Athlete Consent As a Legal Base for Data Transfers to Third Countries for Anti-Doping Purposes, Under EU and German Law

Int Sports Law J (2017) 17:68–85 https://doi.org/10.1007/s40318-017-0112-9

ARTICLE

Athlete consent as a legal base for data transfers to third countries for anti-doping purposes, under EU and German law

Jacob Kornbeck1

Published online: 11 August 2017 Ó T.M.C. Asser Instituut 2017

Abstract This article aims to discuss athlete consent as a inter alia, of a valid legal base, including but not limited to legal base for data transfers to third countries for anti- the consent of the data subject (in this case: the athlete doping purposes, under EU and German law, including by concerned) or a speciﬁc legal (statutory) provision. As this summarising the legal relevance of international anti-dop- paper will show, the choice of legal base is of particular ing requirements and expectations. It presents the most importance in relation to transfers to third countries for salient features of enforceable EU and national German anti-doping purposes. The challenges involved will be data protection law, so as to arrive at an assessment of the discussed with reference to EU and German law. The relevant merits of the use of athlete consent. comparative analysis aims to identify the relative merits of athlete consent (the traditionally preferred legal base in the Keywords Anti-doping Á Data protection Á International anti-doping community) as opposed to statutory provision. data transfers Á Lawfulness Á European Union Á Germany While this article will maintain a focus on athlete consent, the intention is, in a future article, to perform a similar analysis regarding statutory provision. Such are the con- 1 Introduction ﬂicting rules which data protection authorities (DPAs) need to know if faced with requests for authorisations to transfer 1.1 Context and problem formulation athletes’ data to third countries for anti-doping purposes.

Whenever National Anti-Doping-Organisations (NADOs) 1.2 Why Germany? based in the European Union (EU) and the European Economic Area (EEA) are required to transfer the personal The choice of the legal regime of Germany is motivated data of athletes to partners operating outside the EU/EEA, fourfold. First, Germany is the cradle of EU data protection these data transfers are subjected to stricter conditions than law, as the European concept of data protection stems from those applying to intra-EU/EEA transfers. As for all data the 1970 Hessen Data Protection Act (1. HDSG 19701).2 processing operations, transfers require the demonstration, Second, Germany recently saw the entry into force of an Anti-Doping Act (Anti-Doping-Gesetz) (AntiDopG)3 which is one of the most far-reaching of any EU Member

1 Jacob Kornbeck is an EU ofﬁcial, yet opinions expressed are strictly Currently Hessisches Datenschutzgesetz (HDSG) in der Fassung personal and do not render ofﬁcial positions of any EU institution. He vom 7. Januar 1999, gea¨ndert durch Gesetz zur Neuordnung des is an external lecturer at the German Sport University (DSHS), Datenschutzes und der Wahrung der Unabha¨ngigkeit des Daten- Cologne. schutzbeauftragten in Hessen vom 20. Mai 2011 GVBL. I S. 208, zuletzt gea¨ndert durch Gesetz vom 14. Juli 2016 GVBL. I, S. 121. 2 & Jacob Kornbeck See Simitis (2011), p. 77, at 1, annotated by Simitis S. [email protected] 3 Anti-Doping-Gesetz (AntiDopG): Gesetz zur Beka¨mpfung von Doping im Sport vom 10. Dezember 2015. BGBl. I, Nr. 5, 1 European Commission, Brussels, Belgium 17.12.2015, S. 2210-2217. 123 Int Sports Law J (2017) 17:68–85 69

State (MS)4: an act of parliament including specific pro- NADOs are faced with far-reaching expectations which visions for data transfers. Third, the German NADO may be incompatible with legally binding requirements and (NADA Deutschland) is one of the biggest NADOs in the standards. Expectations are not merely of an informal EU.5 Fourth, awareness of the applicability of data pro- nature, as requirements for data sharing pervade the World tection rules to the anti-doping fight appears to be among Anti-Doping Code (WADC) and the International Stan- the highest in the EU, with books being available in Ger- dards (IS), in particular the International Standard for man which do not seem to exist in any other EU languages. Testing and Investigations (ISTI), the name of which (re- vealingly) was amended in 2015 to specifically include the word ‘‘investigations.’’ In this connection, the International 2 Legal, political and institutional framework Standard for the Protection of Privacy and Personal Information (ISPPPI)8 is of particular interest at it repre- 2.1 NADOs’ obligations under the WADC and IS sents WADA’s in-house privacy standard. In case of conflict, national law prevails over WADC or WADC-derived NADOs based in the EU and the EEA find themselves in a rules, as recognised in the ISPPPI, which was intended to situation of double jeopardy, simultaneously facing provide a floor rather than a ceiling standard,9 which expectations from the World Anti-Doping Agency however does not prevent one respected WADC com- (WADA) and sports governing bodies (SGBs) such as the mentator from postulating that national law ‘‘is unlikely to International Olympic Committee (IOC) for the sharing of have a great influence’’ on the interpretation of WADC athletes’ personal information,6 as opposed to strict legal provisions, given the contractual nature of the obligations requirements imposing limitations, under EU and national of NADOs, athletes, etc.10 In relation to privacy and data law, regarding the sharing of such data, in particular with protection, this assessment is definitely misguided as far as partners located outside the EU. While transfers to third the law of the EU and its MS is concerned. For unlike some countries for anti-doping purposes are subject to far higher non-European privacy law models, including the ‘‘sec- standards of scrutiny than intra-EU/EEA transfers,7 toral’’ model of the USA, the ‘‘co-regulatory’’ model of Australia or the absence of any model in China,11 the European model is one based on the respect for private life and the protection of personal data as inalienable fundamental rights. While the WADC does recognise NADOs as 12 4 For the currently most recent overview of national legislation, see ‘‘the entity(ies) designated by each country,’’ thus Backhouse et al. (2014), pending the publication of a specific study (seemingly) implying a certain national margin of appre- commissioned to Tilburg University and dealing with the NADOs’ ciation, it also requires governments to ‘‘respect the prospects for compliance with the General Data Protection Regula- autonomy’’ of their NADO(s) and ‘‘not interfere in its tion) (GDPR) by 2018. See, however, Austria’s Federal Anti-Doping 13 Act (Anti-Doping Bundesgesetz 2007) (ADBG 2007), whose § 22a operational decisions and activities.’’ Though the WADC foresees prison sentences in certain cases. 5 The organigramme currently available online lists over 30 permanent staff and a legal unit with six members: http://www.nada.de/de/ nada/organisation/mitarbeiter-innen/. (Accessed 20 June 2017). 8 International Standard for the Protection of Privacy and Personal 6 See in particular Art. 20.5. Roles and Responsibilities of National Information, https://www.wada-ama.org/en/resources/data-protection/ Anti-Doping Organizations: international-standard-for-the-protection-of-privacy-and-personal.(Ac- 20.5.1 To be independent in their operational decisions and cessed 20 June 2017). activities. 9 David (2013), p. 116. 20.5.2 To adopt and implement anti-doping rules and policies 10 Ibid.., p. 125: ‘[…] the law which governs the policy or rules is which conform with the Code. unlikely to have a great influence on questions of interpretation of the […] Code, in light of the increasing assimilation of the principles of 20.5.7 To vigorously pursue all potential anti-doping rule violations contractual interpretation across many jurisdictions including both within its jurisdiction including investigation into whether Athlete common law and civil systems, and the provision of Article of the Support Personnel or other Persons may have been involved in each Code relating to interpretation’. case of doping and to ensure proper enforcement of Consequences. 11 […] Swire et al. (2012), pp. 41–45. 20.5.9 To conduct an automatic investigation of Athlete Support 12 In full: ‘‘the entity(ies) designated by each country as possessing Personnel within its jurisdiction in the case of any anti-doping rule the primary authority and responsibility to adopt and implement anti- violation by a Minor and to conduct an automatic investigation of any doping rules, direct the collection of Samples, the management of test Athlete Support Person who has provided support to more than one results, and the conduct of hearings at the national level. If this Athlete found to have committed an anti-doping rule violation. designation has not been made by the competent public authority(ies), 20.5.10 To cooperate fully with WADA in connection with the entity shall be the country’s National Olympic Committee or its investigations conducted by WADA pursuant to Article 20.7.10. designee’’ (WADC, Appendix 1. Definitions, p. 137). 7 For a general introduction see e.g. Simitis (2011) or Ustaran (2012). 13 Art. 22.6 WADC. 123 70 Int Sports Law J (2017) 17:68–85 explicitly has no binding force vis-a`-vis governments,14 it appears to be irreconcilable with the principles of necessity simultaneously presents them with the ‘‘expectations of the and proportionality19 which are well established in EU and Signatories,’’15 defined exhaustively and normatively as a national data protection law. Finally, governments are fixed set of SGBs16: Governments ‘‘will put in place leg- expected to ‘‘respect arbitration as the preferred means of islation, regulation, policies or administrative practices for resolving doping-related disputes, subject to human and cooperation and sharing of information with [NADOs] and fundamental rights and applicable national law.’’20 Again, sharing of data among [ADOs] as provided in the Code.’’17 despite a generic national law caveat, the WADC unmis- This amounts to an invitation to national authorities to pass takably presents governments and NADOs with the such legislation as expected by (an) NGO(s): an invitation expectation that national courts of law will be recurred to heeded by Germany in adopting the AntiDopG. They ‘‘will as little as possible. And if a country has hitherto decided encourage cooperation between all of its public services or not to set up a NADO, it is expected to ‘‘work with its agencies and [ADOs] to timely share information with National Olympic Committee to establish one.’’21 Joined, [ADOs] which would be useful in the fight against doping these various provisions seem set to establish an autono- and where to do so would not otherwise be legally pro- mous set of rules outside national legal orders. hibited.’’18 Despite the reassuring reference to the lawful- Recurrent requirements for NADOs to engage in ‘‘in- ness of the expected data processing operations, the telligence’’ collecting work and in ‘‘investigations’’ per- provision’s unqualified reference to a potential usefulness vade the WADC and the ISTI. This may come as a surprise to observers with a vantage point outside the anti-doping community, as most ADOs and NADOs are not organised as public authorities with coercive powers. Even Ger- 14 Art. 22 WADC merely ‘‘set[s] forth the expectations of the many’s far-reaching new Anti-Doping Act, despite intro- Signatories.’’ Under Art. 20 WADC Governments cannot be Signa- ducing a criminal ban on doping with prison sentences up tories. Under Art. 1 International Convention against Doping in Sport to 3 years, does not change the legal status of the German 2005 (UNESCO Convention), the purpose of the Convention is to further the fight against doping. Art. 2 UNESCO Convention binds NADO (NADA Deutschland), which remains a mere pri- the Convention to the ‘‘definitions’’ which ‘‘are to be understood vate-law foundation. Under WADC terms, however, within the context of the [WADC]. However, in case of conflict the WADA is empowered to ‘‘initiate its own investigations of provisions of the Convention will prevail.’’ Art. 3 (a) UNESCO anti-doping rule violations and other activities that may Convention obliges State Parties merely to ‘‘adopt appropriate 22 measures at the national and international levels which are consistent facilitate doping,’’ and NADOs are expected to ‘‘coop- with the principles of the Code.’’ Under Art. 5, ‘‘[i]n abiding by the erate fully with WADA in connection with investigations obligations contained in this Convention, each State Party undertakes conducted by WADA pursuant to Article 20.7.10,’’23 to adopt appropriate measures. Such measures may include legisla- including investigations. NADOs therefore ‘‘shall ensure tion, regulation, policies or administrative practices.’’ While ‘‘States Parties commit themselves to the principles of the Code as the basis they are able,’’ in accordance with ISTI requirements, to for the measures provided for in Article 5 of this Convention’’ (Art. 4 ‘‘obtain, assess and process anti-doping intelligence from (1)), ‘‘the Code and the most current version of Appendices 2 and 3 all available sources to inform the development of an are reproduced for information purposes and are not an integral part effective, intelligent and proportionate test distribution of this Convention. The Appendices as such do not create any binding obligations under international law for States Parties’’ (Art. 4 (2)). plan, to plan Target Testing, and/or to form the basis of an Against this backdrop, it is easier to understand that governments investigation into a possible anti-doping rule viola- worldwide have had far fewer qualms about ratifying the UNESCO tion(s),’’24 to ‘‘investigate Atypical Findings and Adverse Convention than they have had about many other (legally more Passport Findings, in accordance with Articles 7.4 and 7.5 committing) international law conventions. The table of ratifications 25 (http://www.unesco.org/eri/la/convention.asp?KO=31037&language= respectively’’ and to ‘‘investigate any other analytical or E) (Accessed 20 June 2017) is instructive in this regard. By 22 non-analytical information or intelligence that indicates a February 2017, 184 countries worldwide were listed as having possible anti-doping rule violation(s), in accordance with accepted or even ratified. The figure 100 had been reached in 2008, a Articles 7.6 and 7.7, in order either to rule out the possible mere three years after the Convention had been open for accession. 15 Art. 22 WADC; Comment to Article 22. 16 Art. 23.1.1 WADC: ‘‘The following entities shall be Signatories 19 These principles flow from Article 8(2) CFR (EU Charter of accepting the Code: WADA, the International Olympic Committee, Fundamental Rights), Directive 95/46/EC and the relevant case law. International Federations, the International Paralympic Committee, See also European Data Protection Supervisor (EDPS) (2016) National Olympic Committees, National Paralympic Committees, 20 Art. 22.4 WADC. Major Event Organizations, and National Anti-Doping Organizations. 21 Art. 22.5 WADC. These entities shall accept the Code by signing a declaration of 22 acceptance upon approval by each of their respective governing Art. 20.7.10 WADC. bodies.’’ 23 Art. 20.5 WADC. 17 Art. 22.2 WADC. 24 Art. 5.8.1 WADC. 18 Art. 22.3 WADC. 25 Art. 5.8.2 WADC. 123 Int Sports Law J (2017) 17:68–85 71 violation or to develop evidence that would support the rights (unlike the US Constitution which extends similar initiation of an anti-doping rule violation proceeding.’’26 protection to free speech but not to privacy30), which Similarly, Art. 4.9.3 ISTI requires NADOs and other ADOs makes compliance mandatory and subject to specific to ‘‘consult and coordinate with each other, with WADA, standards which must be met in accordance with a strict and with law enforcement and other relevant authorities, in legality requirement: rather than being lawful by default, obtaining, developing and sharing information and intelli- subject to the absence of legal impediments, the lawfulness gence that can be useful in informing Test Distribution of data processing operations, ‘‘the first named principle’’ Planning, in accordance with Section 11.0 of the Interna- of European data protection law,31 require the demonstra- tional Standard for Testing and Investigations.’’27 Refer- tion of a legal base.32 For NADOs working with partners ences to ‘‘intelligence’’ are equally numerous, and high based in jurisdictions without such a requirement, this is levels of confidentiality are required.28 While these bound to pose some concrete problems in relation to the requirements sit well with an abstract concept of privacy, day-to-day business of WADC-proof anti-doping work. they may make it impossible for data subjects in the EU to ‘‘The legal status of data protection as a fundamental right exercise their rights of access, correction and deletion. Two is crucial to understanding the importance which Euro- German data protection authorities (DPAs) effectively took peans give to it,’’33 yet it cannot always be taken for the position, in assessing the bill for the current AntiDopG: granted that EU and national legal requirements are that secret investigations would be ‘‘unacceptable’’ under familiar to partners operating outside the EU.34 EU and German data protection law.29 The extent to which this argument holds obviously depends upon the degree of 2.2 NADOs’ obligations under international law recognition given to anti-doping work by the national legislator and, indeed, the German legislator gave a high Although international anti-doping conventions are some- degree of recognition by introducing criminal sanctions of times cited as possible sources of law permitting data up to 3-year prisons terms. But such recognition is absent collection and data sharing for anti-doping purposes,35 in most jurisdictions, and the fact remains that NADOs are obligations cannot bear upon NADOs, as conventions only faced with rather far-reaching expectations which may address the relevant parties. Even in MS where NADOs are have equally far-reaching privacy and data protection organised under public law (56%36), only the relevant MS implications. (not its NADO) can have any legally relevant obligations NADOs are expected to meet the expectations of and, in this case, not towards WADA, but rather towards WADA and WADA stakeholders such as sport governing the Council of Europe or UNESCO as depositories of the bodies (SGB’s), while also complying with national law. In two relevant conventions. It should also be noted that the the Member States (MSs) of the European Union (EU), this NADOs of 11 MS do not constitute a separate legal entity: poses a range of specific compliance issues, in particular rather, they are sub-entities of bigger legal entities which because privacy and data protection are EU fundamental

