1 Introduction

Increasingly, international sport federations (IFs) are adopting eligibility regulations for their male and female competition categories in recognition that the traditional sex binary does not account for intersex and transgender (trans) athletes who participate in sport. Indeed, in 2021, the International Olympic Committee (IOC) released its Framework on Fairness, Inclusion and Non-Discrimination on the Basis of Gender Identity and Sex Variations, which expressed the IOC’s position that it is for each sport governing body—particularly those responsible for organizing elite-level competition—to determine the eligibility of intersex and trans athletes in a sport, discipline, or event.Footnote 1 At least eighteen IFsFootnote 2 that belong to the Olympic Movement have established sex-based eligibility regulations to regulate the participation of intersex and/or trans athletes in international competitions,Footnote 3 and it is likely that additional IFs will follow suit.Footnote 4 The purported objective of these eligibility regulations is to ensure fairness in the female competition category due to perceptions that intersex athletes (specifically, female athletes with hyperandrogenism, also known as female athletes with “sex variances” or “differences of sexual development”) and trans women athletes have certain physiological characteristics that provide them with a performance advantage over other female athletes.Footnote 5 The physiological trait that has received the most attention in these eligibility regulations is serum testosterone and its androgenizing effect on the body. For example, the eligibility regulations of World AthleticsFootnote 6 and World AquaticsFootnote 7 exclude from competition trans women athletes who transitioned after puberty (due to their exposure to testosterone during male puberty) and exclude from competition trans women athletes who transitioned before male puberty as well as intersex athletes, if their serum testosterone levels have not been below 2.5 nmol/L for a defined period of timeFootnote 8 and are not continuously maintained below that threshold.

The regulation of serum testosterone levels to determine the eligibility of intersex and trans women athletes for the female classification engages several human rights, including the right to non-discrimination, the right to bodily integrity, and the right to information privacy. With respect to the right to non-discrimination, the eligibility regulations are prima facie discriminatory because they make distinctions on the basis of sex,Footnote 9 gender identity,Footnote 10 and/or genetic characteristics.Footnote 11 As a result, an IF would be required to demonstrate that the discrimination is justified (i.e., necessary, reasonable, and proportionateFootnote 12), to avoid violating the right to non-discrimination found in applicable law.Footnote 13 With respect to the right to bodily integrity, the eligibility regulations may require intersex and trans women athletes to undergo invasive physical examinations to assess their degrees of virilization from testosterone exposureFootnote 14 and/or require athletes to maintain their serum testosterone levels below certain thresholds through the use of medical interventions, such as medications.Footnote 15 Finally, with respect to the right to information privacy, it has been acknowledged that the eligibility regulations make it practically impossible for an athlete to maintain the confidentiality of their status as intersex or trans.Footnote 16 This is because the regulations make intersex and trans women athletes ineligible for international competitions during periods of time when their serum testosterone levels are not below certain thresholds.Footnote 17 As a result, when an athlete is noticeably absent from international competition due to their testosterone level exceeding a certain threshold, but the athlete is still competing at the national level where the same eligibility restrictions do not exist, the sport community and media may deduce that the athlete is intersex or trans and ineligible under the IF’s regulations—particularly, where they are a top-ranking athlete.

Another aspect of the right to information privacy is the right to have one’s personal information processed (i.e., collected, used, and disclosed) lawfully pursuant to a valid legal ground or base, such as the consent of the data subject or legislative authority.Footnote 18 This principle of lawfulness is a fundamental aspect of many national and supranational data protection laws.Footnote 19 The principle is especially relevant where an IF lawfully collects an athlete’s personal information for anti-doping purposes (for e.g., to analyze an athlete’s serum testosterone level to determine the presence or use of a prohibited substance),Footnote 20 and subsequently seeks to use that personal information to administer sex-based eligibility regulations that regulate testosterone levels. The valid legal base used to process the athlete’s personal information for anti-doping purposes may not extend to the processing of the same personal information for sex-based eligibility purposes, and without a separate legal base to authorize such processing for eligibility purposes, the principle of lawfulness under applicable data protection laws will be violated.

Despite this overriding principle of lawfulness, the World Anti-Doping Agency (WADA)’s World Anti-Doping Code (WADC) provides that anti-doping organizations, such as IFs, may use data from a doping control test to monitor compliance with sex-based eligibility regulations that apply to intersex and trans athletes. This contemplated use of doping data to administer sex-based eligibility regulations is described in several articles of the WADCFootnote 21 and WADA’s International Standards,Footnote 22 and has also been incorporated into the regulations of at least nine IFs.Footnote 23 Scholars,Footnote 24 human rights groups,Footnote 25 and journalistsFootnote 26 have criticized WADA’s explicit allowance of the use of doping control data to administer sex-based eligibility regulations due to broadly-framed concerns that this type of data processing violates athletes’ privacy rights.

An IF’s use of doping control data to administer sex-based eligibility regulations is facilitated by WADA’s Anti-Doping Administration Management System (ADAMS).Footnote 27 ADAMS is a web-based database managed by WADA in Canada that contains analytical results from doping control tests and is accessible by anti-doping organizations. WADA’s processing of personal information through ADAMS is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA),Footnote 28 which includes several requirements relating to the principle of lawfulness.Footnote 29 PIPEDA does not apply to the processing of doping control data by IFs for eligibility purposes due to PIPEDA’s limited scope, as further explained below. However, other data protection laws that enshrine the principle of lawfulness do apply to the use of doping control data by IFs for the purpose of administering sex-based eligibility regulations—whether that use of data occurs through or outside of ADAMS. These other data protection laws include the European Union (EU)’s General Data Protection Regulation (GDPR),Footnote 30 which has broad scope and effect due to its territorial application.Footnote 31

The purpose of this paper is twofold: (1) to examine WADA’s compliance with PIPEDA when it discloses doping control data through ADAMS to an IF for the purpose of the IF’s administration of sex-based eligibility regulations, and (2) to examine an IF’s compliance with the GDPR when it uses doping control data (through or outside of ADAMS) to administer sex-based eligibility regulations.

The paper is organized in several subsequent parts. Section 2 provides an overview of the anti-doping system to understand the processing of personal data for anti-doping purposes (including the types of personal data, the data controllers or processors involved, and the legal bases used to authorize the data processing) and explores how and why IFs might use doping control data to administer their sex-based eligibility regulations. Section 3 discusses WADA’s non-compliance with PIPEDA when it discloses doping control data through ADAMS to an IF for the purpose of the IF’s administration of sex-based eligibility regulations, and how a complaint about WADA’s data disclosures might be handled by Canada’s Privacy Commissioner. Section 4 examines the application of the GDPR to an IF’s collection and use of doping control data for the purpose of administering sex-based eligibility regulations and the implications of any violations of the GDPR. Finally, Sect. 5, provides concluding remarks about how athletes can use data protection laws to challenge the implementation of sex-based eligibility regulations, alongside other existing legal strategies.

2 Framework for the processing of personal data for anti-doping purposes and other purposes

2.1 WADA and the WADC

The WADC was created by WADAFootnote 32 and serves as the “fundamental and universal document upon which the World Anti-Doping Program in sport is based.”Footnote 33 All of the provisions in the WADC are mandatory in substance and must be followed, as applicable, by WADAFootnote 34 and each anti-doping organization that has signed the WADC, such as IFs, the IOC, the International Paralympic Committee (IPC), major event organizations,Footnote 35 national Olympic committees, and regionalFootnote 36 or national anti-doping organizations (NADOs).Footnote 37 However, each anti-doping organization (aside from WADA) must adopt its own anti-doping rules that comply with the mandatory aspects of the WADC.Footnote 38

Anti-doping organizations are also required to comply with WADA’s International Standards for specific technical and operational aspects of their anti-doping programs,Footnote 39 including the International Standard for Testing and Investigations,Footnote 40 the International Standard for Laboratories,Footnote 41 the International Standard for Results Management,Footnote 42 and the International Standard for the Protection of Privacy and Personal Information.Footnote 43 The International Standards are supplemented by WADA’s non-binding guidelines on various subjects, including the protection of privacy and personal information.Footnote 44

2.2 Testing authority of anti-doping organizations

Together, the WADC and the International Standard for Testing and Investigations (ISTI) set out the rights and obligations of anti-doping organizations in relation to testing. Testing is a central aspect of the doping control process, and it encompasses test distribution planning, the collection and handing of samples, and the transportation of samples to laboratories for analysis.Footnote 45 Article 5.1 of the WADC provides that testing may be undertaken for any anti-doping purpose, such as obtaining analytical evidence as to whether an athlete’s sample contains a prohibited substance or whether an athlete has used a prohibited substance in violation of the WADC. Importantly, however, the annotated commentFootnote 46 to article 5.1 of the WADC states that where testing is conducted for anti-doping purposes, the analytical results and data may be used for other legitimate purposes under the anti-doping organization’s rules.Footnote 47

