The Beijing Olympics was as grand as they come — from the epic opening ceremony and state-of-the-art venues to the 24-hour media coverage. Even the anti-doping testing was done on a huge scale, with 4,770 tests carried out — a record for an Olympic Games.
Under the authority of the International Olympic Committee (IOC), the World Anti-Doping Agency (WADA) and the Beijing Organising Committee of the Olympic Games, a system was employed in which athletes were required to take spot tests at any one of 41 doping control stations. As a general rule, the top five finishers were tested, plus a further two athletes selected at random. In the end, around 40 cheats were caught.
As WADA has been at pains to point out, the fight against doping goes far beyond the Olympic Games. Before competitors in organised sports are allowed to step on to their chosen field of play, they must agree to abide by the anti-doping rules and procedures in WADA’s Anti-Doping Code. Introduced just over four years ago, the Code requires in and out-of-competition testing to determine whether athletes are using performance-enhancing substances on WADA’s prohibited substances list.
National and regional anti-doping organisations (ADOs) are therefore required to amass, analyse and transmit a massive amount of personal data, including sensitive medical details, as well as biological specimens containing information about the athlete and their health. As they do so, an increasingly challenging question arises: how do anti-drug efforts square with national and regional data protection and privacy laws?
WADA has taken the first critical step in trying to address this issue by proposing an International Standard for the Protection of Privacy. However, the provisions of the draft Standard are meeting with resistance from European data privacy regulators, who believe it does not go far enough. A clash could be on the cards, with a worst-case scenario of athletes from around the world being prevented from competing.
At present, ADOs are not subject to a global standard, code or convention that specifically mandates data privacy protection in sport. WADA began to prepare its Standard in late 2007 and engaged stakeholders in the process by circulating drafts — first in December 2007 and again in June 2008 — to receive and respond to their feedback. WADA seems to understand that it is necessary to have the input of all interested parties in order to make this international instrument work.
Now in its third draft, the Standard has been assessed by the article 29 Working Party (WP) — the independent European Union (EU) Advisory Body on data protection and privacy made up of Europe’s national data protection regulators — and is facing a challenge over the level of protection it should require. WADA set out for the Standard to be a minimum set of data privacy rules that all ADOs must adhere to in order to provide a uniform approach around the world, while recognising that organisations in jurisdictions with more restrictive data protection rules should be compelled to comply with local law. However, the WP has assessed the Standard against the most restrictive data protection laws in the world — despite the intention for the Standard to apply in several countries with few, or no, data privacy laws and little practical experience in applying privacy norms.
Without consulting or soliciting information from WADA, the WP published an opinion geared entirely towards assessing the provisions of the Standard against European data protection rules. Although the framework and core principles of the Standard, such as notice, proportionality, legitimate processing, and data security, reflect those of the EU directives, it was never intended for it to contain all of the stringent European provisions.
An example of the Standard being held to European levels of protection is the WP’s view regarding athlete consent. Under the Data Protection Directive 95/46/EC, one method of legitimising processing is by obtaining consent. This consent must be “freely given, specific and informed”. The WP considers, however, that because athletes must agree to be tested in order to compete, they cannot offer free or informed consent for the purposes of
The WP’s concerns over the validity of consents are not universally shared. Even in
In the vast majority of jurisdictions without data protection laws, it is likely to be an uphill struggle to explain to ADOs that they cannot do their job because the consent of their athletes is not sufficiently free or informed, according to the standard of a foreign legal regime.
Going forward, privacy regulators should bear in mind that the Standard represents a floor, not a ceiling: European and other ADOs that believe they must apply additional protections can and should do so. It is to be hoped that a compromise can be reached and that WADA will be able to fulfil its aim of bringing the Standard into effect by January 2009.
Dan Cooper is head of the