26 Art. 5.8.3 WADC. 30 Swire et al. (2012), p. 41. 27 Art. 4.9.3 ISTI. 31 FRA [European Union Agency for Fundamental Rights] & 28 See Art. 11.2.2 ISTI: ‘‘Anti-Doping Organizations shall have Council of Europe: Handbook on European Data Protection Law. policies and procedures in place to ensure that anti-doping intelli- Luxemburg 2014: Publications Office of the European Union, http:// gence captured or received is handled securely and confidentially, that fra.europa.eu/sites/default/files/fra-2014-handbook-data-protection- sources of intelligence are protected, that the risk of leaks or law-2nd-ed_en.pdf. Accessed 20 June 2017, p. 63. inadvertent disclosure is properly addressed, and that intelligence 32 Ibid., S. 63; Taranto (2012), pp. 83–85. German authoritative shared with them by law enforcement, other relevant authorities and/ commentaries entirely confirm this view: Gola et al. (2015), p. 110; or other third parties, is processed, used and disclosed only for supported by Simitis (2011), p. 415, at 3, with further references. legitimate anti-doping purposes.’’ See also Art. 12.3.1 ISTI: ‘‘Anti- 33 Kuner (2003), p. 16. Doping Organizations shall ensure that they are able to investigate 34 confidentially and effectively any other analytical or nonanalytical For an overview of the various approaches found outside Europe, information or intelligence that indicates there is reasonable cause to see Greenleaf (2012), as well as Swire et al. (2012), pp. 41–45. suspect that an anti-doping rule violation may have been committed, 35 See e.g. WADA: Anti-Doping and International Transfers. Work- in accordance with Code Articles 7.6 and 7.7, respectively.’’ ing Party Position. 17 June 2009. https://www.wada-ama.org/sites/ 29 Stellungnahme der Datenschutzbeauftragten der La¨nder Rhein- default/files/resources/files/WADA_AntiDopingInternationalTransfers_ land-Pfalz und Schleswig-Holstein zum Referentenentwurf des Bun- 20090617.pdf (Accessed 20 June 2017). desministeriums der Justiz und fu¨r Verbraucherschutz und des 36 According to a recent study, NADOs are a public authority in ten Bundesministeriums des Innern Entwurf eines Gesetzes zur Beka¨mp- EU MS (Cyprus, Denmark, Greece, Hungary, France, Lithuania, fung von Doping im Sport (nicht vero¨ffentlichte Version, Bear- Poland, Portugal, Romania, Spain), a ‘‘foundation’’ in four MS beitungsstand 01.09.2014). https://www.datenschutz.rlp.de/de/aktuell/ (Germany, Estonia, Luxembourg, Netherlands), a company in two 2014/images/Anti-Doping-GE_RLP_SH.pdf. Accessed 20 June 2017, MS (Austria, UK) and a ‘‘non-profit organisation’’ in two MS p. 9. (Finland, Slovenia). Backhouse et al. (2014), p. 48. 123 72 Int Sports Law J (2017) 17:68–85 are not always public authorities.37 Although NADOs may WADC einhalten).44 EU law also does not include any such face pressure from WADA and SGBs to share data with obligations (while it imposes many restrictions on data their partners in other countries, no legal obligations to do sharing, with data protection being an EU fundamental so exist as far as they have not been introduced by the right). Article 165 TFEU, on sport, cannot form the base national legislator. While the obligations, expectations and for any legally binding acts. While some MSs have trans- standards relevant to NADOs are found in the WADC,38 posed their international obligations into national law by this text has no binding legal force in itself, being rather a means of binding legislation, this is based on a national private standard-setting document. The same applies to the prerogative and reflects a deliberate choice only made in International Standards,39 which aim at further harmoni- parts of the EU.45 The German AntiDopG does not actually sation of anti-doping work. The Anti-Doping Convention40 refer to the WADC, but rather to Annex I (the Prohibited (and other sports conventions41) of the Council of Europe List) of the UNESCO Convention: a text which, according and UNESCO42 leave the choice of implementing instru- to that Convention itself, is not a binding part of the ment entirely at the discretion of their State Parties43 who, Convention.46 according even to the German Federal Court (BGH), are merely obliged to ‘‘respect WADC rules’’ (Regelungen des 2.3 NADOs’ obligations under EU and national law

As the preceding section has shown, few of the expectations 37 In eight cases (the French, Flemish and German-speaking Com- munities of Belgium, Bulgaria, the Czech Republic, Ireland, Latvia, facing NADOs are grounded in legally binding obligations Malta, Slovakia) (73%) they were found to be part of a ministry, (apart from the fact that international treaties address states, while in three MS (Croatia, Sweden, Italy) other legal forms were and not legal entities such as NADOs). But as this section will found to apply. Backhouse et al. (2014), p. 49. show, the data protection requirements against which these 38 WADA: World Anti-Doping Code 2015, https://www.wada-ama. anti-doping-related expectations are to be balanced are legally org/en/what-we-do/the-code. (Accessed 20 June 2017). binding. While the German Anti-Doping Act (AntiDopG) 39 Prohibited Substances and Methods (‘‘List’’)); International Stan- dard for Testing and Investigations (‘‘ISTI’’); International Standard makes provision for a certain data sharing framework, EU 47 for Laboratories (‘‘ISL’’); International Standard for Therapeutic Use legislation including the current Directive 95/46/EC, Reg- Exemptions (‘‘ISTUE’’); International Standard for the Protection of ulation 2016/679 48 (the General Data Protection Regulation) Privacy and Personal Information (‘‘ISPPPI’’), https://www.wada- (GDPR) (which will take full effect in 2018) and German ama.org/en/international-standards. (Accessed 20 June 2017). 40 legislation including the Federal Data Protection Act (Bun- Anti-Doping Convention 1989. CETS No. 135 (http://www.coe. 49 int/en/web/conventions/full-list/-/conventions/treaty/135). (Accessed desdatenschutzgesetz) (BDGS) and the various data pro- 20 June 2017). tection acts of the German states are all enforceable hard law, 41 European Convention on Spectator Violence and Misbehaviour at not mere soft law for best practice purposes. Sports Events 1985. CETS No. 120 (http://www.coe.int/en/web/ The demonstration of a valid legal base flows from the conventions/full-list/-/conventions/treaty/120) (Accessed 20 June principle of lawful processing enshrined in Article 8(2) 2017). Convention on the Manipulation of Sports Competitions 2014. CETS No. 215 (http://www.coe.int/en/web/conventions/full-list/-/ CFR (EU Charter of Fundamental Rights) and in relevant conventions/treaty/215) (Accessed 20 June 2017). 42 International Convention against Doping in Sport 2005. Paris, 19 44 BGH: Urteil v. 7. Juni 2016 - KZR 6/15. Nr. 97/2016. October 2005, (http://portal.unesco.org/en/ev.php-URL_ID= ECLI:DE:BGH:2016:070616UKZR6.15.0 (Pechstein), at 63. 31037&URL_DO=DO_TOPIC&URL_SECTION=201.html) (Ac- 45 Backhouse et al. (2014), Houlihan and Garcia (2012), Parzeller cessed 20 June 2017). et al. (2009) and T.M.C. Asser Instituut (2010). 43 States Parties solely undertake to: ‘‘(a) adopt appropriate measures 46 UNESCO Convention 2005, Art. 4 (2): ‘‘The Code and the most at the national and international levels which are consistent with the current version of Appendices 2 and 3 are reproduced for information principles of the Code; (b) encourage all forms of international purposes and are not an integral part of this Convention. The cooperation aimed at protecting athletes and ethics in sport and at Appendices as such do not create any binding obligations under sharing the results of research; (c) foster international cooperation international law for States Parties.’’ Art. 4 (3): ‘‘The Annexes are an between States Parties and leading organizations in the fight against integral part of this Convention.’’ doping in sport, in particular with the World Anti-Doping Agency’’ 47 Directive 95/46/EC of the European Parliament and of the Council (Art. 3). While the commitments identified in points (b) and (c) cannot of 24 October 1995 on the protection of individuals with regard to the under any circumstances be interpreted as implying ‘‘hard law’’ processing of personal data and on the free movement of such data. obligations (though binding public law instruments may be used to OJ L 281, 23.11.1995, pp. 31–50. achieve these aims), point (a) suggests a possible legal obligation. 48 This however is clarified in Art. 5: ‘‘In abiding by the obligations Regulation (EU) 2016/679 of the European Parliament and of the contained in this Convention, each State Party undertakes to adopt Council of 27 April 2016 on the protection of natural persons with appropriate measures. Such measures may include legislation, regard to the processing of personal data and on the free movement of regulation, policies or administrative practices.’’ In other words, as such data, and repealing Directive 95/46/EC (General Data Protection long as State Parties report having taken measures which they Regulation) (Text with EEA relevance). OJ L 119, 4.5.2016, themselves consider appropriate, they must be considered abiding. pp. 1–88. There is no obligation to adopt legislation. 49 For a legal commentary see Simitis (2011) and later editions. 123 Int Sports Law J (2017) 17:68–85 73