Anti-doping organizations, including WADA,Footnote 48 have authority to conduct in-competition and out-of-competition tests of athletes within their respective jurisdiction,Footnote 49 which may be determined by the athlete’s nationality, the athlete’s place of residence or location in a particular country (as is the case for the jurisdiction of NADOsFootnote 50), or the athlete’s participation in events governed by the anti-doping organization (as is the case for the jurisdiction of IFs, the IOC, the IPC and other major event organizationsFootnote 51). Anti-doping organizations may work together to delegate any part of testing amongst each other to ensure coordination, avoid duplication of effortsFootnote 52 and, in the case of event testing, that only a single organization is responsible for testing.Footnote 53

The anti-doping organization with testing authority is responsible for collecting an athlete’s blood or urine sample.Footnote 54 During the sample collection process, the relevant anti-doping organization must ensure that certain information is recorded, including the athlete’s name, date of birth and ‘sport gender’, any medications and supplements recently taken by the athlete, and the athlete’s acknowledgement of the processing of their personal data.Footnote 55 This information does not need to be recorded in a single document,Footnote 56 but WADA has provided anti-doping organizations with a template doping control form that is intended to comply with the recordkeeping and process requirements set out in the WADC and the International Standards.Footnote 57

The sample collected from the athlete is subsequently sent by the anti-doping organization with testing authority to a laboratory.Footnote 58 The laboratory may conduct analytical testing of the sample to determine the presence of a prohibited substance or its metabolites or markers,Footnote 59 or employ analytical methods to measure certain variables in the sample as part of the athlete’s biological passport, such as the athlete’s serum testosterone levels.Footnote 60 The laboratory must report its test results in ADAMS.Footnote 61 If the laboratory’s analysis of the athlete’s sample does not indicate an anti-doping rule violation, then the sample may be retained for subsequent testing, including testing for the purposes of monitoring compliance with eligibility regulations.Footnote 62

2.3 ADAMS

In accordance with article 14.5 of the WADC, WADA is required to develop and manage a doping control information database. Currently, this database exists in the form of ADAMS, which is operated and managed by WADA from its headquarters in Quebec, Canada.Footnote 63 Various types of doping control-related information must be reported to WADA through ADAMS, including the whereabouts informationFootnote 64 of athletes in registered testing pools,Footnote 65 doping control forms used to collect samples for in-competition and out-of-competition tests,Footnote 66 and the analytical results from doping control tests.Footnote 67

The personal data about an athlete that is stored in ADAMS is made accessible to anti-doping organizations that have testing authority over an athlete.Footnote 68 This personal data includes basic demographic information, whereabouts information, information recorded during the sample collection process on a doping control form, laboratory test results, and biological passport data, such as steroidal blood marker values and ratios.Footnote 69 Anti-doping organizations with access to this personal data in ADAMS are authorized to process the data where necessary and appropriate to conduct their anti-doping activities under the WADC and International Standards, in compliance with the International Standard on the Protection of Privacy and Personal Information and applicable law.Footnote 70 However, as discussed in Sect. 2.5 of this paper, the WADC and WADA’s policies also permit anti-doping organizations to use doping control data (including the data in ADAMS) for non-doping purposes, such as monitoring compliance with eligibility regulations that apply to intersex and trans women athletes.Footnote 71

Although ADAMS is meant to serve as a clearing-house for doping control data,Footnote 72 an anti-doping organization can access the data in ADAMS and store it in a separate database managed by the anti-doping organization. Data in the separate database can then be used and disclosed by the anti-doping organization outside of ADAMS.Footnote 73

2.4 Data protection laws applied to anti-doping activities

One of the stated purposes of the World Anti-Doping Program is to ensure that all anti-doping measures comply with human rights,Footnote 74 including the right to information privacy. To advance this purpose, the WADC and International Standards include several provisions related to confidentiality and data privacy.Footnote 75 The International Standard for the Protection of Privacy and Personal Information (ISPPPI), in particular, prescribes a minimum set of requirements for the processing of personal information by anti-doping organizations in the context of their anti-doping activities.Footnote 76 The requirements take into account various international and national data protection standards and laws, including the GDPR.Footnote 77 However, the requirements in the ISPPPI are not intended to replace the data protection laws that apply to anti-doping organizations, which may be numerous and overlapping in their application due to the geographic distribution of anti-doping organizations and the cross-border exchange of personal information that occurs for anti-doping activities. Where these applicable data protection laws are stricter than the ISPPPI, the data protection laws will prevail.Footnote 78 Further, where an anti-doping organization’s compliance with the data protection laws would result in its non-compliance with the ISPPPI, there are no enforcement consequences for the anti-doping organization under the WADC.Footnote 79

One of the key requirements in the ISPPPI is that anti-doping organizations can only process personal information in accordance with a valid legal ground. As noted earlier, this requirement is based on the principle of lawfulness set out in many data protection laws. The ISPPPI provides a non-exhaustive list of valid legal grounds for data processing that are intended to mirror those set out in the GDPR:Footnote 80

6.1 Anti-Doping Organizations shall only Process Personal Information in accordance with a valid legal ground, which can include:

  1. a)

    Compliance with legal obligations, performance of a public interest task, where necessary for reasons of substantial public interest, public health, or fulfillment of a contract, or to protect the vital interests of the Participant and other Persons; or

  2. b)

    Where permitted, consent of a Participant or other Person, which shall be informed, freely given, specific and unambiguous […].Footnote 81

The ISPPPI further states that, where an anti-doping organization processes sensitive personal data (e.g., health information)Footnote 82 on the basis of consent, the explicit consent of the data subject must be obtained (as opposed to implied consent).Footnote 83 This additional requirement for sensitive personal data is consistent with data protection laws, including PIPEDA and the GDPR, as further discussed in Sects. 3 and 4 of this paper.

Finally, with respect to disclosures of personal information by an anti-doping organization (including WADA) to other anti-doping organizations, the ISPPPI provides that the disclosing organization must ensure, among other things, that the receiving organization has a right, authority or need to obtain the personal information, that the receiving organization can comply with the ISPPPI (including having a valid legal ground for its processing of the information), and that the disclosure is permitted under applicable law.Footnote 84

The processing of personal data for anti-doping purposes pursuant to a valid legal ground specified in data protection laws has received attention from data protection regulators and researchers. For example, the European Data Protection Board established under the GDPR (and its predecessorFootnote 85) has questioned the applicability of various legal grounds to the data processing conducted by anti-doping organizations, particularly the legal ground of consent.Footnote 86 Similarly, Kornbeck has reviewed the applicability of the valid legal grounds permitted under the GDPR and has concluded that only athlete consent and legislative authorityFootnote 87 are theoretical options based on European case law. However, as an important caveat, Kornbeck notes that relying on athlete consent as a legal ground may be highly problematic due to the power imbalance between an athlete and their anti-doping organization, the mandatory nature of anti-doping rules, and the legal requirement for consent to be freely given.Footnote 88 The potential risk with relying solely on athlete consent as a valid legal ground for anti-doping data processing is also discussed in WADA’s Guidelines for the ISPPPI:

Where alternative legal grounds to consent exist in a legal framework, these alternatives can be considered more appropriate for the anti-doping context by some. This is because anti-doping activities are a mandatory feature of sport and cannot be refused or rejected by athletes who wish to participate in sport.Footnote 89

As an alternative to consent, some anti-doping organizations, such as NADOs, may rely on legislative obligations or authorities to process personal data for anti-doping purposes under national laws. Such laws have been made or enacted by national governments in order to fulfill their commitment to facilitate anti-doping measures in their countries under the United Nations Educational, Scientific and Cultural Organization (UNESCO) International Convention against Doping in SportFootnote 90 or the Council of Europe Anti-Doping Convention.Footnote 91 These national laws include Germany’s Anti-Doping Act,Footnote 92 Austria’s Federal Anti-Doping Act,Footnote 93 and the Netherlands’ Anti-doping Policy Implementation Act.Footnote 94

Despite concerns about the applicability of the legal ground of consent to process personal data for anti-doping purposes, it appears that consent is the legal ground preferred by WADA and other anti-doping organizations, based on their data policies and practices. In a 2017 study of anti-doping laws and practices of EU member states, it was found that most NADOs relied upon consent as the legal basis to process personal data for anti-doping activities, even where anti-doping legislation existed and provided an alternative (and stronger) legal ground.Footnote 95

