Does sex testing violate privacy laws?

A blue and white wall with a paper sign taped up that says "doping control" with a black arrow pointing left
Image via Rob Sinclair, Flickr

On Tested, you heard about several cases brought before the Court of Arbitration for Sport (CAS) over the past few years by athletes impacted by these eligibility regulations — Dutee Chand, Caster Semenya, and Maximila Imali whose case is still locked up in confidential land (as soon as I can share more with you I will right here on this newsletter!).

Lots has been written about CAS — whether it’s truly neutral, whether its really equipped to handle these kinds of cases, whether it’s an accessible means of justice for athletes, etc — but for better or worse, it’s the first place athletes go when they have disputes. This is not necessarily by choice. Most athletes sign arbitration agreements that say that they must take any disputes to CAS, and nowhere else. In the 2023 World Athletics regulations it says “any dispute arising between World Athletics and a Relevant Athlete (and/or their Member Federation) in connection with these DSD Regulations will be subject to the exclusive jurisdiction of the CAS.”

But CAS is not the only legal option for athletes. In an upcoming newsletter, I’m going to explain what’s going on with Caster Semenya’s ongoing legal battle at the European Court of Human Rights (EHCR). And today, we’re going to talk about a new legal strategy that might help athletes subjected to these rules and regulations.

The doping back door

In the past, most cases around these eligibility rules have focused on the concept of human rights — arguing that the rules as written and enforced violate the human rights of the athletes who have to follow them. That line of argumentation has had some success, but also some failure. World Athletics (as they have pointed out themselves at CAS) is not actually beholden to international human rights law. They are a private organization, not a government body.

This new legal challenge comes at this topic from another angle: privacy. The idea comes from two legal scholars — Marcus Mazzucco, an Adjunct Lecturer of Sports Law at the University of Toronto, and Jensen Brehaut, one of Marcus’s former students who is now pursuing a law degree at Osgoode Hall Law School at York University.

Before we get into the legal strategy at hand, we need to talk a little bit about exactly how sex testing happens these days. You heard on Tested that track and field no longer does mandatory, blanket sex testing. Which means that not all athletes get tested for potential DSDs, only athletes that rise to some unspecified level of suspicion. Exactly what happens after an athlete is flagged is extremely opaque. It seems like sometimes athletes are asked to come in and do additional testing. And sometimes, the biological samples they provide for doping controls, get used to test for potential DSDs.

On page 146, Footnote 115 to Article 23.2.2 of the 2021 World Anti Doping Agency (WADA) code states that “an International Federation could use data from a Doping Control test to monitor eligibility relating to transgender and other eligibility rules.”

The way in which this footnote was added is something that some folks I interviewed find very suspect. Andy Brown, who you didn’t hear on the show but who I spoke with at length in my reporting, has written about this on his blog. True updates to the WADA code are incredibly laborious to make — there is a very long process in which many people must be consulted and approved. But since this was simply a footnote, not a true update to the code, that didn’t have to happen.

It’s hard to say how often this happens. Doping controls and these kinds of secondary tests are highly confidential, and my understanding is that often athletes don’t even know that their biological data that was gathered for one purpose, could be used for another. Which is exactly what the new legal challenge is all about.

Rather than trying to argue directly that the rules are unjust or a violation of human rights, what Mazzucco and Brehaut are arguing is that the method by which these tests are done is a violation of both domestic and international privacy law.

This was something Mazzucco says he’d been thinking about on and off for a while. And in class one day, he mentioned the idea that WADA might be violating privacy laws. The idea piqued the interest of Brehaut, who came up after class and asked about how this could actually be applied — what could actually be done to enforce those laws in this case. And together, Mazzucco and Brehaut published a paper in The International Sports Law Journal outlining their argument.

Buckle up kids, it’s about to get wonky

A cartoon image of two men standing in front of a car. One man, wearing a suit, seems to be trying to sell the car to the other man. Over it, white text says "Slaps roof of car, you would not believe how many acronyms this paper can hold"

In the paper, Mazzucco and Brehaut go through two main privacy laws: Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the EU’s General Data Protection Regulation (GDPR) Mazzucco and Brehaut conclude that there is a genuine privacy violation case to be made in both places. Here is my attempt at summarizing their argument1.

First, they argue that there is a clear difference between using a sample taken for doping to test for its intended purpose — to check for doping violations — and using that same sample to test for a potential DSD. One is what WADA was built to do. The other is something that WADA has no business handling. “In fact, a disclosure for such a purpose would be inconsistent with the intrinsic value that, according to WADA, underpins anti-doping programs, which is the ethical pursuit of human excellence through the dedicated perfection of an athlete’s natural talents,” they write in the paper.

