01 March 2025

Privacy Challenges For Sports Organizations Rise

Increasing regulations require teams to rethink their data strategies.

On February 4, 2025, the DSI’s Computational Privacy Group held a pivotal meetup focusing on the pressing issues of privacy as they relate to machine learning. The event, held at Imperial College London, saw over 100 experts gather to engage with the latest research and share insights on maintaining data privacy amid technological advancements.

The gathering, which attracted professionals from various sectors, served to solidify London’s growing reputation as a hub for privacy innovation and discussion. Attendees participated in short research talks facilitated by prominent figures, each addressing unique aspects of privacy within the scope of machine learning technologies. Notable speakers included Graham Cormode from the University of Warwick, who discussed “Federated Computation for Private Data Analysis,” and Lukas Wutschitz from Microsoft’s M365 Research, who presented insights on “Empirical privacy risk estimation in LLMs.”

Also gracing the stage were experts from Google DeepMind, including Jamie Hayes, who focused on the risks of “Stealing User Prompts from Mixture-of-Experts models,” and Ilia Shumailov, who tackled what it truly means to “operationalize privacy.” Full details can be found on the event webpage hosted by Imperial.

While this event primarily focused on privacy issues pertaining to machine learning, it converged with the theme of sports organizations grappling with the ever-evolving regulations surrounding personal data management. With sports organizations now required to comply with stringent privacy laws, including the General Data Protection Regulation (GDPR) established within the EU and Quebec’s Law 25 initiated to protect residents’ data, the question arises: what should be the privacy game plan for sports entities?

Organizations involved with athletics—including teams, leagues, and player agents—often collect personal information from various stakeholders such as athletes, coaches, and fans. This data can encompass anything from sensitive health information and performance analytics to financial details related to consumer behavior.

The legal framework surrounding privacy is complicated, as businesses must navigate multiple overlapping laws. For example, even if based outside of Quebec, organizations dealing with Quebec residents must comply with its privacy regulations. Consequently, sports organizations may find themselves accountable under laws such as GDPR, Quebec’s Privacy Law, and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), based on the geographical scope of their operations.

A major consideration for these organizations lies not only in compliance but also in the potential repercussions stemming from non-compliance or data breaches. The sensitive nature of the data they manage can result in severe consequences. A breach might lead to the public exposure of personal health records or anti-doping test results, jeopardizing athletes' careers and tarnishing reputations.

Sports organizations are also required to handle personal information with care by obtaining informed consent for disclosing any sensitive data. For example, performance data may be shared among organizations to facilitate trades or support negotiations, but this must be done transparently, adhering to privacy laws. Under GDPR, consent serves as one legal basis for processing personal information, and for Quebec's regulations, it is often the only permissible basis.

There are specific conditions laid out by Quebec’s law, requiring explicit consent when disclosing sensitive information about athletes, particularly minors. This highlights the significance of obtaining proper consent—failing to secure it poses risks not just to individual privacy but also to the organization's legal standing.

Additionally, athletes operate within international contexts, engaging across borders. Spectators and athletes alike must comply with diverse privacy requirements wherever they are. This necessitates conducting Privacy Impact Assessments or Data Protection Impact Assessments before any cross-border data disclosures, particularly as many sports leagues operate globally.

Health information and biometric data are increasingly relevant, providing valuable insights for performance monitoring. These data points are often considered sensitive and are subjected to more stringent privacy laws. Therefore, sports organizations must apply heightened security measures to safeguard biometric data. Under regulations like GDPR, the use of biometric data must be carefully managed and comply with extensive reporting requirements.

Overall, the convergence of machine learning and sports emphasizes the importance of having sound privacy strategies. The urgency for sports organizations to acknowledge and address their privacy obligations cannot be overstated.

Failure to adhere to these legal demands is no longer viewed merely as a potential oversight but as malpractice, with dire legal and financial repercussions on the horizon as data breaches and non-compliance grow more consequential.

With data increasingly driving decisions within sports, particularly amid the rise of machine learning applications, organizations must approach privacy with the seriousness it deserves. Ignoring legal obligations could not only harm individual athletes but jeopardize the entirety of the organization, impacting business operations and public perception.