This reliance on consent as a valid legal ground to process personal data is also reflected in the requirements set out in the WADC and the International Standards. As noted earlier, anti-doping organizations are required to record certain information in a doping control form during the sample collection process,Footnote 96 including information regarding the athlete’s consent to data processing for the doping control process and the athlete’s consent to data processing for anti-doping research.Footnote 97 The athlete’s consent to the processing of their personal data for the doping control process is, for all intents and purposes, mandatory as the athlete is required to grant consent to avoid an anti-doping rule violationFootnote 98 and possibly avoid other disciplinary action under an anti-doping organization’s rules.Footnote 99 In contrast, the athlete’s consent to the processing of their personal data for anti-doping research can be viewed as voluntary, at least from the perspective that granting consent is not required to comply with the doping control process.Footnote 100

2.5 Use of doping control data to administer sex-based eligibility regulations

Several provisions in the WADC and the International Standards permit IFs to use doping control data for non-doping purposes, such as monitoring compliance with eligibility regulations that apply to intersex and trans women athletes.Footnote 101 This doping control data includes the athlete’s sample (which may be subjected to non-doping testing)Footnote 102 and the analytical results obtained from laboratory doping tests of the sample (e.g., serum testosterone levels), but would not include whereabouts information, which, as per the WADC must be exclusively used for doping control purposes.Footnote 103 However, the WADC prohibition on using whereabouts information for non-doping purposes may have a practical loophole where the information is used to conduct a doping control test and the results from that test or the sample collected are subsequently used to monitor compliance with eligibility regulations, thus creating a link between the whereabouts information and the implementation of the eligibility regulations.Footnote 104 Additionally, an IF may attempt to circumvent the WADC prohibition by requiring athletes to agree to provide their anti-doping whereabouts information to the IF for the purpose of monitoring compliance with sex-based eligibility regulations.Footnote 105

ADAMS facilitates this secondary use of doping control information since anti-doping organizations are required to report the information to WADA through ADAMS.Footnote 106 WADA, as the data controller or custodian that manages ADAMS, subsequently discloses the doping control data to IFs for their own data processing activities. Although some of the IF’s subsequent data processing activities may occur outside of ADAMS, those activities are only made possible by WADA’s initial disclosure of the data through ADAMS.Footnote 107

From the perspective of an IF, there are obvious advantages in relying on doping control data to administer sex-based eligibility regulations. It is administratively and operationally efficient to use data originally collected for doping control purposes for the secondary purpose of determining athlete eligibility under IF regulations. The World Anti-Doping Program consists of a vast network of anti-doping organizations and laboratories that are required to follow certain rules and standards to ensure the quality and integrity of their activities, and these organizations exchange athletes’ personal data through an established web-based database in the form of ADAMS. By leveraging this system of organizations, standards, and information technology, IFs would not need to invest considerable time, money, or resources to develop a parallel system solely to administer its eligibility regulations. In addition, an argument can be made that relying on doping control data to administer eligibility regulations minimizes further intrusion on the privacy rights of athletes who would otherwise be subjected to a separate system of personal data processing for eligibility purposes. It is, therefore, not surprising that at least nine IFs have adopted rules that describe their use of doping control data to administer sex-based eligibility regulations.Footnote 108

The difficulty with accepting the above advantages as fair and legitimate is that they ignore a key aspect of the right to information privacy—that is, the right to have one’s personal information processed on a valid legal ground. It cannot be presumed that the valid legal ground that authorizes the processing of personal data for anti-doping purposes (if one existsFootnote 109) extends to the processing of personal data for the purpose of administering sex-based eligibility regulations. For example, national anti-doping legislation that provides a legal basis for the processing of personal data for anti-doping purposes will not apply to the processing of personal data for eligibility purposes. Similarly, consent that is specifically obtained to process data for anti-doping purposes will not authorize the subsequent processing of the personal data for purposes that are incompatible with anti-doping purposes, making it necessary for an IF to obtain separate consent for the secondary data processing.Footnote 110

On this issue of ensuring that a valid legal base exists to use doping control data to administer sex-based eligibility regulations, little direction or guidance can be found in the WADC, the International Standards, or WADA’s privacy policies. For example, in WADA’s privacy policy for ADAMS it states that, where an anti-doping organization uses data contained in ADAMS for other purposes, including to monitor compliance with eligibility regulations, this falls outside of WADA’s control or responsibility and outside the scope of the WADC and the International Standards.Footnote 111 This is seemingly at odds with the requirements in the ISPPPI for disclosing personal data, which apply to WADA as an anti-doping organization that discloses doping control data through ADAMS. As noted above, the ISPPPI provides that the disclosing organization must ensure that the receiving organization has a right, authority or need to obtain the personal information, and that the disclosure is permitted under applicable law. WADA’s defence to this apparent non-compliance with the ISPPPI may be that requirements in the ISPPPI only apply to the processing of personal data in the context of anti-doping activities, and not to other activities.Footnote 112 Finally, with respect to WADA’s template doping control form, WADA’s non-binding instructions for using the form encourage anti-doping organizations to make adjustments to meet requirements under applicable laws or to reflect an anti-doping organization’s data processing practices, including the intended use of doping control data for non-anti-doping purposes under eligibility regulations.Footnote 113

There is a clear disconnect between WADA’s explicit allowance in the WADC and the International Standards for IFs to use doping control data in ADAMS to administer eligibility regulations and WADA’s laissez-faire stance on whether such data processing is and must be based on a valid legal ground that is permitted under data protection laws. This dissonance is particularly concerning since WADA is the data controller or custodian disclosing the data to anti-doping organizations through ADAMS and therefore acting as the catalyst for the use of doping control information for sex-based eligibility purposes.

The anti-doping rules and privacy policies of IFs are similarly vague and conflicting on the purported legal ground for using doping control data to administer sex-based eligibility regulations. For example, the anti-doping rules adopted by World Athletics state that doping control data may be used for any legitimate purpose under World Athletics’ other rules or regulations, including the monitoring of eligibility.Footnote 114 Given the contractual nature of an IF’s anti-doping rules it is reasonable to assume that the inclusion of such a provision in World Athletics’ anti-doping rules reflects an intent to rely on athlete consent for the processing of doping control data for eligibility purposes. However, the privacy policy of World Athletics’ Integrity Unit asserts a different legal ground for the use of doping control data to administer sex-based eligibility regulations that invokes World Athletics’ “legitimate interests.”Footnote 115

In summary, based on a review of the data protection rules and practices utilized in the anti-doping system, it does not appear that the use of doping control data to administer sex-based eligibility regulations is based on a valid legal ground that complies with data protection laws. The subsequent two sections of this paper examine this issue with reference to Canada’s PIPEDA (which applies to WADA’s disclosure of doping control data to IFs through ADAMS) and the EU’s GDPR (which applies in varying degrees to the use of doping control data by IFs to administer sex-based eligibility regulations).

3 Canada’s PIPEDA

3.1 Application and scope

PIPEDA was enacted by the Canadian government on April 13, 2000. The statute regulates a private organization’s processing of personal informationFootnote 116 in Canada in the course of commercial activities.Footnote 117 One of the objectives of the Canadian Government in enacting PIPEDA was to reassure the EU that Canadian privacy laws provided an adequate level of protection of personal data being transferred from the EU to Canada.Footnote 118 In 2001, the European Commission issued a decision pursuant to article 25(2) of Data Privacy Directive 95/46/EC (the “1995 Directive”) confirming the adequate level of protection afforded by PIPEDA.Footnote 119 The adequacy decision was reaffirmed in 2006, and again in May 2018 pursuant to the GDPR (which repealed and replaced the 1995 Directive).Footnote 120

In 2015, PIPEDA was amended to specifically regulate WADA’s processing of personal information for interprovincial and international activities. The amendments were requested by WADA after it consulted the EU’s Article 29 Working PartyFootnote 121 on the ISPPPI and its compliance with the 1995 Directive.Footnote 122 One of the concerns raised by the Article 29 Working Party was that ADAMS was subject to Quebec’s privacy legislation, and not PIPEDA.Footnote 123 It was not subject to PIPEDA because WADA’s processing of personal data in ADAMS was not for a commercial activity. This was problematic for two reasons. First, Quebec’s privacy legislation only applied to data processing activities within Quebec, and ADAMS allowed for the processing of data internationally. Second, Quebec’s privacy legislation had not been subject to a decision from the European Commission that it provided an adequate level of protection for the personal data transferred from the EU to Canada. The Canadian Government heeded WADA’s request to be subject to PIPEDA and amended the statute accordingly.Footnote 124 The amendment was significant as it set a precedent to broaden the application of PIPEDA to regulate the data processing activities of a specific private organization (i.e., WADA) for non-commercial activities.Footnote 125