EU and German legislation.50 It is an established data Presidency.56 As the following section will reveal, some of the protection principle recognised in case law and legal lit- relevant questions have already been raised in legal scholarship, erature, especially in Germany.51 The mandatory choice yet none of them have been discussed thoroughly in the light of (Art. 45 GDPR) of a legal base for data transfers to third GDPR provisions. countries (i.e. countries outside the EU and EEA) for anti- doping purposes includes consent, legal (statutory) provision, individual agreement, standard contractual clauses 3 Political and legal debates (Art. 48 GDPR) as well as binding corporate rules (Art. 47 GDPR), all of which may under some conditions provide 3.1 Public policy debates at EU level appropriate safeguards. Among these potential legal bases, this paper aims to provide a comparative discussion of con- It was in 2008 that the EU policy community started sent versus legal provision in the light, in particular, of the realising that expectations from WADA regarding data provisions enshrined in the GDPR which entered into force in processing operations by NADOs were bound to pose 2016 and will take full effect in 2018, at which point in time it problems under EU data protection law. At that stage, the will replace Directive 95/46/EC. Consent is of particular regulatory framework was limited to Directive 95/46/EC interest as it has traditionally been relied upon in sport and and national legislation (the GDPR was only proposed by anti-doping,52 while the option of a statutory provision the Commission in January 2012), yet this was already became reality in Germany, on 1 January 2016, with the entry sufficient to make these expectations, including a draft of into force of a new anti-doping act (AntiDopG). Although this what was to become the ISPPPI57, emerge as conflicting legal base is not entirely unproblematic, it provides an explicit with legally binding rules. When the Commission asked the legal framework for a practice which, until now, relied solely EU Article 29 Data Protection Working Party (WP29)58 to on the more questionable base provided through the consent assess the first59 and the second60 draft ISPPPI circulated of the athletes concerned. by WADA, these Opinions were misread in the anti-doping While in the EU data protection is a fundamental right, it has community and communication problems followed.61 to be balanced against the aims and objectives of anti-doping However, already in May 2009, an EU anti-doping which however, as discussed,53 are not based upon legally binding commitments or obligations. Also, the aims and values 56 Ministry of Health, Welfare and Sport [The Netherlands]: Report represented by the anti-doping fight are not those of funda- on EU Anti-Doping Conference, 15 June 2016 in Amsterdam: ‘‘The mental values within the meaning of the CFR. A ‘‘fundamental fight against doping in the EU legal framework: balance between right to participate in doping-free sport’’ has been proclaimed effective anti-doping measures and fundamental rights.’’ Organised 54 by the Ministry of Health, Welfare and Sport in the context of the EU unilaterally by WADA, yetthisproclamationisdevoidof Presidency of the Netherlands. http://auteurs.allesoversport.nl/wp- legal meaning, at least in an EU context: such a fundamental content/uploads/2016/06/Report-on-the-anti-doping-conference-15- right does not exist in the legal order of the EU (and presumably June-2016-1.pdf. Accessed 20 June 2017. not in that of any of its MSs), even when the WADC has been 57 International Standard for the Protection of Privacy and Personal ‘‘transposed’’ (u¨bertragen)55 into national legislation. Against Information, https://www.wada-ama.org/en/resources/data-protec tion/international-standard-for-the-protection-of-privacy-and-personal this backdrop, how is the question of consent versus statutory (Accessed 20 June 2017). provision to be understood under the terms of the GDPR? This 58 Set up under Article 29 Directive 95/46/EC, composed of question is of particular importance as NADOs will need to representatives of each DPA, of the European Data Protection comply with the GDPR from 2018 onwards: a fact reflected at a Supervisor (EDPS) in charge of ensuring compliance with EU data conference organised, in June 2016, by the Dutch EU protection rules by EU institutions, agencies and bodies, and of the European Commission, and to be replaced in 2018, under the terms of Art. 68 GDPR by the future European Data Protection Board (EDPB). 59 50 See Sect. 4.1 (infra). Opinion 3/2008 on the World Anti-Doping Code Draft Interna- tional Standard for the Protection of Privacy. Adopted on 1 August 51 See Sect. 2.1 (supra) with comprehensive references. 2008. 1576-00-00-08/EN. WP 156. http://ec.europa.eu/justice/data- 52 Deutscher Bundestag: Drucksache 18/4898. 13.05.2015. Geset- protection/article-29/documentation/opinion-recommendation/files/ zentwurf der Bundesregierung. Entwurf eines Gesetzes zur Beka¨mp- 2008/wp156_en.pdf. Accessed 20 June 2017. fung von Doping im Sport. http://dip21.bundestag.de/dip21/btd/18/ 60 Second opinion 4/2009 on the World Anti-Doping Agency 048/1804898.pdf. Accessed 20 June 2017, p. 36. (WADA) International Standard for the Protection of Privacy and 53 See Sect. 2.1–2.2 (supra). Personal Information, on related provisions of the WADA Code and 54 WADC, p. 11. on other privacy issues in the context of the fight against doping in 55 Deutscher Bundestag: Das Dopingkontrollsystem in Deutschland. sport by WADA and (national) anti-doping organizations. Adopted on Rechtlich-regulative Grundlagen und Reformoptionen. WD 10 - 3000 6 April 2009. 0746/09/EN. WP 162. http://ec.europa.eu/justice/data- - 084/14. 03. 11. 2014. https://www.bundestag.de/blob/410226/ protection/article-29/documentation/opinion-recommendation/files/ aa21e92fbf398877cb19faedb2be1809/wd-10-084-14-pdf-data.pdf. 2009/wp162_en.pdf. Accessed 20 June 2017. Accessed 20 June 2017, p. 13, fn. 24. 61 Waddington (2010). 123 74 Int Sports Law J (2017) 17:68–85 conference including a substantial data protection work- 3.2 Legal scholarship shop took place in Athens with several high-ranking WADA representatives attending; the conference recog- While political debates at EU level started in 2008, nised that the problems were real and had to be addres- NADOs had not started processing athletes’ personal data sed,62 and WADA Executive Committee had adopted a just then (though the streamlining of whereabouts revised ISPPPI only 5 days earlier.63 The conference was requirements in the WADC 200968 may have lent extra to remain the single most important such event at EU level visibility to what was already going on in practice). Around until another conference was organised, in June 2016 in 2009, some scholars had noticed that anti-doping policies Amsterdam, by the Dutch EU Presidency.64 WP29 was in general, and whereabouts requirements in particular, later to contribute actively to the 2011–13 revision of the posed problems in relation to privacy.69 Some contribu- WADC,65 and in 2014 an Opinion on the level of data tions reach further back,70 but this type of scholarship was protection afforded by the provincial regime of Que´bec not always legal, and it usually referred to privacy rather (where WADA’s servers are located) was published.66 than to data protection, whereas in an EU context the latter Finally, in 2016 the European Commission commissioned is a far more specific concept; also, data protection law sets an external study with Tilburg University to prepare a specific procedural requirements which are not known research report on data protection law aspects of anti- under the more general concept of privacy.71 While both doping activities in the EU.67 are fundamental rights in the EU, guaranteed under Art. 7 and 8 of the Charter of Fundamental Rights (CFR), 62 EU Conference on Anti-Doping: Organised by the European respectively, the right to privacy (Art. 7 CFR) does not Commission. Athens, Greece, 13–15 May 2009. Conclusions of the require NADOs to take specific action like the right to data Conference. http://old.minedu.sk/data/USERDATAEN/Sport/Anti protection (Art. 8 CFR) does. With a few notable excep- Doping/athens_conf_conclusions_final_version_en.pdf (Accessed 20 tions, legal scholarship on the subject matter had started June 2017). relatively late as well. The data protection commissioner of 63 See European Commission press release: IP/09/733. Brussels, 11 May 2009. World Anti-Doping Agency adopts revised data protection the Swiss canton of Zurich appears to have released standard and continues successful dialogue with the EU. http://europa. guidelines as early as 2003, which was reflected in one eu/rapid/press-release_IP-09-733_en.htm (Accessed 20 June 2017). book chapter by a Swiss data protection colleague.72 In a 64 Ministry of Health, Welfare and Sport [The Netherlands]: Report Swiss legal PhD thesis from before the WADC 2009, on EU Anti-Doping Conference, 15 June 2016 in Amsterdam: ‘‘The Flueckiger identified ‘‘unlawful interferences with [ath- fight against doping in the EU legal framework: balance between effective anti-doping measures and fundamental rights.’’ Organised letes’] personality specifically caused by data processing 73 by the Ministry of Health, Welfare and Sport in the context of the EU operations’’ for anti-doping purposes, as well as a general Presidency of the Netherlands. http://auteurs.allesoversport.nl/wp- absence of awareness that established practices might pose content/uploads/2016/06/Report-on-the-anti-doping-conference-15- privacy concerns.74 Flueckiger attributed this disconnect June-2016-1.pdf. Accessed 20 June 2017. with an established practice in restricting access to Swiss 65 See 05.03.2013 Letter from the Article 29 Working Party addressed to World Anti-Doping Agency, regarding 3rd stage of courts in anti-doping litigation cases and the ensuing WADA’s consultation in the context of the review of the World Anti- impression, on the side of SGBs, of not being subject to the Doping Code and its International Standards, http://ec.europa.eu/ laws of the land.75 He hoped SGBs would gradually change justice/data-protection/article-29/documentation/other-document/files/ their mentality and commit themselves to the protection of 2013/20130305_letter-to-wada_en.pdf. Accessed 20 June 2017. See 76 also Contribution of the Article 29 Working Party to the 3rd stage of athletes’ privacy, thereby devoting three pages to what WADA’s consultation in the context of the review of the World Anti- appears to be the first study into international data transfers Doping Code and its International Standards – Ref. Ares(2013)289160 for anti-doping purposes, assessing these under Swiss data – 05/03/2013. http://ec.europa.eu/justice/data-protection/article-29/doc umentation/other-document/files/2013/20130305_letter-to-wada_annex_ 68 en.pdf. Accessed 20 June 2017. ‘‘In order to end the inconsistencies of ‘‘whereabouts’’ regimes 66 across different IFs and NADOs, WADA implemented a uniform Opinion 7/2014 on the protection of personal data in Quebec. series of strict ‘‘whereabouts’’ requirements to harmonize the Adopted on 4 June 2014. 14/EN. WP 219. http://ec.europa.eu/justice/ procedures and sanctions for no-notice out-of-competition testing.’’ data-protection/article-29/documentation/opinion-recommendation/ Halt (2009), p. 272. files/2014/wp219_en.pdf. Accessed 20 June 2017. 69 67 E.g. Halt (2009) and Hanstad and Loland (2009). ‘‘The EU accepted the TILT proposal for a study on anti-doping and 70 data protection (implementing framework contract JUST/2014/DATA/ E.g. Malloy and Zakus (2002). 71 FW/0038). One of the objectives is to prepare a complete list of all On this distinction see Docksey (2014, 2016). relevant legislation at national level in the 28 EU Member States, 72 Baeriswyl (2006). defining provisions (purpose, scope and nature) providing a legal basis 73 Flueckiger (2008), p. 307, at 1164, translation J.K. for the processing (which includes collection and transfers) of personal 74 Ibid., p. 307, at 1165, translation J.K. data in the context of anti-doping activities.’’ https://www.tilburguni 75 versity.edu/research/institutes-and-research-groups/tilt/research/current- Ibid., p. 307, at 1165. major-research-projects/ (Accessed 20 June 2017). 76 Ibid., p. 310, at 1175. 123 Int Sports Law J (2017) 17:68–85 75 protection law as well as under the Council of Europe’s Pfalz86), Weichert, published the book review already data protection convention (‘‘Convention 108’’).77 referred to, criticising the justifications used to support After 2009, three legal PhD theses are known to have the ‘‘Whereabouts’’ requirements of the WADC and been defended in Germany which look into data protection referring to the WADA-sponsored ADAMS database aspects of the anti-doping fight. Despite some reservations, (Anti-Doping Administration and Management System) Niewalda78 and Mortsiefer found data protection and anti- as ‘‘a control and surveillance system of great informa- doping to be reconcilable in principle.79 These theses were tional calibre, yet not particularly well thought out.’’87 viewed rather critically by Weichert, the retired data pro- Wedde, a labour law scholar commissioned by a trade tection commissioner of the German state of Schleswig- union of basketball players, submitted a legal opinion, Holstein, in a detailed book review.80 Weichert found calling for a specific legal base to be created by the Niewalda’s approach too academic, while by using an German legislator.88 International sports trade unions outspoken ad-hominem argument he took Mortsiefer’s contributed one study89 and several policy statements90 position as General Counsel to the German NADO (NADA which seem to vindicate Weichert. The equally retired Deutschland) as a sign of bias. A thesis which proved far federal German data protection commissioner, Schaar, less favourable to the extant anti-doping rules and practices authored a detailed opinion.91 Intriguingly, this text was that of Neuendorf,81 a former elite handball player, appears to be the manuscript of a paper delivered at a who did not hesitate to draw also on her personal experi- sports law conference; but the organisers appear to have ence having been subjected to the surveillance involved decided not to include it in the conference report, and the and the threat of sanctions: ‘‘In addition to a feeling of paper is only available on the website of Schaar’s former permanent hindrances to my free movement and fear of the office. Yet, the debate on data protection in anti-doping serious consequences for my sporting career if I made carries on, with papers being published in German legal mistakes when providing whereabouts, I also started journals addressing the public disclosure of results,92 as doubting about the lawfulness of the system under data well as on data transfers to third countries.93 The use of protection law.’’82 Neuendorf’s assessment was based on big data in sports in general was discussed critically in the legal framework in force in Germany until 31.12.2015 another article,94 as was the use of an anti-doping IT tool when no legal provision could be claimed as a legal base called eves.95 By early 2017, German legal scholarship (the AntiDopG entered into force on 01.01.2016) and had definitely recognised the acuity of privacy issues in athlete consent was the only option available. ‘‘Despite the sport and anti-doping, and the German book market was advantages they offer to the SGB system,’’ she did not the only one boasting a data protection handbook written think that the widespread use of indirect, chain-like legal for the sports sector and marketed by a major national obligations (dynamische Verweisungen), whereby athletes legal publisher.96 are deemed bound by rules which have only been accepted by federations to which they, as members of affiliated clubs, are indirectly affiliated, would stand judicial 83 review. ‘‘The widespread processing of highly sensible 86 Positionspapier des Landesbeauftragten fu¨r den Datenschutz data can hardly be justified by the interests of an efficient Rheinland Pfalz (LfD Rh.Pf.) und des Unabha¨ngigen Landeszentrums anti-doping fight,’’84 which is why Neuendorf called for a fu¨r Datenschutz Schleswig-Holstein (ULD). Mainz und Kiel, 26. Juli 2011. Datenschutz und Dopingbeka¨mpfung, https://www.datenschutz more efficient protection of athletes’ individual rights. zentrum.de/allgemein/20110726-positionspapier-dopingbekaempfung. 85 Further legal scholarship is exclusively post-2009. html. Accessed 20 June 2017. The retired data protection commissioner of the German 87 Weichert (2011), p. 166, translation J.K. state of Schleswig-Holstein (who just before retiring had 88 Wedde (2011). co-authored a highly critical legal opinion together with 89 Palmer et al. (2011). his regulator colleague from the state of Rheinland- 90 12. February 2013. 100,000 Elite Athletes Call for Fundamental Reform at WADA, http://www.euathletes.org/media-press/news-from- eu-athletes/eu-athletes-news/browse/5/article/100000-elite-athletes- 77 Ibid., pp. 82–84, at 269–276. call-for-fundamental-reform-at-wada/news.html?tx_ttnews%5Bback 78 Niewalda (2011). Pid%5D=361&cHash=e10b6cd12687f37d79263c538221798c. Accessed 79 Mortsiefer (2010). 20 June 2017. 80 Weichert (2011), pp. 166–167. 91 Schaar (undated). 81 Neuendorf (2015). 92 Lambertz (2015). 82 Ibid., p. 5, translation J.K. 93 Kornbeck (2016a, 2017). 83 Ibid., p. 68, translation J.K. 94 Bo¨rding and von Scho¨nfeld (2016). 84 Ibid., p. 188, translation J.K. 95 Plass and Giffeler (2016). 85 Exception: Weichert (2005). 96 Sreball et al. (2014). 123 76 Int Sports Law J (2017) 17:68–85

