One year on: “Project Red Card”
Was the Supreme Court’s decision in Lloyd v Google a red card for “Project Red Card”? The present article is a deep dive into the implications of the abolishment of the concept of Loss of Control, on claims for misuse of sportspersons’ personal data.
Background: Project Red Card
In 2020, the Global Sports Data and Technology Group (GSDTG) made headlines by launching ‘Project Red Card’ – a large-scale litigation on behalf of current and former professional football players against sports data mining companies, for breaches of data protection laws by scraping performance data. It is understood that the claimants, approximately 850 current and former players in the Premier League, the English Football League and the Scottish Premiership, are seeking compensation from the numerous defendants, for the processing of their performance data (this being personal data for the purposes of the GDPR), without a lawful basis. The lawsuit (which is understood to be still in its pre-action stage) is being led by former Cardiff City manager Russel Slade, with assistance from Cardiff-based technology expert Jason Dunlop.
The Supreme Court’s decision in Lloyd v Google: Loss of Control
The timing of the launch of Project Red card is anything but accidental. The first months of 2020, in addition to a global pandemic, saw a big increase in the number of privacy litigation claims in England and Wales. This was fuelled by the Court of Appeal’s decision in the landmark case of Lloyd v Google  EWCA Civ 1599, in which, amongst other very important findings, the court held that a claimant can recover damages for loss of control of their personal data without proving distress or pecuniary loss – the so-called “Loss of Control”.
Working in contentious data protection matters at the time, the author of this article witnessed first-hand the influx of new privacy litigation claims started against companies for the most benign of breaches. Claimant firms no longer pursued allegations of distress following technical violations of the GDPR and the Data Protection Act – their template letters of claim simply included “Loss of Control” as a head of loss, alongside a four-digit demand for compensation.
It is therefore unsurprising that approximately eight months after the Court of Appeal’s judgment, Project Red Card was announced. While the letters of claim (or letters before action) in the matter have not been made public, one can assume with a high degree of certainty, that the compensation demands were at least partially based on Loss of Control, as a result of the defendants’ technical breaches of privacy legislation. Our request to the GSDTG to confirm the same has remained unanswered.
Approximately 17 months later, on 10 November 2021, privacy professionals, insurers and claimant law firms from across the country collectively tuned in to the Supreme Court’s Live Feed to hear the final judgment in Lloyd, delivered by Lord Reed, on behalf of a five-strong panel of Lord Justices. Excited to learn what the future holds, this author even turned up at the Supreme Court in person to witness privacy history being made.
Over 30 paragraphs, the 60-page judgment of the Supreme Court overturned the Court of Appeal’s decision and established that past and current privacy legislation cannot be reasonably interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller without the need to prove that the contravention has caused material damage or distress to the individual concerned. The decision was a crushing blow to many individuals with outstanding privacy claims for trivial damages. One can also expect that it has affected the pre-action correspondence on Project Red Card.
However, is this the end of the matter? Have professional footballers and their personal data been left unprotected in the hands of profit-hungry supporters of the betting industry? Let us examine two alternative causes of action which the legal team behind Project Red Card may explore in pursuit of the claim.
Alternative causes of action
As summarised in Lord Leggatt’s judgement in Lloyd, “User damages” is the name commonly given to a type of damages readily awarded in tort where use has wrongfully been made of someone else’s land or tangible moveable property, although (importantly) there has been no financial loss or physical damage to the property. This type of damages is determined by estimating what a reasonable person would have paid for the right of the user. Damages of this nature are also available on a similar basis for certain Intellectual Property rights infringements.
User damages were not available in Lloyd, as the matter only involved allegations for breaches of privacy legislation, rather than the Common Law tort of Misuse of Private Information (MPI). However, in its discussion of the doctrine, the Supreme Court left the door open to claimants who are able put forward claims for MPI, to attempt and benefit from this type of compensatory damages.
Another common presence in claimant law firms’ letters of claim, MPI is often pleaded in parallel to allegations of privacy legislation violations. The leading case on the tort is Campbell v MGN Limited  UKHL 22, which concerned, like nearly all successful MPI claims, the violation by tabloid media of a celebrity’s deeply personal matters. The House of Lords established in Campbell that, as the name suggests, a claim for MPI can only succeed where the “I” is both “P” and “M”, i.e. there is (1) a “misuse” of (2) “private” (3) “information”.
Arguably, in the case of Project Red Card, performance data does amount to “information” and there is a good argument that it has been “misused”. However, the claimants will need to demonstrate significant legal acumen in persuading the court that the performance data of footballers in some of the most-watched football leagues in the world is a “private” matter. Whether they choose to continue under this line of argument remains to be seen.
Breach of Confidence
The legal doctrine of Breach of Confidence, another frequent addition to privacy claimant firms’ templates, was established in Coco v. AN Clark (Engineers) Ltd  RPC 41. For a claim to be successful, the court in Coco held that it must satisfy the following three-stage test:
- does the information have ‘the necessary quality of confidence about it’? If so,
- was it communicated in circumstances imparting an obligation of confidence? If so,
- was there an unauthorised use of the information to the detriment of the party communicating it?
The applicability of Breach of Confidence in relation to sports performance data was recently discussed by the Court of Appeal in Racing Partnership Ltd v Sports Information Services Ltd  EWCA Civ 1300. The case concerned a dispute arising out of an exclusive agreement for the provision of live horseracing data from certain racecourses. One of the claimants, the rightsholder under the agreement, discovered that the defendant had been supplying similar alternative data from the same racecourses to some of the country’s largest betting companies and launched a claim, alleging, amongst other things, Breach of Confidence.
A divided Court of Appeal found that commercial value over the information in question alone was not enough to treat information as “confidential”, and that “the confidentiality of any information must depend on its nature, not its market value”. Lord Justice Lewinson quoted Lord Walker from Douglas v Hello! Ltd (No.3)  AC 1, another celebrity case, who stated that the law of Breach of Confidence should not “afford the protection of exclusivity in a spectacle”, such as a publicly-broadcasted horse race. Therefore, the performance data of jockeys did not amount to confidential information and there was no Breach of Confidence. In late 2021, the claimants obtained leave to appeal to the Supreme Court, but the matter settled in July 2022, leaving the Court of Appeal’s judgment as good authority.
As the court in Racing Partnership was divided in its opinion, the claimants in Project Red Card may have some scope to pursue distinctions between the performance information in football and horse racing, and the argument that the former amounts to confidential information.
While it is clear that the Supreme Court’s judgment in Lloyd v Google has delivered a significant blow to the claim in Project Red Card, the judgment leaves the door open to a number of common law alternatives. The author will keep a close watching brief of developments in this matter.
If by now you haven’t had enough of the subject of sports data and want an update on the latest developments on competition law breaches relating to sports data exclusivity deals, please check out this recent article.
 Lloyd v Google  UKSC 50, paras. 109 to 138
 As above, paras. 139 to 143