Plus, there are deep issues of consent at play. Athletes often have no idea that international federations are even allowed to use their sample to test for a DSD. “The consent has to be explicit,” says Mazzucco. “It has to be knowledgeable and has to be voluntary. And we don’t think that those requirements exist right now with how consent about this is being obtained.”

Not only do athletes often not even know about this back door, even if they did, there’s also the conundrum of power. There is a huge power differential between an athlete and an international federation like World Athletics. Declining to do a doping test means, in some cases, giving up months to years of your career. Under these conditions, it’s hard to argue that athletes are giving true voluntary consent2.

And even if federations try to argue that consent was fully and explicitly obtained, in some countries, that might not matter. “Under Canada’s privacy laws even if an athlete has consented to have their data used for a certain purpose, if that purpose is inappropriate, then it’s unlawful,” Mazzucco told me. And in their paper, Mazzucco and Brehaut argue that the use of doping control samples to test for DSD conditions is indeed inappropriate. “It cannot be presumed that the valid legal ground that authorizes the processing of personal data for anti-doping purposes (if one exists) extends to the processing of personal data for the purpose of administering sex-based eligibility regulations,” they write.

(I reached out to WADA asking for comment on this paper and the arguments it contains. A spokesperson for the organization declined to do an interview, and wrote: “WADA is aware of the paper you cite. As we always do, we will continue to ensure that our rules and processes remain in line with the relevant laws concerning data privacy and protection.”)

Challenge filed

After concluding that this backdoor DSD testing did constitute a genuine violation of privacy under both EU and Canadian law, Mazzucco and Brehaut went a step further. They actually filed a complaint on behalf of the athletes with the Canadian Office of the Privacy Commissioner (OPC). Under Canadian law, anybody can file a complaint like this — it does not have to be the athletes themselves. And so Mazzucco and Brehaut went ahead and did it, to see what might happen.

Mazzucco and Brehaut can’t file a GDPR complaint themselves — that would require an athlete based in the EU. But they’re hoping that someone picks up on this research, and runs with it.

One of the other interesting benefits to this kind of challenge is that it doesn’t require going to CAS. “The nice thing about these privacy complaints, is that they involve administrative law remedies that are kind of outside the arbitration agreement to athletes,” Mazzucco told me. “So athletes are not barred from bringing a privacy complaint to a to commissioner or data protection authority.”

Mazzucco told me that he’s not confident in predicting the future, but in theory, if the OPC does find that WADA is violating privacy laws, it might ask the organization to stop. “WADA could enter into a voluntary compliance agreement where it agrees to do certain things to stop its non-compliant behavior,” he says. “And we think WADA would probably enter into such an agreement without being forced to do so just because it wants to maintain good relations with regulators.”

Which would mean that the door from doping control to DSD check would be closed.

Case closed? Not exactly

This would not prevent international federations like World Athletics from collecting data for sex testing themselves. Any international federation could decide to do this kind of data collection and analysis on their own. But it would be expensive, and many international federations — particularly smaller ones — likely don’t have the resources or expertise to do so.

But Mazzucco says that even if an organization like World Athletics set up their own, proprietary process for collecting data to figure out who might have a DSD there might still be a privacy argument to be made here. “Our research suggests that even if there’s a separate testing regime where you don’t have doping control data — it’s solely data that’s obtained that used for eligibility purposes — I don’t see how that can comply with some of these data protection laws.”

Just like consent doesn’t magically make this kind of information processing legal, neither does doing it yourself directly. Again, Mazzucco points to the concept of “lawfulness” — data processed and shared must be gathered for lawful purposes. And he and Brehaut argue that in some countries, the very concept of testing someone’s testosterone level in order to potentially ban them or require them to make biomedical changes to compete, would not hold up as lawful.

In Canada, for example, there are so-called “no-go zones” — certain uses of data that are simply not allowed. One of those zones involves data analytics “that results in inferences being made about individuals or groups, with a view to profiling them in ways that could lead to discrimination based on prohibited grounds contrary to human rights law.” Another is “collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual.” Both of these seem quite applicable to athletes who are tested and ultimately fall under the DSD eligibility policies.

The EU’s General Data Protection Regulation (GDPR) law has similar guardrails around what it considers “sensitive” personal information — which a person’s DSD status certainly falls under. In order for the processing of such data to be lawful, it has to have what Mazzucco describes as “substantial public interest on the basis of EU or EU member state law.”

Let’s take that in two parts, shall we? First, what counts as “substantial public interest?” There is no singular test or definition here, but according to GDPR a substantial public interest needs to one that benefits the general public and not just the private interests of an organization3. And in cases where it might apply to an organization, the goals of that organization have to be high level — things like providing healthcare or government benefits, employment protection, or safeguarding public health.

