA sets out how the data can be used, and in effect, leaves control of the data in the hands of the AFL.10 Interestingly, the CBA has left open the potential for further commercialisation of the data.
What about protections in privacy law?
Biometric data is considered personal and sensitive information for the purposes of the Privacy Act 1988 (Cth) (Privacy Act), which governs the ways in which certain private businesses and Commonwealth agencies can use personal information. For example, the AFL, which has an annual turnover of over $3 million dollars, is an entity which is required to comply with the Privacy Act. Under the Privacy Act, the collection or solicitation of biometric information from an individual without their consent by such an entity or agency would be inconsistent with the Australian Privacy Principles (APPs).11 Even if consent is given, APPs 3 requires that collection of biometric information to be reasonably necessary for one or more of the agency’s functions or activities.12
Under the Privacy Act, it may be possible to limit the way in which biometric data can be used or disclosed. However, it is important to note that privacy laws in Australia do not create any ownership rights for individuals – it simply gives them some control over the way that biometric data is used. For example, it may allow individuals to request a copy of their own information,13 or provide a right for the individual to refuse the collection of biometric data if it can be demonstrated that it is not reasonably necessary in order for the agency to conduct its functions or activities.
There is also an employee record exemption for employees under the Privacy Act. The exemption allows an employer to collect personal information from an employee provided that information relates to the employment of that individual (known as an ’employee record’). However, the employee record exemption doesn’t necessarily allow for the collection and use of biometric data. Importantly, in Jeremy Lee v Superior Wood Pty Ltd, the Full Bench of the Fair Work Commission found that the employee records exemption in the Privacy Act did not apply to the collection of biometric data such as fingerprints or other sensitive information. So, in the context of team sports athletes having their sensitive information collected and used by the entity that employees them, employers will need to be mindful of whether they require the consent of the athlete in circumstances where the collection of the information isn’t required or authorised under law.
Where to next?
Ultimately, there are clear difficulties in establishing any proprietary rights in respect of biometric data and it is unlikely that the IP laws in Australia will change any time in such a way that something like biometric data will attract proprietary rights. However, given the ever-evolving landscape of data collection and use globally, it’s conceivable that other rights may be established in the future (in particular, under privacy laws).
For the time being, athletes may have to look at other areas of laws to assert some sort of ‘quasi-ownership’ over their biometric data, or at least consider ways that they can negotiate some contractual restrictions in respect of the use of the data collected by stakeholders.
That’s not to say that athletes whose biometric data is currently being collected and used by a third party cannot also use that data collection to their own advantage. Referring again to the AFL as an example, players are able to request their player information under the CBA. In theory, those players could then refer to that data as an indicator of performance and use it as bargaining tool to renegotiate future contracts with clubs.
This article was written by Peter Campbell, Partner and Alexandra Douvartzidis, Solicitor.
2 ‘NFLPA Provides WHOOP to All Active NFL Players’ (10 August 2020) https://www.whoop.com/thelocker/nflpa-provides-whoop-to-players/
3’Why biometrics is the future of F1 racing overalls’, Jonathan Noble (22 May 2020) https://www.motorsport.com/f1/news/future-racing-overalls-alpinestars-biometrics/4795251/
5 ‘UFC Performance Institute Adopts New Athlete Monitoring Technology’, Jen Booton (11 September 2018), https://www.sporttechie.com/ufc-performance-institute-adopts-new-athlete-monitoring-technology/
6 However, this is not the case for foreign sports or Australian entities which may be subject to foreign data protection laws – like the European Union (EU) General Data Protection Regulation (GDPR). The GDPR applies to any business ‘established’ in the EU and any “controller” or “processor” of personal data who offers goods or services to individuals residing in the EU, or otherwise monitors the behaviour of individuals in the EU. Under the GDPR, database rights exist.
7  HCA 14.
8  FCA 612.
9 Claudia Levings (12 August 2019) https://www.cgw.com.au/publication/wearable-technology-in-sport/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=LinkedIn-integration
10 ‘Wearable technology in sport’, Sam Adams andSee the AFL’s Collective Bargaining Agreement for 2017 – 2022: https://www.aflplayers.com.au/industry-home/cba
11’Chapter 3: APP 3 — Collection of solicited personal information’ (22 July 2019) https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-3-app-3-collection-of-solicited-personal-information/
13 ‘Chapter 12: APP 12 — Access to personal information’ (22 July 2019) https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-12-app-12-access-to-personal-information/