PIPEDA requires organizations to follow ten fair information principles,Footnote 126 two of which relate to an individual’s right to have their personal information processed on a valid legal ground: (1) processing personal information only for an appropriate purpose, and (2) processing personal information with an individual’s meaningful consent. The following sections apply these principles to WADA’s disclosure of doping control data in ADAMS to an IF for the purpose of the IF’s administration of sex-based eligibility regulations.Footnote 127

3.2 Appropriate purpose

Subsection 5(3) of PIPEDA states that an organization may process personal information only for purposes that a reasonable person would consider appropriate in the circumstances. The provision has been described by Canada’s Privacy Commissioner as follows:

Subsection 5(3) [...] is a critical gateway that either allows or prohibits organizations to collect, use or disclose personal information, depending on their purposes for doing so. It is the legal boundary that protects individuals from the inappropriate data practices of companies. It separates those legitimate information management practices that organizations may undertake in compliance with the law, from those areas in which organizations cannot venture, also known as “No-go zones”.Footnote 128

Importantly, compliance with subsection 5(3) of PIPEDA is an overarching requirement that applies even if an organization is compliant with all other provisions in the statute.Footnote 129 For example, if an organization has an individual’s consent to process their personal information for a specific purpose, such processing will still violate PIPEDA if the purpose is considered inappropriate.Footnote 130 The requirement to have an appropriate purpose for the processing of personal data is therefore superimposed on the obligation to have a valid legal ground for the data processing and is part of the broader privacy principle of lawfulness.

3.2.1 Factors to Assess the Appropriateness of a Purpose

Canadian courts have stated that subsection 5(3) of PIPEDA must be interpreted in light of the underlying purpose of the statute, which is to balance an individual’s right to the privacy of their personal information with an organization’s need to process that information.Footnote 131 This balancing of interests is “viewed through the eyes of a reasonable person”Footnote 132 and is reflected in the following five factors used by Canadian courts to determine whether a purpose is inappropriate:

  1. 1.

    The degree of sensitivity of the personal information at issue;

  2. 2.

    Whether the organization’s purpose represents a legitimate need / bona fide interest;

  3. 3.

    Whether the processing would be effective in meeting the organization’s needs;

  4. 4.

    Whether there are less invasive means of achieving the same ends at comparable cost and with comparable benefits; and

  5. 5.

    Whether the loss of privacy is proportional to the benefits.Footnote 133

The application of the above factors must be conducted in a contextual manner and look at the particular facts surrounding the data processing, as those facts exist today.Footnote 134

When applying the above five factors to WADA’s disclosure of doping control data in ADAMS to an IF for the purpose of the IF’s administration of sex-based eligibility regulations, it is clear that the purpose of WADA’s disclosure is inappropriate. With respect to the first factor, the doping control data in ADAMS is highly sensitive personal health information. It includes an athlete’s blood parameters obtained from doping control tests and an athlete’s biological passport, including serum testosterone levels.Footnote 135 This information is also classified as sensitive personal data by WADA.Footnote 136

With respect to the second factor, WADA does not have a legitimate need or bona fide interest in disclosing the personal information for the purpose of assisting an IF to administer sex-based eligibility regulations. WADA’s responsibilities are specific to overseeing anti-doping programs and do not include determining, or assisting in the determination of, athlete eligibility for international competitions based on sex or gender characteristics. This distinction between anti-doping rules and eligibility rules was described by a panel of the Court of Arbitration for Sport (CAS) in the arbitration proceeding between Dutee Chand and World Athletics (then known as the International Association of Athletics Federations).Footnote 137 In that case, Chand unsuccessfully argued that eligibility regulations that seek to regulate an athlete’s level of endogenous testosterone as a condition of eligibility amounted to an impermissible ban on naturally-occurring testosterone that violated the WADC. In rejecting this argument, the CAS panel noted that eligibility rules “establish objective conditions that regulate the ability of individual athletes to participate in particular categories of athletic competition” and, by contrast, “anti-doping sanctions seek to punish and deter certain prohibited conduct, namely the deliberate or inadvertent ingestion of performance enhancing substances.”Footnote 138 Accordingly, the CAS panel concluded that the IAAF’s eligibility regulations had “nothing to do with doping.”Footnote 139

The fact that an IF receiving doping control data from WADA through ADAMS may have a legitimate need or bona fide interest to collect and use the information to administer its eligibility regulations is not relevant to the PIPEDA analysis, as the focus is on WADA as the disclosing organization. WADA neither has a legal duty nor an organizational objective to disclose doping control data to an IF for the purpose of the IF’s administration of eligibility regulations, particularly eligibility regulations that regulate serum testosterone levels that are naturally-occurring in many cases.Footnote 140 In fact, a disclosure for such a purpose would be inconsistent with the intrinsic value that, according to WADA, underpins anti-doping programs, which is the ethical pursuit of human excellence through the dedicated perfection of an athlete’s natural talents.Footnote 141

Concerning the third factor that assesses whether the disclosure would be effective in meeting the organization’s needs, the analysis and conclusion are similar to that of the second factor. More specifically, because WADA’s organizational needs are specific to anti-doping and therefore unrelated to an IF’s need to administer sex-based eligibility regulations, it follows that the disclosure is not effective in meeting WADA’s organizational needs. Again, the analysis of this factor would be different if WADA had an institutional role in the sport system that extended beyond anti-doping to include broader principles relevant to sex-based eligibility regulations, but it does not. As a comparison, it is helpful to consider the unique institutional roles of the IOC or associations of IFs and how they differ from WADA. The IOC, for example, is the supreme authority of the Olympic Movement and, pursuant to the Olympic Charter, is tasked with ensuring that certain fundamental principles are respected in sports belonging to the Olympic Movement, such as the principles of fair play and non-discrimination.Footnote 142 In accordance with this institutional role, the IOC has issued the Framework on Fairness, Inclusion and Non-Discrimination on the Basis of Gender Identity and Sex Variations to guide IFs in their development and implementation of eligibility regulations.Footnote 143 Similarly, associations of IFs, such as the Association of Summer Olympic International Federations, have missions and objectives to support their member federations in independently and autonomously governing their respective sports, including determining athlete eligibility for such sports.Footnote 144

With respect to the fourth factor that considers whether there are less invasive means of achieving the same ends at a comparable cost and with comparable benefits, again, the analysis must consider the perspective of WADA, and not IFs. From the perspective of WADA, disclosing data in ADAMS for the purpose of enabling IFs to administer sex-based eligibility regulations would avoid the need for IFs to collect the testosterone-level data through other means—such as, a separate testing regime. This alternative scenario would arguably have little to no impact on WADA from an operational or financial perspective. While a theoretical argument could be made that a separate testing regime for eligibility purposes could have an indirect impact on the anti-doping programs overseen by WADA due to the potential for conflict between anti-doping and eligibility testing authorities or a strain on finite laboratory resources, there is no evidence to support such a claim. From a data privacy perspective, a separate eligibility testing regime would actually be advantageous to WADA as it would mitigate WADA’s risk of non-compliance with data protection laws if an IF did not have authority to collect and use the doping control data in ADAMS for eligibility purposesFootnote 145 or if the IF committed a privacy breach due to the greater number of staff who require access to the data to monitor compliance with eligibility regulations.Footnote 146 This risk previously materialized for WADA when it was held responsible for a privacy breach involving ADAMS that arose from the hacking of two ADAMS user accounts associated with the IOC that were not properly overseen by WADA.Footnote 147

Lastly, with regard to the fifth and final factor, it is necessary to consider whether the loss of privacy that arises from WADA’s disclosure of doping control data in ADAMS for eligibility purposes is proportional to the benefits. As WADA does not have a legitimate or bona fide interest in disclosing doping control data for the purpose of enabling IFs to administer sex-based eligibility regulations, there are no clear benefits to WADA and certainly no benefits that would outweigh the loss of privacy experienced by athletes. The loss of privacy experienced by athletes is considerable. Although the data at issue is already collected and used for anti-doping purposes, the data takes a different form in the context of sex-based eligibility regulations. In the anti-doping context, there are no consequences for an intersex athlete with naturally-occurring high testosterone levels or a trans woman athlete with certain testosterone levels from gender-affirming hormone therapy permitted under a therapeutic use exemption. However, in the eligibility context, the data could be used to subject intersex and trans women athletes to embarrassing and intrusive physical examinations, exclude them from competing in international events, and force them to disclose their status as intersex or trans. As further explained below in Sect. 3.2.2, such outcomes could cause significant harms to an athlete, including humiliation, damage to reputation or relationships, and loss of business or professional opportunities.