4 Consent as a legal basis for data transfers principle’’107 of EU and Council of Europe data protection to third countries law, the principle of lawful processing, though in semanti- cally different terms, renders the meaning of the German 4.1 Lawfulness requirement and fundamental right concept of ‘‘of prohibition with the reservation of permission’’ status (Verbot mit Erlaubnisvorbehalt).108 Since the 1977 German Data Protection Act (2. BDSG), this has been an established The demonstration of lawfulness for processing personal data principle applying to all stages of data processing109:the is mandatory under EU and German data protection law: not prohibition applies ‘‘as long as no specific permission has merely a matter of good governance or best practice, but one been granted by law or by the data subject.’’110 The standard of legal compliance. At the highest level of prescription, the of lawfulness is higher than one of mere fairness and con- Charter of Fundamental Rights (CFR) guarantees ‘‘the right to tingent upon a detailed assessment ‘‘in each case and for each the protection of personal data concerning him or her’’ to phase of the processing operations.’’111 Failure to meet these ‘‘everyone,’’97 without limitation as to any groups of sectors. requirements makes the planned data processing unlawful.112 Data ‘‘must be processed fairly for specified purposes and on Due to the fundamental rights-based, specific, procedural and the basis of the consent of the person concerned or some other positive nature of EU data protection law requirements, legitimate basis laid down by law;’’98 and consent thus is a lawfulness goes beyond mere fairness.113 legal base alongside statutory provision, though it is open to Since the protection of personal data is a fundamental challenges as to whether it was given on a free and informed right in the EU, the absence of equivalent guarantees basis or not. Finally, compliance is ‘‘subject to control by an poses a problem whenever dataaretransferredtojuris- independent authority:’’99 the national (and in Germany dictions where there is no such constitutional require- regional) data protection authorities (DPAs). CFR provisions ment, such as the USA. Criticising the Court’s only become enforceable when backed by treaty provisions Schrems114 ruling on the basis that ‘‘it would be unre- and secondary legislation. Before the entry into force of the alistic and counterproductive to demand total worldwide Lisbon Treaty, data protection was guaranteed through harmonization of data protection laws’’,115 or arguing Directive 95/46/EC,100 which in the mid-1990s had been that registration under the Safe Harbor programme was enacted to ensure the smooth functioning of the single mar- equivalent with compliance with EU law,116 misses the ket101; this was no simple exercise, as MS with extant data point to the extent that one wonders if the omission is protection laws were more reluctant to transpose the directive wilful. In 2015 the High Court of England and Wales, in into national law, fearing a levelling down of standards.102 But in the post-Lisbon treaty framework, the Treaty on European Union (TEU) empowers the European Parliament and the Council to adopt secondary legislation103:datapro- tection had then become‘‘constitutionalised’’.104 The lawful- 107 ness requirement is further enshrined in enforceable EU105 FRA [European Union Agency for Fundamental Rights] & 106 Council of Europe: Handbook on European Data Protection Law. and German data protection law. As ‘‘the first named Luxemburg 2014: Publications Office of the European Union, http:// fra.europa.eu/sites/default/files/fra-2014-handbook-data-protection- 97 Art. 8(1) CFR. law-2nd-ed_en.pdf. Accessed 20 June 2017, p. 63. 98 Art. 8(2) CFR. 108 Gola et al. (2015), p. 110; supported by Simitis (2011), p. 415 99 Art. 8(3) CFR. with further references. 109 100 Directive 95/46/EC of the European Parliament and of the Simitis (2011), p. 415: annotation by Scholz P, Sokol B. Council of 24 October 1995 on the protection of individuals with 110 Gola et al. (2015), p. 110; translation J.K. regard to the processing of personal data and on the free movement of 111 Simitis (2011), p. 418, at 12: annotation by Scholz P, Sokol B.; such data. OJ L 281, 23.11.1995, p. 31–50. translation J.K. 101 Simitis (2011), p. 164, at 214. 112 Simitis (2011), p. 415, at 3: annotation by Simitis S. 102 Simitis (2011), p. 162, at 210. 113 Taranto (2012), p. 83: ‘‘an act could be fair between private 103 Art. 16 TEU. participants but unlawful by virtue of legal rules.’’ 104 Simitis (2011), p. 179, at 243. 114 Judgment of the Court (Grand Chamber) of 6 October 2015. 105 Art. 7 Directive 95/46/EC; Art. 6 GDPR; Art. 4 Reg. No 45/2001 Maximillian Schrems v Data Protection Commissioner. Request for a (Regulation (EC) No 45/2001 of the European Parliament and of the preliminary ruling from the High Court (Ireland). Case C-362/14. Council of 18 December 2000 on the protection of individuals with ECR: electronic only. ECLI:EU:C:2015:650. regard to the processing of personal data by the Community 115 Determann (2016), p. 248. institutions and bodies and on the free movement of such data. OJ 116 Determann 2016), p. 248: ‘‘at the time when the CJEU cast its L 8, 12/01/2001, pp. 1–22). judgment, about 5500 of roughly 6 million companies in the USA had 106 §4 BDSG (Bundesdatenschutzgesetz); §11 HDSG (Hessisches registered under the Safe Harbor programme and thus committed to Datenschutzgesetz). compliance with EU data protection law principles’’. 123 Int Sports Law J (2017) 17:68–85 77 its Vidall-Hall decision,117 affirmed that no pecuniary controller (Art. 6(1)(c) GDPR); protection of vital interests tort is required to trigger a right to a remedy whenever of the data subject or of another natural person (Art. data protection rights are infringed, since Art. 47 CFR 6(1)(d) GDPR); performance of a task carried out in the requires a remedy corresponding to each CFR-guaran- public interest or in the exercise of official authority vested teed fundamental right. The level of protection is among in the controller (Art. 6(1)(e) GDPR); protection of the the highest in the world118 (notwithstanding criticism legitimate interests of the controller or by a third party, as from some US119 and EU120 scholars) and the European long as this does not interfere with the interests or funda- model appears to be followed by more countries world- mental rights of the data subject, especially if the data wide than the US model.121 DPAs in the EU must take a subject is a child (Art. 6(1)(f) GDPR). In the case of data restrictive approach towards data transfers to third countries, processing operations by NADOs, it seems safe to assume since a too liberal practice could lead to fundamental rights that only the consent of the relevant athlete as a data violations,122 including through further transfers to and data subject (Art. 6(1)(a) GDPR) and, contingent upon specific processing in, unregulated ‘‘data havens’’123 (one of the provisions in national law, public interest or the exercise of concerns which led to the adoption of Directive 95/46/EC). official authority (Art. 6(1)(e) GDPR) can be claimed as The volume of data transfers for anti-doping purposes appears grounds of lawfulness. While the performance of a contract to be important,124 meaning that these operations deserve between the data controller and the data subject (Art. being taken seriously by DPAs. But anti-doping is not the 6(1)(b) GDPR) would probably seem a natural choice of only sector that would like to profit from exemptions from legal base from the perspective of WADA, of NADOs and data protection rules and, as the example of free movement of their partners, this avenue was effectively closed by for athletes shows in the case of the ECJ’s Bosman deci- WP29 over a decade ago, as it ruled that multinational sion125 and the subsequent follow-up shows126, unilaterally companies could not centralise HR management operations pushing for exemptions is not always the most successful across continents merely to save overheads and thereby strategy. invoke the performance of an employment contract EU and German data protection law both foresee that between the company and its employee, as no objective the requirement for a legal base can be met either through a reason (other than the cost-saving argument) would dictate specific legal provision or by demonstrating that the data the necessity of such transfers to third countries.127 It subject has consented validly. EU law is more specific in would seem that an Art. 6(1)(b) GDPR exception can only enumerating the valid cases of lawfulness (Art. 7 Directive be safely claimed when the data subject clearly benefits 95/46/EC; Art. 6(1) GDPR), including consent (Art. from the data transfers concerned (e.g. hotel bookings, car 6(1)(a) GDPR) as well as a detailed enumeration (not rentals).128 The case of athletes complying with anti-dop- found in Germany’s BDSG) of the remaining valid grounds ing regulations which have been developed and enacted for processing: performance of a contract between the data without their involvement (independent sports trade unions controller and the data subject (Art. 6(1)(b) GDPR); ful- have no seats on WADA governing bodies), even when as filment of a legal obligation on the part of the data amateurs these athletes are technically not employees (although the ECJ/CJEU has consistently ruled that a de facto notion of sports professionals has to be used), would 117 High Court of England and Wales: Judith Vidall-Hall, Robert come far closer to the HR case than to the hotel book- Hahn and Marc Bradshaw v Google Inc. [2015] EWCA Civ 311. ing/car rental case: compliance with anti-doping regula- Judgment of 27 March 2015. Case No: A2/2014/0403. (https://www. judiciary.gov.uk/wp-content/uploads/2015/03/google-v-vidal-hall- tions is not an elective but an obligation for athletes. judgment.pdf) (Accessed 20 June 2017) (Vidall-Hall). Consent (Art. 6(1)(a) GDPR) may be claimed as a rule, but 118 Kuschewsky (2014), p. 261. is subject to assessment of the free and informed nature of 119 E.g. Determann (2016). the consent provided, while public interest or the exercise 120 E.g. Koops (2014). of official authority (Art. 6(1)(e) GDPR) can only be 121 Greenleaf (2012). claimed if the national legislator has made specific provi- 122 Blume (2015), p. 34. sions in this regard. 123 Simitis (2011), p. 136, at 149: annotation by Simitis S. 124 Senećal (2006), p. 4. 125 Judgment of the Court of 15 December 1995. Union royale belge des socie´te´s de football association ASBL v Jean-Marc Bosman, Royal club lie´geois SA v Jean-Marc Bosman and others and Union 127 WP29: Working document on a common interpretation of Article des associations europeénnes de football (UEFA) v Jean-Marc 26(1) of Directive 95/46/EC of 24 October 1995. Adopted on 25 Bosman. Case C-415/93. ECR 1995 I-04921. Judgment November 2005. WP114. http://ec.europa.eu/justice/policies/privacy/ ECLI:EU:C:1995:463. Opinion ECLI:EU:C:1995:293. docs/wpdocs/2005/wp114_en.pdf. Accessed 20 June 2017, 15. 126 Parensen (1998). 128 Simitis (2011), p. 501, at 17: annotation by Simitis S. 123 78 Int Sports Law J (2017) 17:68–85

