Athlete Consent As a Legal Base for Data Transfers to Third Countries for Anti-Doping Purposes, Under EU and German Law
Total Page:16
File Type:pdf, Size:1020Kb
Int Sports Law J (2017) 17:68–85 https://doi.org/10.1007/s40318-017-0112-9 ARTICLE Athlete consent as a legal base for data transfers to third countries for anti-doping purposes, under EU and German law Jacob Kornbeck1 Published online: 11 August 2017 Ó T.M.C. Asser Instituut 2017 Abstract This article aims to discuss athlete consent as a inter alia, of a valid legal base, including but not limited to legal base for data transfers to third countries for anti- the consent of the data subject (in this case: the athlete doping purposes, under EU and German law, including by concerned) or a specific legal (statutory) provision. As this summarising the legal relevance of international anti-dop- paper will show, the choice of legal base is of particular ing requirements and expectations. It presents the most importance in relation to transfers to third countries for salient features of enforceable EU and national German anti-doping purposes. The challenges involved will be data protection law, so as to arrive at an assessment of the discussed with reference to EU and German law. The relevant merits of the use of athlete consent. comparative analysis aims to identify the relative merits of athlete consent (the traditionally preferred legal base in the Keywords Anti-doping Á Data protection Á International anti-doping community) as opposed to statutory provision. data transfers Á Lawfulness Á European Union Á Germany While this article will maintain a focus on athlete consent, the intention is, in a future article, to perform a similar analysis regarding statutory provision. Such are the con- 1 Introduction flicting rules which data protection authorities (DPAs) need to know if faced with requests for authorisations to transfer 1.1 Context and problem formulation athletes’ data to third countries for anti-doping purposes. Whenever National Anti-Doping-Organisations (NADOs) 1.2 Why Germany? based in the European Union (EU) and the European Economic Area (EEA) are required to transfer the personal The choice of the legal regime of Germany is motivated data of athletes to partners operating outside the EU/EEA, fourfold. First, Germany is the cradle of EU data protection these data transfers are subjected to stricter conditions than law, as the European concept of data protection stems from those applying to intra-EU/EEA transfers. As for all data the 1970 Hessen Data Protection Act (1. HDSG 19701).2 processing operations, transfers require the demonstration, Second, Germany recently saw the entry into force of an Anti-Doping Act (Anti-Doping-Gesetz) (AntiDopG)3 which is one of the most far-reaching of any EU Member 1 Jacob Kornbeck is an EU official, yet opinions expressed are strictly Currently Hessisches Datenschutzgesetz (HDSG) in der Fassung personal and do not render official positions of any EU institution. He vom 7. Januar 1999, gea¨ndert durch Gesetz zur Neuordnung des is an external lecturer at the German Sport University (DSHS), Datenschutzes und der Wahrung der Unabha¨ngigkeit des Daten- Cologne. schutzbeauftragten in Hessen vom 20. Mai 2011 GVBL. I S. 208, zuletzt gea¨ndert durch Gesetz vom 14. Juli 2016 GVBL. I, S. 121. 2 & Jacob Kornbeck See Simitis (2011), p. 77, at 1, annotated by Simitis S. [email protected] 3 Anti-Doping-Gesetz (AntiDopG): Gesetz zur Beka¨mpfung von Doping im Sport vom 10. Dezember 2015. BGBl. I, Nr. 5, 1 European Commission, Brussels, Belgium 17.12.2015, S. 2210-2217. 123 Int Sports Law J (2017) 17:68–85 69 State (MS)4: an act of parliament including specific pro- NADOs are faced with far-reaching expectations which visions for data transfers. Third, the German NADO may be incompatible with legally binding requirements and (NADA Deutschland) is one of the biggest NADOs in the standards. Expectations are not merely of an informal EU.5 Fourth, awareness of the applicability of data pro- nature, as requirements for data sharing pervade the World tection rules to the anti-doping fight appears to be among Anti-Doping Code (WADC) and the International Stan- the highest in the EU, with books being available in Ger- dards (IS), in particular the International Standard for man which do not seem to exist in any other EU languages. Testing and Investigations (ISTI), the name of which (re- vealingly) was amended in 2015 to specifically include the word ‘‘investigations.’’ In this connection, the International 2 Legal, political and institutional framework Standard for the Protection of Privacy and Personal Information (ISPPPI)8 is of particular interest at it repre- 2.1 NADOs’ obligations under the WADC and IS sents WADA’s in-house privacy standard. In case of con- flict, national law prevails over WADC or WADC-derived NADOs based in the EU and the EEA find themselves in a rules, as recognised in the ISPPPI, which was intended to situation of double jeopardy, simultaneously facing provide a floor rather than a ceiling standard,9 which expectations from the World Anti-Doping Agency however does not prevent one respected WADC com- (WADA) and sports governing bodies (SGBs) such as the mentator from postulating that national law ‘‘is unlikely to International Olympic Committee (IOC) for the sharing of have a great influence’’ on the interpretation of WADC athletes’ personal information,6 as opposed to strict legal provisions, given the contractual nature of the obligations requirements imposing limitations, under EU and national of NADOs, athletes, etc.10 In relation to privacy and data law, regarding the sharing of such data, in particular with protection, this assessment is definitely misguided as far as partners located outside the EU. While transfers to third the law of the EU and its MS is concerned. For unlike some countries for anti-doping purposes are subject to far higher non-European privacy law models, including the ‘‘sec- standards of scrutiny than intra-EU/EEA transfers,7 toral’’ model of the USA, the ‘‘co-regulatory’’ model of Australia or the absence of any model in China,11 the European model is one based on the respect for private life and the protection of personal data as inalienable funda- mental rights. While the WADC does recognise NADOs as 12 4 For the currently most recent overview of national legislation, see ‘‘the entity(ies) designated by each country,’’ thus Backhouse et al. (2014), pending the publication of a specific study (seemingly) implying a certain national margin of appre- commissioned to Tilburg University and dealing with the NADOs’ ciation, it also requires governments to ‘‘respect the prospects for compliance with the General Data Protection Regula- autonomy’’ of their NADO(s) and ‘‘not interfere in its tion) (GDPR) by 2018. See, however, Austria’s Federal Anti-Doping 13 Act (Anti-Doping Bundesgesetz 2007) (ADBG 2007), whose § 22a operational decisions and activities.’’ Though the WADC foresees prison sentences in certain cases. 5 The organigramme currently available online lists over 30 perma- nent staff and a legal unit with six members: http://www.nada.de/de/ nada/organisation/mitarbeiter-innen/. (Accessed 20 June 2017). 8 International Standard for the Protection of Privacy and Personal 6 See in particular Art. 20.5. Roles and Responsibilities of National Information, https://www.wada-ama.org/en/resources/data-protection/ Anti-Doping Organizations: international-standard-for-the-protection-of-privacy-and-personal.(Ac- 20.5.1 To be independent in their operational decisions and cessed 20 June 2017). activities. 9 David (2013), p. 116. 20.5.2 To adopt and implement anti-doping rules and policies 10 Ibid.., p. 125: ‘[…] the law which governs the policy or rules is which conform with the Code. unlikely to have a great influence on questions of interpretation of the […] Code, in light of the increasing assimilation of the principles of 20.5.7 To vigorously pursue all potential anti-doping rule violations contractual interpretation across many jurisdictions including both within its jurisdiction including investigation into whether Athlete common law and civil systems, and the provision of Article of the Support Personnel or other Persons may have been involved in each Code relating to interpretation’. case of doping and to ensure proper enforcement of Consequences. 11 […] Swire et al. (2012), pp. 41–45. 20.5.9 To conduct an automatic investigation of Athlete Support 12 In full: ‘‘the entity(ies) designated by each country as possessing Personnel within its jurisdiction in the case of any anti-doping rule the primary authority and responsibility to adopt and implement anti- violation by a Minor and to conduct an automatic investigation of any doping rules, direct the collection of Samples, the management of test Athlete Support Person who has provided support to more than one results, and the conduct of hearings at the national level. If this Athlete found to have committed an anti-doping rule violation. designation has not been made by the competent public authority(ies), 20.5.10 To cooperate fully with WADA in connection with the entity shall be the country’s National Olympic Committee or its investigations conducted by WADA pursuant to Article 20.7.10. designee’’ (WADC, Appendix 1. Definitions, p. 137). 7 For a general introduction see e.g. Simitis (2011) or Ustaran (2012). 13 Art. 22.6 WADC. 123 70 Int Sports Law J (2017) 17:68–85 explicitly has no binding force vis-a`-vis governments,14 it appears to be irreconcilable with the principles of necessity simultaneously presents them with the ‘‘expectations of the and proportionality19 which are well established in EU and Signatories,’’15