In summary, WADA’s disclosure of doping control data to an IF for the purpose of the IF’s administration of sex-based eligibility regulations violates subsection 5(3) of PIPEDA as the disclosure is not directed to a legitimate or bona fide interest of WADA, and any benefit that WADA obtains from the disclosure is disproportionate to the loss of privacy for intersex and trans women athletes.

3.2.2 “No-Go Zones”

Further support for the above conclusion may be found by considering the Privacy Commissioner of Canada’s guidance on the types of purposes that would generally be considered inappropriate by a reasonable person, and therefore violate subsection 5(3) of PIPEDA. The Privacy Commissioner has described these types of inappropriate purposes as “no-go zones” and they are informed by past investigative findings, consultations with stakeholders, and focus groups with individuals across Canada.Footnote 148 Two types of no-go zones are relevant to this paper.

The first type of no-go zone that is relevant is data processing that results in inferences being made about individuals with a view to profiling or categorizing them in ways that could lead to discriminatory treatment contrary to human rights law or unfair or unethical treatment.Footnote 149 The Privacy Commissioner has stated that profiling or categorizing that leads to discrimination in violation of human rights law will always be inappropriate under subsection 5(3) of PIPEDA, whereas a case-by-case assessment is required for unfair or unethical treatment.Footnote 150

As discussed earlier, the sex-based eligibility regulations of several IFs require the collection and use of data relating to an athlete’s serum testosterone levels. Intersex and trans women athletes with testosterone levels above certain thresholds are required to reduce their testosterone levels in order to be eligible to compete internationally in the female category for a specific sport, discipline, or event. Athletes are therefore determined to be eligible (or ineligible) based primarily on their serum testosterone levels, which can lead to discriminatory, unfair, or unethical treatment. The discriminatory nature of sex-based eligibility regulations has been recognized by legal scholars,Footnote 151 human rights specialists,Footnote 152 and adjudicators.Footnote 153 For example, in the aforementioned case of Dutee Chand, the CAS panel concluded that World Athletics’ eligibility regulations for female athletes with hyperandrogenism were discriminatory in violation of applicable human rights laws.Footnote 154 More recently, in the case of Caster Semenya concerning the eligibility regulations of World Athletics for intersex athletes (which replaced the aforementioned hyperandrogenism regulations), the European Court of Human Rights found that there were well-substantiated and credible arguments that the regulations were discriminatory, and was unable to conclude that there was an objective and reasonable justification for such discrimination.Footnote 155 Although these adjudicative findings of discrimination were specific to eligibility regulations that applied to intersex athletes, the findings were based, in part, on the lack of scientific evidence or scientific consensus that intersex athletes with endogenous testosterone levels above a certain threshold (and who experience a material androgenizing effect from such testosterone) have a performance advantage over other female athletes that ought to exclude intersex athletes from the women’s competition category to ensure a level playing field.Footnote 156 A similar lack of scientific evidence or consensus exists to justify the exclusionary aspects of eligibility regulations that apply to trans women athletes—such as the ineligibility of those who have transitioned after male puberty or who have transitioned prior to male puberty but whose testosterone levels are not below certain thresholds.Footnote 157 As a result, a strong argument can be made that eligibility regulations for trans women athletes, as they exist today, also violate the right to non-discrimination in human rights laws.Footnote 158

Even in the absence of an adjudicative finding that a particular IF’s eligibility regulations for intersex or trans women athletes are discriminatory, a case-by-case assessment reveals that the regulations lead to unfair and unethical treatment that ought to render any related data processing inappropriate. An oft-cited example of this unfairness is that the eligibility regulations primarily focus on one biological trait (i.e., testosterone) as contributing to sport performance, while ignoring other biological factors (e.g., height, weight) or social factors (e.g., financial resources, access to nutrition and training) that also impact sport performance.Footnote 159 This disproportionate emphasis on testosterone also leads to ethical concerns. Eligibility regulations effectively require intersex and trans women athletes to maintain their testosterone levels below certain thresholds through medical interventions, such as oral contraceptives or gonadotropin-releasing hormone agonists (in the case of intersex athletes) and testosterone suppression via gender-affirming hormone therapy or gonadectomy (in the case of trans athletes).Footnote 160 These medical interventions have been found to be unethical in relation to intersex athletes who have no medical need to reduce their naturally-occurring testosterone,Footnote 161 and potentially dangerous for trans women athletes who may require their testosterone levels to be above an allowable threshold to maintain overall health.Footnote 162

The second type of no-go zone that is relevant is data processing for purposes that are known or likely to cause significant harm to an individual.Footnote 163 Canada’s Privacy Commissioner has interpreted “significant harm” to include bodily harm, humiliation, damage to reputation or relationships, and loss of business or professional opportunities.Footnote 164 All of these harms can be experienced by intersex and trans women athletes when attempting to comply with eligibility regulations. In the case of intersex athletes, bodily harm can result from reducing testosterone levels with medications that are medically unnecessary, provide no therapeutic value, and can have harmful physical side effects.Footnote 165 As noted above, bodily harm can also be experienced by trans women athletes if they are required to maintain their testosterone levels below arbitrary thresholds that are not evidence-based.Footnote 166 Humiliation and damage to reputation can be experienced by intersex and trans women athletes due to a relentless focus on their gender and sex characteristics that can make them targets of verbal abuse, stigmatization, marginalization, and bullying.Footnote 167 Further, the regulations may require athletes to undergo invasive physical examinations to assess their degree of virilization.Footnote 168 Athletes, human rights specialists, advocacy groups, and adjudicators, have described such examinations as degrading, humiliating, and capable of inflicting psychological harm.Footnote 169 Finally, a loss of business and professional opportunities will arise if an athlete is unable to comply with the regulations and becomes ineligible to compete in their particular sport, discipline or event at the international level.Footnote 170

In summary, WADA’s disclosure of doping control data in ADAMS to an IF for the purpose of the IF’s administration of sex-based eligibility regulations is a no-go zone that is prohibited under subsection 5(3) of PIPEDA.

3.3 Meaningful consent

Under PIPEDA, the valid legal grounds for the processing of personal information are circumscribed. Organizations must generally obtain an individual’s consent in order to process the individual’s personal information.Footnote 171 In order for consent to be valid under PIPEDA, it must satisfy several key requirements relating to voluntariness, knowledge, and format. First, consent must be provided voluntarily without coercion, such as a threat of disciplinary measures for those who do not consent.Footnote 172 Second, an individual must have knowledge of the nature, purpose and consequences of the data processing to which they are consenting.Footnote 173 This requires organizations to inform data subjects about what personal information is being collected, to which parties the personal information is being disclosed, the purposes for which the personal information is being processed, and the risks of harm that might arise from the data processingFootnote 174—specifically, residual risks of harm that remain after the organization has applied mitigation measures to minimize the occurrence and impact of potential harms.Footnote 175 Third, the format of an individual’s consent must be explicit, and not implied, if the personal information is sensitive, the personal information is being processed outside the reasonable expectations of the individual, or the processing of the personal information creates a meaningful residual risk of significant harm.Footnote 176

WADA does not appear to comply with the above requirements when disclosing doping control data in ADAMS to an IF for the purpose of the IF’s administration of sex-based eligibility regulations. This non-compliance stems from WADA’s delegation of responsibility to IFs (and other anti-doping organizations) to obtain the consent of athletes for the processing of their personal data for anti-doping and other purposes.Footnote 177 As noted in Sect. 2, during the sample collection process, anti-doping organizations are required to record an athlete’s acknowledgement of the processing of their personal data for anti-doping purposes.Footnote 178 WADA provides a template doping control form for this purpose,Footnote 179 along with instructions to anti-doping organizations for modifying and completing the form to reflect their data processing activities (including using doping control data for eligibility purposes).Footnote 180 Arguably, this process does not comply with the requirements in PIPEDA for obtaining valid consent, which makes WADA’s disclosure of doping control data in ADAMS to IFs for sex-based eligibility purposes unlawful for not having a valid legal basis.