4.2 Lawfulness of transfers to third countries a territory or an international organisation is deemed to offer an adequate level of protection, Art. 45 GDPR allows In spite of an explicit reference to anti-doping enshrined in transfers to that destination without ‘‘any specific authori- Recital 112 GDPR,129 the usual standards and guarantees sation.’’ But since the Court’s ground-breaking Schrems must be met for data transfers to third countries to be judgement of 6 October 2015,137 even the existence of an lawful. As the court ruled in Lindquist,130 data are not adequacy decision cannot ipso facto be taken as proof that merely uploaded when they can be accessed by others. transfers to the country in question are always lawful and They are effectively transferred,131 and under the GDPR can never be challenged by data subjects,138 who may even data controllers based outside the EU may be liable complain to DPAs and, if aggrieved by DPA decisions, for data processing affecting data subjects in the EU, in may seek review and redress in the courts of law. In particular if the relevant operations lead to a de-facto Schrems, the Court invalidated the Commission decision139 profiling (‘‘the monitoring of their [data subjects’] beha- which, since the year 2000, had granted recognition to the viour)’’132: a criterion which the increasingly intelligence- Safe Harbour regime of voluntary self-regulation. Doubts driven data sharing between NADOs, WADA and their had been voiced within the European Parliament140 at the partners clearly meets.133 When personal data are trans- time when Safe Harbour was adopted, but the rules were ferred to a third country or an international organisation applicable during a 15-year period. As a result of the (e.g. to a WADA server in Canada or to another partner court’s invalidation and its insistence that DPAs must organisation based outside the EU/EEA), Chapter V (Art. investigate allegations from data subjects of interferences 44-50) GDPR applies. Yet although a third country or an with their fundamental rights, the Commission drew the international organisation may benefit from a certain flex- conclusion that all extant adequacy decision may need a ibility on the part of the DPA of the MS from which the reassessment.141 data were initially transferred, possible onward transfers Regarding transfers to WADA’s servers in Canada, the into another third country or international organisation are Commission adequacy decision142 only applies to the covered by Recital 101 GDPR according to which the level federal Personal Information Protection and Electronic of protection guaranteed in the EU must not be ‘‘under- mined’’ thereby. Although this text was finally not kept in an article of the GDPR,134 the EU legislators clearly did not wish the fact that some destinations are more trusted 137 Judgment of the Court (Grand Chamber) of 6 October 2015. than others to lead to a situation where data would just Maximillian Schrems v Data Protection Commissioner. Request for a move freely on towards less trusted ones. The requirements preliminary ruling from the High Court (Ireland). Case C-362/14. ECR: electronic only. ECLI:EU:C:2015:650. of the GDPR thus apply to their fullest extent.135 Only a 138 Ibid., at 66. dozen jurisdictions136 outside the EU have until now been 139 2000/520/EC: Commission Decision of 26 July 2000 pursuant to officially recognised as being significantly more trustwor- Directive 95/46/EC of the European Parliament and of the Council on thy than the remainder of third countries: such recognition the adequacy of the protection provided by the safe harbour privacy takes the shape of an adequacy decision adopted by the principles and related frequently asked questions issued by the US European Commission after hearing WP29. If a Commis- Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.). OJ L 215, 25/08/2000, pp. 7–47. sion adequacy decision is in force, because a third country, 140 Simitis (2011), p. 489, at 78: annotation by Simitis S. 141 129 ‘‘The Commission will now draw the necessary consequences See Kornbeck (2016b) (supra) for a detailed discussion. from the judgment by shortly preparing a decision, to be adopted 130 Judgment of the Court of 6 November 2003. Criminal proceed- pursuant to the applicable comitology procedure, replacing that ings against Bodil Lindqvist. Reference for a preliminary ruling: Go¨ta provision in all existing adequacy decisions. Also, the Commission hovra¨tt - Sweden. Case C-101/01. ECR 2003 I-12971. will engage in a regular assessment of existing and future adequacy ECLI:EU:C:2003:596. decisions, including through the periodic joint review of their 131 Ibid.; see Ustaran (2012), pp. 174–175. functioning together with the competent authorities of the third 132 Recital 80 GDPR; Art. 27 GDPR. country in question.’’ See Communication from the Commission to the European Parliament and the Council on the Transfer of Personal 133 See Art. 22.5 WADC; Art. 4.9.3 ISTI; Art. 11.2.2 ISTI, as Data from the EU to the United States of America under Directive discussed (supra), Sect. 2.1. 95/46/EC following the Judgment by the Court of Justice in Case 134 In earlier stages of the legislative procedure, this provision used C-362/14 (Schrems). Brussels, 6.11.2015. COM(2015) 566 final, to be part of Article 40 GDPR. Between 15 December 2015 and 6 p. 15. April 2016 it was moved into the recitals. 142 2002/2/EC: Commission Decision of 20 December 2001 pursuant 135 Kornbeck (2016a, b). to Directive 95/46/EC of the European Parliament and of the Council 136 See the official list: Commission decisions on the adequacy of the on the adequate protection of personal data provided by the Canadian protection of personal data in third countries, http://ec.europa.eu/ Personal Information Protection and Electronic Documents Act justice/data-protection/international-transfers/adequacy/index_en.htm (notified under document number C(2001) 4539). OJ L 2, 04/01/ (Accessed 20 June 2017). 2002, pp. 13–16. 123 Int Sports Law J (2017) 17:68–85 79