But it’s really the second part of that phrase that matters: “on the basis of EU or EU member state law.” What that means is that it actually doesn’t matter whether World Athletics, or even CAS believes that there is “substantial public interest.” That interest has to be enshrined in a specific EU wide, or individual EU state law. In other words, someone would have to put a specific law on the books that states that sex testing is necessary for the good of the public.

“You would need to have some EU member state pass a law authorizing the IAAF to use, personal data to enforce these regulations. And I’m not sure how many countries would want to do that,” Mazzucco told me.

And even if a country did put a law like this one the books, in this long chain of hypotheticals we’re building together, Mazzucco still doesn’t think it would hold up to GDPR. “Even if such a law existed, we don’t think it would meet the other requirements in the GDPR,” he told me. “Specifically, be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.” Because again, you’d be running into no-go zones around unethical treatment, harm, and loss of business or professional opportunities.

What does this all mean????

This is all a little bit wonky, I know. But the main gist is that right now it seems like WADA is violating several privacy laws when they allow federations to use the data to check for DSDs. And that even if WADA stopped letting sporting agencies use their data in this way, the collection of biomedical data for DSD eligibility policies might never be able to pass privacy law standards in Canada and the EU.

When Mazzucco emailed me telling me about this paper, I got pretty excited. Because for years I’ve been wondering if lawyers were going to pick up on this route4. It seemed fairly obvious to me — a former tech reporter who’s covered privacy a fair amount — that both WADA and international federations like World Athletics, were playing with fire on the privacy front. Allowing sensitive personal data like this to be used for purposes it was not collected for is pretty low hanging fruit, privacy violation wise.

And one thing I’ve long wondered is this: do international federations simply not know about privacy law? Why is WADA allowing this, knowing that it will almost certainly not hold up in court? Before they filed their complaint Mazzucco and Brehaut reached out to WADA to talk — letting them know about this analysis. They told me that WADA took the meeting, but didn’t seem all that concerned.

Here’s what Mazzucco said when I asked him: “Who knows what happens behind the scenes. Maybe they did seek legal advice, and the decision was still to go ahead and take the risk. Let let a regulator tell us that we’re violating the law, and then switch your practices. You see that all the time with organizations making calculated business decisions, right? But I think the other perspective is that they don’t care. And I hate to say it, but that’s a common theme in international sport organizations. They know all these laws exist, but they think they’re exempt from them somehow. Because sport is special. Sport is unique. And it shouldn’t be bound by the same act, norms or laws that apply to everyone else.”

Whether that’s actually true might be determined by the courts.

Mazzucco and Brehaut are still waiting to hear back about their complaint to the Canadian Office of the Privacy Commissioner (OPC). When they do, I’ll let you know what happens next.

Footnotes

  1. I am not a lawyer! I fact checked this newsletter with Mazzucco but any mistakes in the explanation are mine, not his. Please read the original article if you want the full explanation in full legal paper glory. ↩︎
  2. This consent argument is one that a lot of folks are wary of taking too far. Because if you really go down this road, you have to admit that basically all doping controls are non-consentual. And if that’s the case, then you can’t test for doping at all. “We’re a bit doubtful about how far you can take that position because it applies to other areas of sport, like anti-doping,” Mazzucco says. “It’s all built on consent. And so to take a hard stance could impact the whole doping system.” ↩︎
  3. Who decides whether something counts as “substantial public interest” you might ask? I wondered that too, and Mazzucco told me that there isn’t some singular body that rules on this, but essentially it’s up to governments to decide. He pointed me to the UK’s guidance on this question, for example, which lays out 23 substantial public interest conditions. Two of those directly address sports. One allows for doping, and the other allows for data processing that “is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event.” Some might argue that eligibility policies are necessary to protect the integrity of sport (World Athletics has made this argument in the past). But within that provision, it stills says that whatever data processing is done “necessary for reasons of substantial public interest.” Which loops us back around. Don’t you love law? ↩︎
  4. The other argument I’ve wondered whether anybody was going to run with is something that comes from biomedical ethics called the “right not to know.” The idea here is that people should have the right not to find out information about themselves that they don’t desire. So if you get test results, and you don’t want to know what they say, a doctor can’t force you to find out. This idea is still controversial in some realms (some argue that you have an ethical obligation to know, if the information might impact your family, or cost money to the healthcare system). But in the case of women who are required to test for a DSD, and then informed of that diagnosis whether they like it or not, they’re certainly not being given the right not to know. ↩︎