With respect to the first requirement for valid consent (voluntariness), WADA’s reliance on the doping control form to obtain consent is inherently flawed. The form provides an “all or nothing” proposition for an athlete to either consent to the processing of their personal data for anti-doping purposes and an IF’s additional purpose of administering sex-based eligibility regulations, or not consenting at all, which may result in an anti-doping violation. The threat of an anti-doping rule violation is a coercive measure that vitiates the athlete’s consent to the processing of their personal data for the purpose of administering sex-based eligibility regulations.Footnote 181

With respect to the second requirement for valid consent (knowledge), WADA does not appear to be satisfying its obligations as it is relying solely on IFs to provide the necessary information regarding the use of doping control data for eligibility purposes without adequate oversight. The Privacy Commissioner of Canada has held that, in the context of disclosures of personal data from one organization to a third party, the disclosing organization may, in appropriate circumstances, rely on consent obtained by the third party.Footnote 182 However, the disclosing organization relying on consent obtained by the third party must take reasonable measures to ensure that the third party is obtaining knowledgeable and meaningful consentFootnote 183—which requires communicating the purposes of the data processing and the residual risks of harm that may result from the data processing. Reasonable measures include requiring the third party to provide this information to data subjects and auditing the third party’s compliance with that requirement. There are strong grounds to believe that WADA is not engaging in such measures. First, there is no contractual obligation in the WADC, the International Standards, or WADA’s Terms of Use for ADAMS that requires IFs to provide this information to athletes. Instead, only non-binding guidance is provided through the instructions for using WADA’s optional template doping control form. WADA’s guidance is also under-inclusive as it does not direct IFs to communicate the harms that may result from using doping control data to administer sex-based eligibility regulations.Footnote 184 Second, even if such contractual obligations existed, there is reason to doubt WADA’s enforcement of them. In a previous investigation of WADA that was conducted by Canada’s Privacy Commissioner, it was found that WADA did not have sufficient contractual arrangements with anti-doping organizations to audit their access to ADAMS and ensure their compliance with security and privacy policies.Footnote 185 While it is possible that WADA has since improved its oversight of anti-doping organizations, the privacy policies of some IFs indicate that they are not providing this information to athletes and are not even purporting to rely on the legal ground of consent to use doping control data for sex-based eligibility purposes.Footnote 186

In regard to the third key requirement for valid consent under PIPEDA (form of consent), WADA is not ensuring that the doping control form obtains an athlete’s explicit consent to the use of their doping control data for eligibility purposes. Explicit consent, and not implied consent, is required based on the factors described above. More specifically, the doping control data stored in ADAMS is highly sensitive health information as it includes data about an athlete’s blood parameters.Footnote 187 Further, athletes would not reasonably expect that doping control data would be used for unrelated purposes, including administering eligibility regulations that are not based on anti-doping rule violations. Finally, the use of doping control data to administer sex-based eligibility regulations could lead to the significant risks of harm previously discussed in Sect. 3.2.2 of this paper.

The explicit consent of athletes to the use of their doping control data for sex-based eligibility purposes is not being obtained through WADA’s doping control form because athletes do not have a clear option to grant or withhold consent without refusing to participate in the sample collection process altogether. In other words, by participating in the sample collection process, athletes are presumed to have read the privacy statement included in the form and to have consented to data processing for secondary purposes unrelated to anti-doping. In contrast, consent to data processing for anti-doping research purposes is obtained in the doping control form with checkboxes that allow an athlete to clearly and explicitly grant or withhold consent, without impacting their participation in (and compliance with) the doping control process. Moreover, if neither checkbox is checked by the athlete, then it is assumed that the athlete does not consent to the use of their personal data for anti-doping research.Footnote 188

To summarize, WADA is not complying with its obligations under PIPEDA to obtain meaningful consent to disclose doping control data in ADAMS to an IF for the purpose of the IF’s administration of sex-based eligibility regulations. WADA is relying on IFs to obtain this consent through the doping control form, with inadequate direction and oversight. In the absence of an athlete’s meaningful consent, WADA’s disclosure to an IF would not be based on a valid legal ground and would be unlawful under PIPEDA. While WADA could take corrective actions to ensure that IFs are obtaining the meaningful consent of athletes, WADA’s disclosure would still be for an inappropriate purpose for the reasons stated in Sect. 3.2, and therefore WADA would remain non-compliant with PIPEDA.

3.4 Complaints, investigations, and enforcement

There are robust investigative, administrative law, and judicial processes in Canada that would allow athletes to hold WADA accountable for violating the principle of lawfulness under PIPEDA when disclosing doping control data to an IF for the purpose of the IF’s administration of sex-based eligibility regulations.

Any individualFootnote 189 may file a written complaint with the Office of the Privacy Commissioner (OPC) against an organization for violating the appropriate purpose and consent requirements in PIPEDA.Footnote 190 The individual does not need to have a particular legal standing to make the complaint, such as being the individual whose privacy rights have been violated.Footnote 191 As a result, in the context of a complaint against WADA, the complainant could be an athlete, a coach, or an individual representing an athlete advocacy organization. However, before filing a complaint against an organization with the OPC, an individual is encouraged to first contact the organization to try to resolve their concerns,Footnote 192 as a failure to do so may result in the Privacy Commissioner declining to conduct an investigation into the complaint.Footnote 193 Accordingly, it would be advisable for an athlete or other complainant to first raise their privacy concerns with WADA before filing a formal complaint with the OPC.

If an investigation of a complaint against WADA is commenced by the OPC, then the Commissioner and their investigatorsFootnote 194 have broad powers to gather information, including the power to issue summonses to compel persons to give oral or written evidence under oath and to produce records, and the power to enter the premises of an organization to examine or obtain copies of records relevant to the investigation.Footnote 195 For example, in a 2016 investigation into a privacy breach involving ADAMS, the OPC exercised its powers to obtain documentation and representations from WADA, conduct a site visit at WADA’s headquarters in Montreal, and interview legal, administrative and technical personnel employed by WADA and employees of the IOC.Footnote 196

If an investigation of WADA revealed that a complaint is substantiated or well-founded, then the Commissioner would issue a report to the complainant and WADA that includes the Commissioner’s findings and recommendations for WADA’s compliance with PIPEDA.Footnote 197 If the complainant disagreed with certain findings or recommendations of the Commissioner regarding WADA, then they could apply to the Federal Court of Canada for a hearing of the matter.Footnote 198 The Commissioner’s recommendations could be accompanied by a request that WADA notify the Commissioner, by a specified deadline, of actions taken or proposed to be taken by WADA to implement the recommendations in the Commissioner’s report.Footnote 199 Alternatively, the recommendations of the Commissioner could be agreed to by WADA in a voluntary compliance agreement under which WADA agrees to adopt certain remedial measures.Footnote 200 WADA and Canada’s Privacy Commissioner entered into such a voluntary compliance agreement following the 2016 investigation noted above.Footnote 201

If WADA failed to comply with the recommendations in the Commissioner’s report or in a voluntary compliance agreement, then the Commissioner could apply to the Federal Court of Canada for an order mandating WADA’s compliance with PIPEDA or the voluntary compliance agreement, as the case may be.Footnote 202 The Federal Court could also award damages to the complainant, including damages for any humiliation that the complainant has suffered.Footnote 203 This judicial remedy is particularly relevant in light of the harms described above in Sect. 3.2.2 that may arise from WADA’s disclosure of doping control data to IFs for sex-based eligibility purposes.

3.5 Implications for WADA

If Canada’s Privacy Commissioner concludes that WADA is violating the principle of lawfulness under PIPEDA, then WADA would be ordered to stop disclosing doping control data through ADAMS to an IF for the purpose of the IF’s administration of sex-based eligibility regulations. WADA could comply with this direction by amending the WADC, the International Standards, and the Terms of Use for ADAMS to explicitly prohibit an IF from collecting doping control data through ADAMS for sex-based eligibility purposes. The rationale for this corrective action is that, if there is no collection of data through ADAMS for eligibility purposes, then there is no disclosure of data by WADA for eligibility purposes that violates PIPEDA. Importantly, this corrective action would not restrict an IF from accessing ADAMS for anti-doping purposes. It would also not prevent an IF from collecting doping control data outside of ADAMS for eligibility purposes (e.g., collecting anti-doping analytical results directly from a laboratory), as WADA would not be disclosing the data in this scenario. However, this corrective action may still present a risk of non-compliance with PIPEDA for WADA as it may be difficult to ensure that an IF’s use of doping control data for eligibility purposes arises solely from its collection of data outside of ADAMS, if the IF is still collecting data through ADAMS for anti-doping purposes. If the data used by the IF for eligibility purposes is collected from ADAMS, then that collection is for eligibility purposes and WADA is implicated as the disclosing organization. WADA would need to implement certain security safeguards in ADAMS to ensure that data collected through the system is not used for sex-based eligibility purposes, and then monitor compliance with those safeguards. Alternatively, WADA could amend the WADC and the International Standards to explicitly prohibit the use of doping control data to administer sex-based eligibility regulations, regardless of whether that use of data occurs through or outside of ADAMS. Such a prohibition would be consistent with the WADC prohibition on using an athlete’s whereabouts information for purposes other than anti-doping activities,Footnote 204 and may be more attractive to WADA from a risk management perspective.