Documents Act (PIPEDA),143 and not to the provincial ‘‘the objective of ensuring an equivalent level of protection regime of Que´bec: PIPEDA applies only to commercial in all Member States, the concept of necessity […] cannot undertakings while WADA is a non-profit charity, so that have a meaning which varies between Member States. It, the adequacy decision is not unambiguously applicable, therefore, follows that what is at issue is a concept which despite a recent amendment made to PIPEDA (as part of an has its own independent meaning in Community law and otherwise unrelated bill144) in 2015. Although the Com- which must be interpreted in a manner which fully reflects mission reacted promptly by negotiating a new EU–US the objective of [Directive 95/46/EC]’’.150 The Digital framework, the so-called Privacy Shield, which was offi- Rights Ireland judgement is of interest in relation to the cially announced on 29 February 2016,145 this framework WADA file because, as the then defeated directive was one (just like Safe Harbour before it) failed to offer matching aimed at protecting citizens from exposure to terrorist rights and obligations on both sides of the Atlantic: the US attacks and criminality, it can be assumed to have benefited side would not offer remedies to data subjects like those from a high degree of sympathy and leniency; a degree not offered by the EU.146 In September 2016, an action for automatically brought towards NADOs, as the anti-doping annulment of the Privacy Shield was filed at the court by fight can hardly be claimed to address similarly serious Digital Rights Ireland,147 an NGO which had managed, in public policy concerns. The idea of a legal challenge had 2014, through a similar court case, to achieve the invali- then already been aired by the DPA of the German state of dation148 of the EU’s Data Retention Directive149: though Hamburg,151 so that the WP29 statement of 16 October politically popular as a means to fight against terrorism and 2015, considering the option of ‘‘coordinated enforcement organised crime, this controversial piece of legislation had actions’’152 (coordinated between DPAs to ensure robust required MS to retain large data sets, but failed to impose enforcement across the EU) remained and still remains limitations based on necessity and proportionality. In this relevant. A 2014 WP29 opinion on the provincial data connection, it should be borne in mind that on account of protection regime of Que´bec, specifically prepared to cater for concerns over WADA-related transfers, had not pro- 143 Consolidation. Personal Information Protection and Electronic vided the desired legal certainty.153 Rather, it seems to Documents Act. S.C. 2000, c. 5. Current to June 6, 2016. Last have left most operational questions unanswered. The heart amended on June 23, 2015 (http://laws-lois.justice.gc.ca/PDF/P-8.6. pdf) (Accessed 20 June 2017). of the matter remains the fact that data protection is a 144 Second Session, Forty-first Parliament, 62-63-64 Elizabeth II, fundamental right in the EU. That Schrems had not suffered 2013-2014-2015. Statutes of Canada 2015 Chapter 36. An Act to any pecuniary loss and perhaps no concrete damage at all implement certain provisions of the budget tabled in Parliament on (‘‘where the plaintiff can hardly show any plausible harm April 21, 2015 and other measures. Assented to 23rd June, 2015. Bill or need of protection’’154) is immaterial because data C-59. Schedule 2 (Section 166) Schedule 4 (Subsection 4(1.1) and paragraph 26(2)(c)) (http://www.parl.gc.ca/content/hoc/Bills/412/Gov ernment/C-59/C-59_4/C-59_4.PDF) (Accessed 20 June 2017), see 150 Judgment of the Court (Grand Chamber) of 16 December 2008. p. 158: ‘‘Organizations’’. Heinz Huber v Bundesrepublik Deutschland. Reference for a 145 Restoring trust in transatlantic data flows through strong preliminary ruling: Oberverwaltungsgericht fu¨r das Land Nordrhein- safeguards: European Commission presents EU-U.S. Privacy Shield Westfalen - Germany. Case C-524/06. ECR 2008 I-09705. Brussels, 29 February 2016. Press release IP/16/433. http://europa.eu/ ECLI:EU:C:2008:724, at 52. rapid/press-release_IP-16-433_en.htm (Accessed 20 June 2017). 151 Meyer D: Hamburg’s DPA aiming to challenge Privacy Shield. 146 EDPS (European Data Protection Supervisor): Opinon 4/2016. The Privacy Advisor, Aug 4, 2016, https://iapp.org/news/a/hamburgs- Opinion on the EU-U.S. Privacy Shield draft adequacy decision. 30 dpa-aiming-to-challenge-privacy-shield/?mkt_tok=eyJpIjoiTldaaU1X May 2016. (https://secure.edps.europa.eu/EDPSWEB/webdav/site/ RmpZek01WTJVeiIsInQiOiJBQ09zSmJUYmxXdUFBd0FwVElpam mySite/shared/Documents/Consultation/Opinions/2016/16-05-30_ swbGZqckVhc0RISUxnRUpaK2FXYU9QcEdvZkpmK2JDVEp1bH Privacy_Shield_EN.pdf) (Accessed 20 June 2017). ZmQ3FFVDRCYWRqK1JRV1U4ZkR3bGtzbTRXeHhsXC8zYWQ0 147 Case T-670/16: Action brought on 16 September 2016—Digital VENXdjdhcjV6MVlMXC83eDJZPSJ9. Accessed 20 June 2017. Rights Ireland v Commission. OJ C 410, 7.11.2016, pp. 26–27. 152 WP29: Statement of the Article 29 Working Party. Brussels, 16 148 Judgment of the Court (Grand Chamber) of 8 April 2014. Digital October 2015. http://ec.europa.eu/justice/data-protection/article-29/ Rights Ireland Ltd (C-293/12) v Minister for Communications, press-material/press-release/art29_press_material/2015/20151016_ Marine and Natural Resources and Others and Ka¨rntner Lan- wp29_statement_on_schrems_judgement.pdf (Accessed20June desregierung (C-594/12) and Others. References for a preliminary 2017). ruling: High Court—Ireland, Verfassungsgerichtshof - Austria. Joined 153 WP29: Opinion 7/2014 on the protection of personal data in cases C-293/12 and C-594/12. ECR: electronic only. Quebec. Adopted on 4 June 2014. 14/EN. WP 219. ECLI:EU:C:2014:238. 154 See Determann (2016): ‘‘Operators fund their social network 149 Directive 2006/24/EC of the European Parliament and of the offerings by selling space for advertising to companies, which try to Council of 15 March 2006 on the retention of data generated or customize the ads based on interests of the individual users to be processed in connection with the provision of publicly available effective. […] In light of this and the lack of any substantiated harm electronic communications services or of public communications associated with alleged NSA espionage on information disseminated networks and amending Directive 2002/58/EC. OJ L 105, 13.4.2006, via social networks, US data protection laws and courts would dismiss pp. 54–63. claims for lack of standing and intrusion into reasonable data privacy 123 80 Int Sports Law J (2017) 17:68–85 subjects’ right to access is unconditional, while DPAs’ being the legal counsel of the German NADO,158 found the oversight role is mandatory. It was for this very reason that public interest ground ‘‘questionable,’’ as ‘‘no criminal the High Court of England and Wales ruled, in its 2015 sanctions laid down in primary or secondary legislation’’ Vidall-Hall judgment,155 that no tort had to be demon- would ‘‘justify an urgent information exchange.’’159 strated for an action to be permissible, since Art. 47 CFR requires that each fundamental right must be matched by an 4.3 Consent as a legal basis for data transfers appropriate remedy. to third countries If the destination country does not benefit from an adequacy decision (Art. 45 GDPR), the lawfulness of the Whenever a data controller (the ‘‘data exporter’’) envisages intended transfers depends on the demonstration of either using the consent of the data subject (Art. 49(1)(a) GDPR) appropriate safeguards (Art. 46 GDPR), binding corporate as a legal base for a planned data transfer to a third country, rules (Art. 47 GDPR) or standard contractual clauses (Art. particularly high standards have to be met so as to ensure, 28(1), Art. 46(2)(d) GDPR). Derogations may be granted in accordance with Recital 101 GDPR,160 that this transfer by the competent DPA (Art. 49 GDPR) contingent upon will not lead to a violation of the data subject’s funda- the request meeting one of the criteria laid down in an mental rights. If none of the safeguards required in such enumerative list (largely mirroring the list found in Art. 6 cases (Art. 45-46 GDPR) are in place (WADA may use GDPR defining the lawfulness of processing data inside the contractual clauses but not binding corporate rules, as EU156): consent of the data subject (Art. 49(1)(a) GDPR); WADA’s partners are not mere divisions or subsidiaries of performance of a contract between the data controller and the same legal entity), and if none of the ‘‘special excep- the data subject (Art. 49(1)(b) GDPR); or one concluded in tions’’ apply, transfers ‘‘may only take place if the transfer the interest of the data subject between the controller and is not repetitive, concerns only a limited number of data another natural or legal person (Art. 49(1)(c) GDPR); subjects, is necessary for the purposes of compelling public interest (Art. 49(1)(d) GDPR); establishment, exer- legitimate interests pursued by the controller which are not cise or defence of legal claims (Art. 49(1)(e) GDPR) (not overridden by the interests or rights and freedoms of the found in Art. 6 GDPR); vital interests of the data subject data subject, and the controller has assessed all the cir- (Art. 49(1)(f) GDPR); public register (Art. cumstances surrounding the data transfer and has on the 49(1)(g) GDPR). As with Art. 6 GDPR,157 it seems fair to basis of that assessment provided suitable safeguards with assume that only consent (Art. 49(1)(a) GDPR) and, if regard to the protection of personal data. The controller provided for by law in the relevant MS, public interest or shall inform the supervisory authority of the transfer. The the exercise of public authority (Art. 49(1)(d) GDPR) can controller shall, in addition to providing the information be safely claimed as legal grounds for transferring data to a referred to in Articles 13 and 14, inform the data subject of third country whenever none of the grounds enshrined in the transfer and on the compelling legitimate interests Art. 45–48 GDPR are fulfilled. Commenting on the pre- pursued’’ (Art. 49(1) GDPR). In this case it should be noted GDPR, pre-AntiDopG framework, Mortsiefer, despite that the DPAs of the German states of Schleswig-Holstein and Rheinland-Pfalz, in an opinion submitted to the Ger- man Bundestag in connection with the AntiDopG bill, Footnote 154 continued considered the option of secret investigations ‘‘unaccept- expectations. […] Equally, and because it was already the 23rd able.’’161 Due to these constraints on the use of legal bases complaint of the claimant who must have been intimately familiar other than consent and statutory provision, and because with the data processing practices of social networks by now and continued to use it voluntarily and free of charge, the Irish data legal basis remains the only realistic option in jurisdictions protection authority had dismissed his complaint as ‘frivolous and where legal provisions have not been made, a particularly vexatious’.’’ This German-educated US privacy lawyer cannot be high level of due diligence is required of NADOs to ensure ignorant of the fact that no tort is required in the EU. Data subjects are that their use of the consent of the data subject will not be entitled to access and (conditionally) to the correction and deletion of their data. They do not need to justify their requests for access and DPAs cannot refuse complaints on the basis of convenience arguments. 159 Mortsiefer (2010), p. 238, translation J.K. 155 High Court of England and Wales: Judith Vidall-Hall, Robert 160 See Sect. 4.1 (supra). Hahn and Marc Bradshaw v Google Inc. [2015] EWCA Civ 311. 161 Judgment of 27 March 2015. Case No: A2/2014/0403. (https://www. Stellungnahme der Datenschutzbeauftragten der La¨nder Rhein- judiciary.gov.uk/wp-content/uploads/2015/03/google-v-vidal-hall- land-Pfalz und Schleswig-Holstein zum Referentenentwurf des Bun- judgment.pdf) (Accessed 20 June 2017) (Vidall-Hall). desministeriums der Justiz und fu¨r Verbraucherschutz und des Bundesministeriums des Innern Entwurf eines Gesetzes zur Beka¨mp- 156 Discussed in Sect. 4.1 (supra). fung von Doping im Sport (nicht vero¨ffentlichte Version, Bear- 157 Discussed in Sect. 4.1 (supra). beitungsstand 01.09.2014). https://www.datenschutz.rlp.de/de/aktuell/ 158 Weichert (2011) found Mortsiefer’s PhD thesis/book biased. 2014/images/Anti-Doping-GE_RLP_SH.pdf. Accessed 20 June 2017. 123 Int Sports Law J (2017) 17:68–85 81 met with legal challenges by data subjects. Failure to rulings to law courts, and in spite of the obvious contra- demonstrate convincingly that consent was given on a free diction involved in designating a decision imposed ‘‘by and informed basis must lead DPAs to conclude, if consent others’’ as ‘‘free.’’168 More fundamentally, however, data is the only legal ground invoked, that the planned data protection lawyers know that an analogous interpretation in processing operation is unlawful. the field of data protection is not possible on account of the Before data can be transferred to third countries, they fundamental right status of the right to the protection of must have been collected, stored and processed lawfully personal data, and also because very specific standards within the EU; unlawfully collected, stored or processed apply there in regard to assessing the validity of consent. data cannot be lawfully transferred. The principle of pur- While the BGH solely had to adjudicate the case on the pose limitation (Art. 7(1)(1)-(3) GDPR) means the prior basis of EU and German antitrust law (where one may collection, storage and processing must have been tied to speculate if a different outcome could not have been specific and limited purposes. In the contemporary context, reached), it may be safely claimed that the same outcome increasing opportunities for ‘‘multifunctional data usage’’ could not have been reached had the matter been adjudi- make the requirement of ‘‘strictly tying’’ authorisations to cated under EU and German data protection law. Consent specific purposes more crucial than ever before.162 The cannot be used as a legal ground for processing data in case obvious requirements flowing from the provision laid down of a ‘‘significant imbalance’’ between the data controller in the GDPR are that that consent must have been given and data subject (Recital 34 GDPR). By inserting this new without submitting the data subject to any degree of duress, provision (not found in Directive 95/46/EC169), the Euro- and that no relevant piece of information must have been pean legislator did not invent a new norm but rather con- concealed from him or her when consent was given. But solidated what had emerged over years (even decades), what is obvious from a literal reading of legal provisions is including in WP29 opinions. not always upheld in case law, as shown through the Even if the father of the first Hessian Data Protection German Federal Court’s (BGH) surprising contention, in Act, Simitis,170 considers consent to be a ‘‘fully valid’’ its 7 June 2016 Pechstein ruling, that a decision ‘‘decided option,171 the architecture of Directive 95/46/EC (and of by others’’ (fremdbestimmt)163 could, for the purpose of the GDPR) reveals that it is one among many, as underlined assessing the conformity of consent given to an arbitration by WP29.172 The German data protection law has, since the clause in the context of anti-doping procedures, with EU 1993 Volksza¨hlung (‘‘public census’’) judgement173 of the (Art. 102 AEUV) and German antitrust legislation,164 be Federal Constitutional Court, been based on a doctrine of considered ‘‘free’’ as long as ‘‘no physical or psychical ‘‘informational self-determination’’ (informationelle violence, including the threat of considerable duress Selbstbestimmung), which is understood, by Simitis, as a (Drohung mit einem empfindlichen U¨ bel)’’ had been constitutional rule.174 While this doctrine carries the applied in extracting the consent related to ‘‘the involuntary renunciation of exercising a fundamental right’’ (unfrei- 168 Duval (2016). williger Verzicht auf die Grundrechtsausu¨bung).165 This 169 In the Commission’s initial legislative proposal (25.1.2012. judgement provides surprising reading to those who had COM(2012) 11), this provision had even been part of Art. 7(1)(4). been following the rulings of the Munich court (LG This text was later moved towards the recitals. 166 167 Mu¨nchen) and the court of appeal (OLG Mu¨nchen), 170 Professor emeritus at Frankfurt University, Spiros Simitis (born both of which had vindicated the plaintiff in this point. The 1934) served as Hessian Data Protection Commissioner (1975–1991), BGH’s ruling provides unsettling reading to those inter- inter alia. As the Hessian act was the first German act and the first act representing the European model anywhere in the world, it is of ested in safeguarding fundamental rights in Germany and interest that the Hessian Act predates the federal German act, and also in the EU, including in sports, especially because this that the German model has largely influenced the European model, ruling was disseminated widely within the sporting com- although, as Simitis (2011), 162, at 210, notes, when the 1995 munity, where it was taken as a sign that athletes must directive required MS to harmonise their acts, MS with extant acts often showed themselves less cooperative than those without. Spiros accept arbitration and refrain from appealing anti-doping Simitis is the brother of the former President of the Hellenic Republic, Constantinos Simitis (born 1936), who has also held professorships in Germany. 162 Simitis (2011), p. 89, at 35; translation J.K. 171 Simitis (2011), p. 434, at 1. 163 BGH: 7. Juni 2016 - KZR 6/15. Nr. 97/2016 (Pechstein), at 54; 172 WP: Opinion 15/2011 on the definition of consent. Adopted on 13 translation J.K. July 2011. WP187. http://ec.europa.eu/justice/data-protection/arti 164 Ibid., at 66. cle-29/documentation/opinion-recommendation/files/2011/wp187_ 165 BGH: 7. Juni 2016 - KZR 6/15. Nr. 97/2016 (Pechstein), at 54; en.pdf. Accessed 20 June 2017, p. 8. translation J.K. 173 BVerfG, Urteil v. 15. Dezember 1983, Az. 1 BvR 209, 269, 362, 166 LG Mu¨nchen I, 26.02.2014 - 37 O 28331/12. 420, 440, 484/83) (Volksza¨hlung). 167 OLG Mu¨nchen, 15.01.2015 - U 1110/14 Kart. 174 Simitis (1984). 123 82 Int Sports Law J (2017) 17:68–85 semantic risk of seemingly condoning any settlement that operations of NADOs, yet unless they have been trans- can be reached between two parties, its use is contingent posed into national law they remain legally immaterial as upon the negative test of a ‘‘significant imbalance’’ (erhe- they are merely enshrined into standard-setting documents bliches Ungleichgewicht) of power between the data con- from an NGO.179 NADOs’ obligations under international troller and data subject, just like that found in Recital 34 law are seriously limited by the fact that the relevant GDPR. Simitis sees this as a loan from the German law of conventions address State Parties, while NADOs are not contract which has gradually developed rules on standard always organised under public law, and even more so by form contracts (Allgemeine Gescha¨ftsbedingungen) (AGB), the uncommitting nature of the precise prescription which were similarly meant to protect consumers whose enshrined in the relevant international law conventions.180 bargaining power is more fictive than real.175 In the same NADOs’ obligations under EU and national law are often vein, WP29 ruled that, in an employment context, ‘‘where marginal and often absent with regard to the purported consent is required from a worker, and there is a real or obligation to share athletes’ data, while their obligation to potential relevant prejudice that arises from not consenting, protect the privacy of athletes and ensure the protection of the consent is not valid in terms of satisfying either Article 7 their personal data is enshrined in enforceable EU and or Article 8 [CFR] as it is not freely given. If it is not national legislation with fundamental right status.181 possible for the worker to refuse it is not consent. Consent Policy debates on the applicability of EU and national must at all times be freely given. Thus a worker must be data protection legislation to anti-doping work started late able to withdraw consent without prejudice.’’176 The WP29 (essentially in 2008),182 whereas potential legal problems Opinion thereby confirms the line chosen, in Germany, by had been recognised in legal scholarship somewhat earlier, Simitis.177 Consistently, having examined the initial ISPPPI including in the Swiss context.183 The right to protection of draft circulated by WADA in early 2008, WP29 concluded personal data is guaranteed by the CFR, with EU secondary that the clauses contained in that version with regard to and national (including German) legislation providing consent did not meet the requirements of Art. 2 Directive specific, procedural requirements for the respect of this 95/46/EC: ‘‘The sanctions and consequences attached to a fundamental right, including the requirement that the possible refusal by participants to subject themselves to the lawfulness of all data processing operations must be obligations of the Code (for example providing where- demonstrated mandatorily.184 Consequently, the choice of abouts filings) prevent the Working Party from considering a valid legal base, including athlete consent, specific legal that the consent would be, in any way, given freely.’’178 provisions or other legal bases as foreseen by law, is not an option but an unavoidable legal requirement for data processing to be permissible. The lawfulness of data transfers 5 Findings of this article to third countries, including Switzerland and Canada, is subject to higher thresholds than are intra-EU transfers. 5.1 Athlete consent: a fragile legal base Enforceable secondary legislation requires that data be only transferred if the level of protection in the destination This article has shown that EU-based NADOs, and indeed jurisdiction does not undermine the aims of the relevant EU other organisations involved in the anti-doping fight, face and national rules. In other words, transfers can only take international expectations and requirements with variegat- place if after arrival in the third country jurisdiction data ing legal implications. NADOs’ obligations under the are protected as efficiently as they would have been in the WADC and IS may be very relevant in the day-to-day EU. Requirements enshrined in Directive 95/46/EC have been confirmed or even reinforced in the GDPR, while 175 Simitis (2011), p. 435, at 3. WP29 guidance documents and recent case law of the 176 WP: Opinion 15/2011 on the definition of consent. Adopted on 13 court, in cases unrelated to anti-doping yet with unmis- July 2011. WP187. http://ec.europa.eu/justice/data-protection/arti takeable legal implications across all sectors, have made it cle-29/documentation/opinion-recommendation/files/2011/wp187_ clear that these requirements must be taken very seri- en.pdf. Accessed 20 June 2017, p. 23. ously.185 Whereas athlete consent has traditionally been 177 Simitis (2011), p. 453, at 62. 178 WP29, Second opinion 4/2009 on the World Anti-Doping 179 Agency (WADA) International Standard for the Protection of See Sect. 2.1 (supra). 180 Privacy and Personal Information, on related provisions of the See Sect. 2.3 (supra). WADA Code and on other privacy issues in the context of the fight 181 See Sect. 2.3 (supra). against doping in sport by WADA and (national) anti-doping 182 See Sect. 3.1 (supra). organizations. Adopted on 6 April 2009. 0746/09/EN. WP 162. 183 See Sect. 3.2 (supra). http://ec.europa.eu/justice/data-protection/article-29/documentation/ 184 opinion-recommendation/files/2009/wp162_en.pdf. Accessed 20 June See Sect. 4.1 (supra). 2017, p. 11. 185 See Sect. 4.2 (supra). 123 Int Sports Law J (2017) 17:68–85 83 relied upon to a very large extent in anti-doping work, it the ‘one-federation-per-country’ principle might one day transpires from an even quite cursory assessment of EU have to be abandoned.192 Such a move would also affect and national German legal requirements that the consent of the architecture of the WADC and related rules, pro- the data subject is highly problematic as a legal base, grammes, procedures and practices. The current reliance on especially where a significant imbalance between data a questionable athlete consent as a legal base for anti- subject (athlete) and data controller (NADO) is found, as in doping work would then also need to be revisited in view anti-doping work.186 of finding more robust solutions.

