Home Knowledge WADA’s Anti-Doping Rules Not So Dope According to the EU Data Protection Watchdog

WADA's Anti-Doping Rules Not So Dope According to the EU Data Protection Watchdog

The World Anti-Doping Code

The World Anti-Doping Code (the “Code”) unifies and harmonises anti-doping rules, policies and regulations from around the world. The Code was created by the World Anti-Doping Agency (“WADA”) to address the problems that had arisen from inconsistent and uncoordinated anti-doping rules in the global arena of sports, from the Olympics to the World Cup. To date, almost 700 sport organisations are signatories to this Code.

The signatories to the Code must ensure their anti-doping rules are in line with the Code or risk a declaration of non-compliance and the imposition of punitive measures by WADA, as it did in the recent case involving the Russian Anti-Doping Agency. See our article here for more information on this case which led to Russia’s ban by WADA from participating in all major sporting events including the Tokyo 2020 Games and the FIFA World Cup Qatar 2022. 

Personal data and the Code

WADA and other sporting organisations are required to retain substantial amounts of athletes’ personal data, including name, country, gender, medical records and analytical results of any samples provided. The WADA International Standard for the Protection of Privacy and Personal Information (“International Standards”) was developed as part of the Code. The purpose of the International Standards is to ensure that appropriate, sufficient and effective privacy protections are put in place in relation to the processing of this personal information. These International Standards sit alongside five other international standards on code compliance, testing, therapeutic use exemptions, education and results management. 

The personal data processed by WADA contains special categories of personal data, such as health data, which is subject to additional protections under the EU’s General Data Protection Regulation (“GDPR”).  In 2016, a group of international hackers, ‘Fancy Bears’, hacked into WADA’s database and released sensitive personal data, including private medical records of Serena Williams.  See our article here for more information. The athletes affected had some of their special categories of personal data published, in contravention of their data protection rights. 

Data protection concerns

In 2013, the predecessor to the European Data Protection Board (“EDPB”), sent a letter to WADA outlining some of its concerns regarding the Code and its International Standards. 

WADA considered these concerns and, in June 2018, updated the Code to seek to ensure compliance with the GDPR. Despite this, some of the EDPB’s concerns remain, including: 

  • The broad definition of athletes to include recreational athletes;
    The Code states that Anti-Doping Organizations (“ADO”s) have discretion to bring athletes, who compete at a level below international or national level, within the remit of the Code and International Standards. As a result, athletes competing at lower levels or even recreational athletes could be required to furnish a significant amount of personal information to WADA where an alleged violation of the Code is committed. The EDPB believes that this is a disproportionate interference with the right to privacy and data protection of these athletes.
  • The lawfulness of data processing based on consent;
    The International Standards provide that WADA may rely on athletes’ “consent” as a legal basis for processing their personal data.  In order to do so, however, the consent must be explicit and must be informed, freely given, specific and unambiguous.  As athletes are required by WADA to give this consent, it is unlikely to meet the “freely given” limb of the test for consent. The issue is exacerbated by the potential for negative repercussions should an athlete refuse to provide its consent. The EDPB recommends that a more GDPR-appropriate basis for processing athletes’ personal data, e.g. necessity for the performance of a contract, be put in place by WADA.
  • The applicable retention periods; and
    The International Standards stipulate retention periods for the personal data collected. Some personal data e.g. athlete’s name, gender, samples, sanctions and disciplinary decisions, is required to be kept “indefinitely, which is unlikely to comply with the GDPR’s storage limitation and data minimisation requirements.
  • The automatic and unselective publication of anti-doping rule violation on the internet.
    The Code provides for the publication of all violations on the internet for the greater of one month or the duration of the athlete’s ineligibility to compete. Similarly, ADOs are permitted to publish statistical reports, including athlete’s names and testing dates, on the internet. The EDPB recommends amending such provisions, in line with the principles of necessity, proportionality and data minimisation.  

Revised Code and remaining concerns 

A revised Code (including the International Standards) was published by WADA in November 2019 and is scheduled to come into force in January 2021. It remains to be seen whether the Code and International Standards will be further updated to address the EDPB’s concerns and ensure compliance with data legislation requirements.

For further information, please contact Leo Moore, or your usual William Fry contact.

Contributed by Therese Chambers




Follow us @WilliamFryLaw