4 EU’s GDPR

As noted above, PIPEDA applies to private organizations that process personal data in Canada in relation to commercial activities. However, no IFs are established or routinely operate in Canada, and an IF’s data processing for eligibility purposes does not relate to a commercial activity within the meaning of PIPEDA.Footnote 205 As a result, in order to assess an IF’s compliance with the privacy principle of lawfulness when it uses doping control data to administer sex-based eligibility regulations (whether through or outside of ADAMS), other data protection laws must be considered. Of these other data protection laws, the EU’s GDPR may be the most significant and relevant due to its broad territorial applicationFootnote 206 and its protection of personal data as an inalienable fundamental right.Footnote 207

The application of the GDPR to IFs in this context is particularly important if a complaint against WADA under PIPEDA does not result in WADA restricting IFs from using doping control data for the purpose of administering sex-based eligibility regulations. Such an outcome may arise if, as noted above, WADA is only required to cease disclosing doping control data through ADAMS to IFs for sex-based eligibility purposes, but IFs are still allowed to collect and use the data outside of ADAMS for eligibility purposes.

4.1 Application of GDPR

The GDPR was passed by European Parliament and the Council of the EU on April 27, 2016, came into force on May 25, 2018,Footnote 208 and had the effect of repealing and replacing the 1995 Directive.Footnote 209 The GDPR has broad territorial scope. It applies to the processing of personal data by organizationsFootnote 210 with establishmentsFootnote 211 in the EU, regardless of whether the processing takes place in the EU. The GDPR also applies to the processing of personal data of data subjects who are in the EU by an organization not located in the EU, where the processing relates to the offering of goods and services to such data subjects or the monitoring of their behaviour in the EU.Footnote 212 Accordingly, the GDPR applies to IFs with establishments in the EU that have sex-based eligibility regulations,Footnote 213 as well as IFs with establishments outside of the EU that apply sex-based eligibility regulations to athletes who reside in or compete at international competitions hosted in the EU.Footnote 214

4.2 Valid Legal Grounds Under GDPR

Similar to PIPEDA, the GDPR codifies several key privacy law principles, including the principle of lawfulness.Footnote 215 Under the GDPR, the principle of lawfulness requires organizations to have a valid legal ground when processing personal data—specifically, one or more of the valid legal grounds set out in the GDPR.Footnote 216 The lawfulness of data processing for anti-doping purposes by WADA and other anti-doping organizations has received considerable attention under the GDPR by the European Data Protection Board (EDPB),Footnote 217 and has influenced anti-doping privacy policies and processes, including WADA’s ISPPPI.Footnote 218 While concerns about the lawfulness of data processing for anti-doping activities under the GDPR remain,Footnote 219 it bears repeating that the lawfulness asserted by WADA and other anti-doping organizations is specific to the anti-doping context. As a result, the valid legal grounds in the GDPR that are relied upon to process personal data for anti-doping purposes do not necessarily apply to the use of doping control data to administer sex-based eligibility regulations.

As already explained, the doping control data used to administer sex-based eligibility regulations includes sensitive health information about an athlete. The GDPR prohibits an organization from processing such sensitive data, unless a valid ground set out in article 9(2) of the GDPR applies.Footnote 220 Importantly, the valid legal grounds set out in article 9(2) of the GDPR are narrower and more conditional than the valid legal grounds set out in article 6 of the GDPR that apply to the processing of non-sensitive personal data. With respect to article 9(2) of the GDPR, only two valid legal grounds are theoretically applicable to an IF’s use of doping control data to administer sex-based eligibility regulations:Footnote 221 (1) where the data subject has given explicit consent to the data processing, except where EU member state law does not permit this, and (2) where the data processing is necessary for reasons of substantial public interest, on the basis of EU or EU member state law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and interests of data subjects.

4.2.1 Explicit Consent

With respect to the ground of explicit consent, recital 43 of the GDPR provides that, in cases where a clear imbalance exists between an organization and data subject, it is unlikely that consent can be freely given, and therefore consent should not provide a valid legal ground for the processing of personal data. This principle is directly applicable to the relationship between an athlete and their IF. An IF has monopolistic authority to make eligibility determinations for a sport, discipline, or event at the international level and an athlete is required to abide by those determinations.Footnote 222 An IF exercises authority over eligibility matters through regulations made by its internal decision-making bodies that are not comprised of adequate athlete representation, are not democratically accountable to athletes, and do not meaningfully consult with athletes.Footnote 223 Due to these factors, there is an unmistakable and significant power imbalance between an IF and an athlete that ought to deter an IF from seeking to rely on the legal ground of explicit consent to use doping control data for eligibility purposes, and ought to vitiate any (coerced) consent provided by an athlete.Footnote 224

Even if one were to accept the proposition that an IF could rely on the legal ground of explicit consent to use doping control data for sex-eligibility purposes, it does not appear that IFs are meeting the requirements for valid explicit consent. For example, if IFs are seeking an athlete’s explicit consent through doping control forms, then such consent is not valid for many of the reasons previously discussed in Sect. 3.3. The GDPR principle of granularity of consent supports this conclusion. This principle provides that an organization should not use a process for obtaining consent that does not allow a data subject to tailor their consent to the organization’s different data processing operations.Footnote 225 In other words, where an organization is seeking a data subject’s consent for multiple data processing activities, the data subject should have the ability to consent to some data processing operations but not others.Footnote 226 The template doping control form that IFs are encouraged to use does not respect the principle of granularity as the form does not allow athletes to make separate decisions about granting or withholding consent for data processing related to anti-doping activities and eligibility activities.Footnote 227

To the extent that IFs are seeking the explicit consent of athletes through means other than the doping control form, such as entry agreements for international competitions, the requirements for explicit consent under the GDPR may still not be met. It is not uncommon for an IF to require athletes seeking to participate in an international competition to sign an entry agreement that, among other things, requires the athlete to comply with the IF’s anti-doping rules that are incorporated by reference in the agreement. If the anti-doping rules describe the IF’s use of doping control data to monitor compliance with sex-based eligibility regulations,Footnote 228 then an entry agreement that incorporates by reference those anti-doping rules would become a method to obtain the athlete’s explicit consent. The GDPR does not permit this type of contractual practice because the consent that is sought for the data processing (which is for eligibility purposes) is unrelated to the performance of the contract (which is for anti-doping purposes), and thus the consent is not considered to have been given freely.Footnote 229

4.2.2 Substantial Public Interest on the Basis of EU or National Law

With respect to the second relevant ground for processing sensitive data (i.e., a substantial public interest on the basis of EU or national law), IFs are also unable to rely on this ground to use doping control data to administer sex-based eligibility regulations. This ground could be applicable if EU or EU member state law authorized or required an IF to process sensitive personal data for certain purposes, “subject to the provision of suitable privacy and data protection safeguards and based on a substantial national public interest.”Footnote 230 While such laws may exist in the form of national anti-doping laws,Footnote 231 they are specific to data processing for anti-doping purposes and would not apply to data processing for other purposes, such as administering sex-based eligibility regulations. No EU or EU member state law specifically authorizes an IF to use doping control data for the purpose of administering sex-based eligibility regulations.Footnote 232 Even if such a law exists, it is difficult to imagine how it would satisfy the other requirements in article 9(2) of the GDPR—specifically, be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and interests of data subjects.Footnote 233 This conclusion is based on the reasons already discussed in Sect. 3.2.2 regarding the harms that ought to render the use of doping control data for sex-based eligibility purposes inappropriate (and therefore unlawful) under PIPEDA.

4.3 Enforcement of GDPR

Like Canada, the EU has a comprehensive legal framework for enforcing the GDPR that could be used by a complainant to challenge an IF’s use of doping control information to administer sex-eligibility regulations. However, the territorial application of the GDPR across EU member states presents some unique enforcement considerations.