5.2 Athlete consent and the overall WADC architecture 6 Further implications

At the heart of the legal and political strategy pursued by 6.1 Consent versus statutory provision WADA, the IOC and like-minded sports stakeholders are an attachment to the extant system of contractual obliga- The present article aims to have discussed athlete consent tions,187 usually under private law yet with a strong as a legal base for data transfers to third countries for anti- transnational scope, and a conviction that extant arrange- doping purposes, under EU and German law, including by ments will also be able to resist future stress tests. Yet the summarising the legal relevance of international anti-dop- optimism of one WADC commentator, according to which ing requirements and expectations. A future article is the ‘‘private disciplinary nature of doping rules in sport was intended to present the most salient features of enforceable generally recognised by national courts […] at an early EU and national, German data protection law, so as to stage’’188 might be difficult to sustain in the light of a address the merits and limitations of an approach based on systematic review of national European and case law. specific legal prescription: statutory provision for short. It Intriguingly, the same commentator advanced this claim will compare and contrast the findings from that exercise without providing any references to support it, and case law with the outcome of the analysis made in the present arti- may change over time. ‘‘The extraordinary global reach of cle, with the aim to arrive at an assessment of the two the Code as a result of the hierarchical structure of gov- options for a legal basis under EU and German data pro- ernance of international sport, and its contractual force as // tection law. and instrument of private international law binding all of those organisations in the hierarchy’’189 is unique but may 6.2 Beyond the current WADC 2015 framework owe as much to extra-legal factors as to the law itself. While the commercial arrangements between different The analysis provided in this article is limited to the current sport stakeholders are currently effective in ensuring a WADC 2015 framework. Much will depend on what the bargaining power190 which allows the imposition of many WADC and WADC-derived rules will be after the Fourth rules and standards to go largely unchallenged, the hier- World Anti-Doping Conference, to be held in Katowice archical structure of the sporting pyramid and the pervasive (Poland) in 2019. Whether a revision will take place like loyalty clauses encapsulated in the omnipresent ‘‘one-fed- that performed in 2011–13, and which led to the WADC eration-per-country’’ principle (in German commonly 2009 being replaced by the WADC 2015, is not yet known known as Ein-Platz-Prinzip) may not be sustainable in the and remains to be resolved by WADA’s Foundation Board long run. As the European Commission (Directorate Gen- in November 2017. What is known, however, is that on 18 eral for Competiton) is currently investigating an alleged May 2017 the Foundation Board approved the ‘‘develop- antitrust law breach under Art. 101-102 TFEU following a ment of [a] graded sanctioning framework for non-com- complaint filed by Dutch speed skaters Mark Tuitert and pliance by Code Signatories,’’ ‘‘an Investigations Policy Niels Kerstholt against the selection rules of the Interna- and Framework,’’ ‘‘principles to assist the International tional Skating Union (ISU),191 it is not inconceivable that Olympic Committee (IOC) for establishing an Independent Testing Authority (ITA)’’ and the ‘‘development of’’ an ‘‘International Standard for Compliance by Signato- 186 See Sect. 4.3 (supra). ries.’’193 A stakeholder consultation was launched on 1 187 See David (2013), 125, as discussed in Sect. 2.1 (supra). 188 David (2013), p. 17. 192 Verdonk (2017). 189 Hayes (2016), p. 274. 193 See press release: May 18, 2017. WADA Foundation Board takes 190 Hayes (2016), p. 290, Appendix (graph). decisive action on the Way Forward for the Agency and for Clean 191 Online access to the file: 40208 International Skating Union’s Sport. https://www.wada-ama.org/en/media/news/2017-05/wada-founda Eligibility rules. http://ec.europa.eu/competition/elojade/isef/case_ tion-board-takes-decisive-action-on-the-way-forward-for-the-agency- details.cfm?proc_code=1_40208. (Accessed 20 June 2017). and. Accessed 20 June 2017. 123 84 Int Sports Law J (2017) 17:68–85

June 2017 with the aim of collecting comments on these Docksey C (2016) Four fundamental rights: finding the balance. Int proposals.194 Based on previous experience with the Data Priv Law 6(3):195–209 Duval A (2016) The BGH’s Pechstein decision: a Surrealist Ruling. WADC framework, it is highly likely that some of the Asser International Sports Law Blog. 8 June 2016. http://www. proposed measures will have legal implications within the asser.nl/SportsLaw/Blog/post/the-bgh-s-pechstein-decision-a-sur legal orders of the EU and its MS, including with regard to realist-ruling. Accessed 20 June 2017 athletes’ access to exercising their fundamental rights. EDPS (2016) Developing a ‘toolkit’ for assessing the necessity of measures that interfere with fundamental rights. Background While a full-fledged WADC revision like that conducted in paper for consultation. 16 June 2016. https://secure.edps.europa. 2011–13 would have the merit of permitting a transparent eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consulta and open debate, the option of introducing further tion/Papers/16-06-16_Necessity_paper_for_consultation_EN.pdf requirements on sanctions carries the risk of further tight- Accessed 20 June 2017 Flueckiger C (2008) Dopage, sante´ des sportifs professionnels et ening an already tight sanctions regime without having an protection des donneés me´dicales. Schulthess, Geneva open and transparent debate, and there is good reason to Gola P, Klug C, Ko¨rffer B, Schomerus R (2015) BDSG Bundes- question the legitimacy of regulating the monitoring of datenschutzgesetz Kommentar, 12th edn. C.H.Beck, Munich sanctions regimes via an international standard, as opposed Greenleaf G (2012) The influence of European data privacy standards outside Europe: implications for globalization of Convention to through the WADC itself. Even if a future IS on Com- 108. Int Data Priv Law 2(2):68–92 pliance were ‘‘only’’ to include provisions regarding Halt J (2009) Where is the privacy in WADA’s ‘‘Whereabouts’’ rule? sanctions on organisations, it is inconceivable that such Marquette Sports Law Rev 20(1):267–268 provisions would not also affect individual athletes. Hanstad DV, Loland S (2009) Elite level athletes’ duty to provide information on their whereabouts: justifiable anti-doping work or Developments up until 2019 will therefore bear crucially an indefensible surveillance regime? Eur J Sport Sci 9(1):3–10 upon the prospects for athletes to exercise their rights as Hayes P (2016) The commercial rationale of the world anti-doping data subjects, as guaranteed by EU and the national law. code. In: Haas U, Healey D (eds) Doping in sport and the law. Hart, Oxford & Portland, pp 269–290 Houlihan B, Garcia B (2012) The use of legislation in relation to controlling the production, movement, importation, distribution 195 and supply of performance-enhancing drugs in sport (PEDS). References Loughborough University: WADA-UNESCO. http://www.wada- ama.org/Documents/World_Anti-Doping_Program/WADP-Legal_ ADBG (2007) Bundesgesetz u¨ber die Beka¨mpfung von Doping im Library/National_Legislation/UNESCO-Legislative-Research- Sport (Anti-Doping-Bundesgesetz 2007 – ADBG 2007) StF: Report-FINAL.pdf. Accessed 20 June 2017 BGBl. I Nr. 30/2007 (NR: GP XXIII AB105 S. 24. BR: 7688 AB Koops BJ (2014) The trouble with European data protection law. Int 7701 S. 746 Data Priv Law 4(4):250–261 Backhouse S et al (2014) Study on doping prevention: a map of legal, Kornbeck J (2016a) Anti-doping: U¨ bermittlung von Athletendaten in regulatory and prevention practice provisions in EU 28. Drittla¨nder. Causa Sport 2:118–124 Luxembourg 2014: Publications Office of the European Union. Kornbeck J (2016b) Transferring athletes’ personal data from the EU http://ec.europa.eu/sport/news/2014/docs/doping-prevention- to third countries for anti-doping purposes: applying Recital 112 report_en.pdf. Accessed 20 June 2017 GDPR in the post-Schrems era. Int Data Priv Law 6(4):291–298 Baeriswyl B (2006) Datenschutzrecht und Sport. In: Arter O, Kornbeck J (2017) Einwilligung oder gesetzliche Regelung? Die Baddeley M (eds) Sport und Recht. Schulthess, Bern, Wahl der Rechtsgrundlage bei Datenu¨bermittlungen der NADA pp 133–156 Deutschland in Drittla¨nder zu Anti-Doping-Zwecken gema¨ß EU- Blume P (2015) EU adequacy decisions: the proposed new possibil- Datenschutz-Generalverordnung. Datenschutz-Nachrichten ities. Int Data Priv Law 5(1):34–39 40(1):17–30 Bo¨rding A, von Scho¨nfeld M (2016) Big Data im Leistungssport – Kuner C (2003) European data privacy law and online business. Datenschutzrechtliche Anforderungen an die Vereine. Causa Oxford University Press, Oxford Sport 1:7–12 Kuschewsky K (2014) European Union. In: Kuschewsky K (ed) Data David P (2013) A guide to the world anti-doping code: a fight for the protection and privacy: jurisdictional comparisons, 2nd edn. spirit of sport, 2nd edn. Cambridge University Press, Cambridge Thomson Reuters, London, pp 255–289 Determann L (2016) Adequacy of data protection in the USA: myths Lambertz P (2015) Problematische Namensvero¨ffentlichungsregelung and facts. Int Data Priv Law 6(3):244–250 in Dopingfa¨llen gema¨ss WADA-Code. Causa Sport 4:369–373 Docksey C (2014) Articles 7 and 8 of the EU charter: two distinct Malloy D, Zakus D (2002) Ethics of drug testing in sport: an invasion fundamental rights. In: Grosjean J (ed) Les enjeux europeéns et of privacy justified? Sport Educ Soc 7(2):203–218 mondiaux de la protection des donneés personnelles. Larcier, Mortsiefer L (2010) Datenschutz im Anti-Doping-Kampf. Gardez, Brussels, pp 63–89 Bonn Neuendorf S (2015) Datenschutzrechtliche Konflikte im Anti-Dop- ing-System. Am Beispiel des Anti-Doping Administration and 194 See press release: June 1, 2017. WADA launches stakeholder Management Systems ADAMS. Nomos, Baden-Baden consultation process regarding development of an International Niewalda J (2011) Dopingkontrollen im Konflikt mit allgemeinem Standard for Code Compliance by Signatories. https://www.wada- Perso¨nlichkeitsrecht und Datenschutz. Duncker & Humblodt, ama.org/en/media/news/2017-06/wada-launches-stakeholder-consulta Berlin tion-process-regarding-development-of-an. Accessed 20 June 2017. Palmer W, Taylor S, Wingate A (2011) ‘‘Adverse Analyzing’’. 195 Only scholarship, all other publications being referenced in the A European study of anti doping organization reporting practices relevant footnotes. and the efficacy of drug testing athletes. Nyon: UNI Global 123 Int Sports Law J (2017) 17:68–85 85

Union. http://www.euathletes.org/uploads/media/Adverse_Ana Flemish Minister responsible for Sport in view of the Belgian lyzing__FINAL__02.pdf. Accessed 20 June 2017 Presidency of the European Union in the second half of 2010. Parensen A (1998) Die Fußball-Bundesliga und das Bosman-Urteil. The Hague: T.M.C. Asser Instituut. http://www.asser.nl/upload/ In: Tokarski W (ed) EU-Recht und Sport. Meyer & Meyer, documents/9202010_100013rapport%20Asserstudie%20(Engels). Aachen, pp 70–150 pdf.Accessed20June2017 Parzeller M, Prittwitz C et al (2009) Rechtsvergleich der strafrech- Taranto L (2012) Data protection principles. In: Ustaran E (ed) tlichen Normen und der strafprozessualen Verfolgung des European privacy: law and practice for data protection profes- Dopings im Leistungs- und Spitzensport in Deutschland, Italien, sionals. IAPP, Portsmouth, pp 81–92 Frankreich, Schweiz und Spanien. BISp-Jahrbuch 10:315–326 Ustaran E (2012) International data transfers. In: Ustaran E (ed) Plass J, Giffeler D (2016) Anti-Doping-Kontrollen mit ,,eves‘‘. European privacy: law and practice for data protection profes- Datenchutz-Nachrichten 39(4):158–161 sionals. IAPP, Portsmouth, pp 173–189 Schaar P (undated) Anforderungen des Datenschutzes an Dopingkon- Verdonk T (2017) Rivalry among sports associations: the compati- trollen. http://www.bfdi.bund.de/SharedDocs/Publikationen/Info bility of sports associations’ exclusivity clauses with EU broschueren/Tagungsbaende/TagungsbandBeitragDopingkontrolle. competition law. Eur Compet Law Rev 38(2):80–88 pdf?__blob=publicationFile&v=5.Accessed20June2017 Waddington I (2010) Surveillance and control in sport: a sociologist Senećal F (2006) La protection des donneés de sante´ des athle`tes dans looks at the WADA whereabouts system. Int J Sport Policy Polit le cadre de la lutte contre le dopage. Lex Electronica 11(2):1–23 2(3):255–274 Simitis S (1984) Die informationelle Selbstbestimmung – Grundbe- Wedde P (2011) Rechtsgutachten zum Thema ,,Datenschutzrechtliche dingung einer verfassungskonformen Informationsordnung. Bewertung der Melde- und Kontrollpflichten im Rahmen von Neue Juristische Wochenschrift 8:398–405 Anti-Dopingprogrammen, die die von SP.IN vertretenen Ath- Simitis S (ed) (2011) Bundesdatenschutzgesetz. Kommentar, 7th edn. leten betreffen‘‘. Erstattet von Prof. Dr. Peter Wedde. Eppstein/ Nomos, Baden-Baden Ts., 5. September 2011. http://www.spinbb.net/uploads/media/ Sreball G, Schmidt S, Hermonies S (2014) Handbuch Datenschutz im Wedde_-_Gutachten_fu__r_SP.IN_per_5.9.2011.pdf. Accessed Sport. Nomos, Baden-Baden 20 June 2017 Swire PP, Ahmad K, McQuay T (2012) Foundations of information Weichert T (2005) Die Fussball-WM als U¨ berwachungs-Grosspro- privacy and data protection: a survey of global concepts, laws jekt. Datenchutz-Nachrichten 28(1):7–11 and practices. IAPP, Portsmouth Weichert T (2011) [Review essay]. Datenchutz-Nachrichten T.M.C. Asser Instituut (2010) The implementation of the WADA 34(4):166–167 Code in the European Union. Report commissioned by the

123