The GDPR is enforced by independent national data protection authorities (DPAs) in EU member states,Footnote 234 as well as national courts.Footnote 235 A DPA is specifically tasked with handling and investigating complaints lodged by a data subject and informing the complainant of the progress and outcome of an investigation.Footnote 236 A DPA has many of the same investigative and administrative law powers as Canada’s Privacy Commissioner. For example, a DPA has broad investigative powers to gather information, including the power to compel an organization to provide information and the power to access the premises of an organization or its data processing equipment.Footnote 237 DPAs also have corrective powers to issue warnings, reprimands and orders to an organization to ensure compliance with the GDPR, including bans on the processing of personal data.Footnote 238 DPAs can also bring legal proceedings in court to seek judicial assistance with the enforcement of the GDPR.Footnote 239 If a complainant disagrees with the legally binding decision of a DPA,Footnote 240 they have a right under the GDPR to an effective judicial remedy against the DPA in the national courts of the member state where the DPA is established, Footnote 241 which is similar to the rights of complainants under PIPEDA.

Unlike Canada’s Privacy Commissioner, DPAs are authorized to issue administrative fines against organizations that violate the GDPR.Footnote 242 There are two tiers of fines: for less severe infringements the fine is up to €10M or 2% of the organization’s worldwide revenue from the preceding financial year, whichever is higher; and, for more serious infringements (including not having a valid legal ground to process sensitive personal data, or not complying with conditions for consent), the fine can be up to €20M, or 4% of the organization’s worldwide annual revenue from the preceding financial year, whichever is higher.Footnote 243 Such a significant fine, if levied, would have a considerable general deterrent effect on IFs that violate the GDPR when processing personal data to administer sex-based eligibility regulations.

Where a complaint based on the GDPR relates to data processing that affects data subjects in more than one EU member state (which is likely to be the case for complaints against the data processing activities of an IF), the DPA where the organization has its establishment leads the investigation in cooperation with other affected DPAs.Footnote 244 If the organization’s establishment is outside of the EU (e.g., Switzerland), but is otherwise subject to the GDPR due to the nature of its data processing activities, then the location of the affected data subjects in EU member states determines which DPA has jurisdiction to conduct an investigation, and may result in multiple DPAs having jurisdiction.Footnote 245 A DPA’s investigation takes place under national procedural rules and the broad framework set out in the GDPR.Footnote 246 In the case of an investigation involving multiple DPAs, if the DPAs are unable to reach consensus on the application of the GDPR in relation to the complaint, then the GDPR provides for dispute resolution by the EDPB.Footnote 247

An investigation of an IF’s use of doping control data to administer sex-based eligibility regulations across EU member states has the potential to become unwieldy due to the number of DPAs involved. However, this concern may be addressed in several ways to ensure that an investigation of an IF proceeds expeditiously and has a timely enforcement outcome. First, provisional measures could be issued by a single DPA to stop the processing of personal information of data subjects within its territory.Footnote 248 Second, if a DPA believes that the competent DPA in a member state where an IF has its establishment (if applicable) has not taken an appropriate measure in a situation where there is an urgent need to act in order to protect the rights and freedoms of data subjects, then the first DPA may request an urgent opinion or an urgent binding decision from the EDPB. Third, a more streamlined and efficient investigation and enforcement process may be on the horizon due to a new regulation proposed by the European Commission to establish procedural rules for DPAs when applying the GDPR in more than one member state.Footnote 249

4.4 Implications for IFs

If the enforcement of the GDPR results in an IF no longer being able to use doping control data to administer sex-based eligibility regulations, then the IF may respond in one of several ways. First, the IF may decide to revoke its eligibility regulations if it believes it does not have sufficient data to implement and enforce the maximum serum testosterone thresholds in the regulations. Second, an IF may decide to amend its eligibility regulations by removing the serum testosterone thresholds and replacing them with alternative eligibility criteria. If the amended eligibility criteria are more restrictive than what they are today (e.g., criteria that results in the exclusion of all intersex and trans women athletes, regardless of their testosterone levels), then an athlete would be able to bring a discrimination claim to challenge such rules and the IF may have a difficult time justifying the discrimination as necessary, reasonable, and proportionate based on current scientific evidence.Footnote 250 Finally, an IF may decide to maintain its existing eligibility regulations and establish a testing regime that is separate and apart from the anti-doping system to collect the serum testosterone levels of intersex and trans women athletes. However, if this occurs, then athletes should continue to use the GDPR and other applicable data protection laws to challenge the IF’s data processing on the basis that it violates the principle of lawfulness. It is likely that the data processing would continue to violate the principle of lawfulness in the GDPR as the valid legal ground of explicit consent would remain unavailable due to the power imbalance between the IF and athletes, and because no EU law or EU member state law that meets the requirements in article 9(2) of the GDPR authorizes data processing for sex-based eligibility purposes.

5 Conclusion

An IF’s determination of the eligibility of intersex and trans women athletes for international competition that is based primarily on serum testosterone levels (and their androgenizing effect on the body) has the ability to violate several human rights, including the right to non-discrimination, the right to bodily integrity, and the right to information privacy. A handful of athletes have sought to enforce these human rights by commencing arbitration at CAS and litigation proceedings that challenge eligibility determinations and the regulations upon which they are based, with some success.Footnote 251 While the effect of these legal challenges on the recent proliferation of eligibility regulations adopted by IFs is not yet known,Footnote 252 it will likely be necessary for intersex and trans women athletes to continue pursuing legal remedies grounded in human rights to ensure their eligibility to compete. One aspect of the right to information privacy that may be leveraged by athletes is the right to have one’s personal information processed lawfully based on a valid legal ground. This principle of lawfulness is embedded in many data protection laws and could be used as a tool to challenge the implementation of sex-based eligibility regulations, alongside other legal tactics, such as a claim of discrimination.

The sex-based eligibility regulations of several IFs provide that an IF may use doping control data to monitor intersex and/or trans women athletes’ compliance with maximum serum testosterone thresholds prescribed in the regulations. The use of such doping control data has been facilitated by WADA through its WADC, International Standards, and web-based doping control database (ADAMS), with apparent disregard for the principle of lawfulness under applicable data protection laws, such as PIPEDA and the GDPR.

When an IF accesses doping control data in ADAMS for the purpose of administering its sex-based eligibility regulations, there is a disclosure of the data by WADA as the controller or custodian that manages ADAMS. This disclosure is subject to Canada’s PIPEDA and appears to violate PIPEDA’s requirements for disclosing personal data only for an appropriate purpose and with a data subject’s meaningful consent—both of which are expressions of the principle of lawfulness. A complaint about WADA’s disclosure practices could be made by an athlete or other individual to Canada’s Privacy Commissioner for investigation and for administrative law remedies that would require WADA to cease the data disclosures, and possibly require WADA to amend the WADC and International Standards to explicitly prohibit the use of doping control data (whether that use occurs through or outside of ADAMS) to administer sex-based eligibility regulations.Footnote 253 Financial compensation for the harms caused by WADA’s violation of PIPEDA could also be sought by an athlete in Canada’s Federal Court.

The EU’s GDPR is another data protection law that could be used to challenge the use of doping control data to monitor compliance with sex-based eligibility regulations. Unlike PIPEDA, the GDPR applies to IFs that have an establishment in the EU, as well as IFs with establishments outside of the EU that process the personal data of athletes who reside in or compete at international competitions hosted in the EU. With respect to the principle of lawfulness, the GDPR provides that an organization can only process certain types of sensitive personal data, such as health information, on valid legal grounds that are narrow and conditional. However, none of these valid legal grounds appear to authorize an IF’s use of doping control data to administer sex-based eligibility regulations.

A complaint about an IF’s data processing activities could be made by an athlete to a DPA for investigation and for administrative law remedies, including the imposition of a fine and an order requiring the IF to cease using the doping control data to administer sex-based eligibility regulations. However, if the IF’s data processing involves data subjects in multiple EU member states, then additional DPAs would need to be involved in any investigation and enforcement outcome.

The use of data protection laws, such as PIPEDA and the GDPR, to challenge the implementation of sex-based eligibility regulations would strongly reinforce that the right to information privacy is a fundamental human right that must be respected by international sport organizations. One of the advantages of data protection laws, compared to other sources of human rights,Footnote 254 is that they provide a mechanism to contest the practices of international sport organizations before national privacy regulators, instead of using arbitration at CAS. This is significant in light of concerns that CAS does not have the capacity to adequately address human rights violations in sport due to its structural and procedural limitations.Footnote 255 Accordingly, athletes and other sport stakeholders ought to consider the use of data protection laws to challenge the practices of international sport organizations in matters beyond sex-based eligibility regulations.