Statutory provision as a legal base for data transfers to third countries for anti-doping purposes, under EU and German law

Abstract

Whenever (national) anti-doping organisations ((N)ADOs) based in the European Union (EU) wish to transfer personal data related to athletes to their partners in “third countries” (countries outside the EU), a set of specific and exacting legal requirements must be met. One of these requirements is the demonstration of a valid legal base. While a previous article focussed on the use of consent, this article weighs the advantages and drawbacks of statutory provision, under EU and German law.

This is a preview of subscription content, access via your institution.

Notes

  1. 1.

    Kornbeck (2017a).

  2. 2.

    Ibid., pp. 68–69, for a justification of the choice of Germany.

  3. 3.

    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). OJ L 119, 4.5.2016, pp. 1–88.

  4. 4.

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, pp. 31–50.

  5. 5.

    Ministry of Health, Welfare and Sport [The Netherlands] (2016).

  6. 6.

    T.M.C. Asser Instituut (2010), Houlihan and Garcia (2012), Parzeller et al. (2009), Sloot et al. (2017), pp. 52–56.

  7. 7.

    Mortsiefer (2010), Nolte (2010a, b), Niewalda (2011), Lambertz (2015), Neuendorf (2015), Herber (2017).

  8. 8.

    Flueckiger (2008).

  9. 9.

    For an example of an otherwise well-informed contribution by a US legal author, erroneously purporting that “the right to personal data protection is not set out in any EU treaty, but is considered important when compared ‘to its function in society’”, see Goodman (2018).

  10. 10.

    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). OJ L 119, 4.5.2016, pp. 1–88.

  11. 11.

    For an exposition of typical US views (which may, however, be challenged by some US voices), see Whitman (2004). For a solid empirical demonstration of the influence of European (in opposition to US) data privacy standards outside Europe, by an Australian legal scholar, see Greenleaf (2012).

  12. 12.

    See WP29: Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC. Adopted on 9 April 2014. WP 217. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf, p. 16; Sloot et al. (2017), p. 84; discussed in Kornbeck (2017a, b). EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf, pp. 8–10.

  13. 13.

    Self-reported by Finland and the UK, see Sloot et al. (2017), p. 72. But note also—apart from the caveats referred to in the previous footnote, that “to assess the validity of a contract in the context of [Art. 6(1)(b) GDPR], civil law requirements will have to be taken into account”. Ibid., p. 83.

  14. 14.

    The abbreviation “MS” is set within square brackets “[MS]” whenever the expression “Member State(s)” appears within a quotation set between quotation markets. This is to ensure that the abbreviation is used consistently within the paper, while also recognising that it was not used in the text quoted.

  15. 15.

    See e.g. Art. 14.5 WADC: “WADA shall act as a central clearinghouse for Doping Control Testing data and results, including, in particular, Athlete Biological Passport data for International-Level Athletes and National-Level Athletes and whereabouts information for Athletes including those in Registered Testing Pools. To facilitate coordinated test distribution planning and to avoid unnecessary duplication in Testing by various Anti-Doping Organizations, each Anti-Doping Organization shall report all In-Competition and Out-of-Competition tests on such Athletes to the WADA clearinghouse, using ADAMS or another system approved by WADA, as soon as possible after such tests”. Ibid., Introduction, p. 16: Each Signatory shall establish rules and procedures to ensure that all Athletes or other Persons under the authority of the Signatory and its member organizations consent to the dissemination of their private data as required or authorized by the Code, and are bound by and compliant with Code anti-doping rules, and that the appropriate Consequences are imposed on those Athletes or other Persons who are not in conformity with those rules have been conducted. This information will be made accessible, where appropriate and in accordance with the applicable rules, to the Athlete, the Athlete’s National Anti-Doping Organization and International Federation, and any other Anti-Doping Organizations with Testing authority over the Athlete”.

  16. 16.

    Supra, 2.1.

  17. 17.

    Anti-Doping Convention. Strasbourg, 16.11.1989. European Treaty Series—No. 135. https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=090000168007b0e0.

  18. 18.

    International Convention against Doping in Sport 2005. Paris, 19 October 2005. http://portal.unesco.org/en/ev.php-URL_ID=31037&URL_DO=DO_TOPIC&URL_SECTION=201.html.

  19. 19.

    “In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or [MS] law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. Recital 40 GDPR.

  20. 20.

    “Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the [MS] concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights”. Recital 41 GDPR.

  21. 21.

    Simitis (2011), p. 502, at 19.

  22. 22.

    For an early example of his scholarship, see Simitis (1984).

  23. 23.

    Simitis (2011), p. 502, at 19.

  24. 24.

    Anti-Doping-Gesetz (AntiDopG): Gesetz zur Bekämpfung von Doping im Sport vom 10. Dezember 2015. BGBl. I, Nr. 5, 17.12.2015, S. 2210–2217.

  25. 25.

    See Opinion of AG Mengozzi, 1 February 2018, in Tietosuojavaltuutettu v Jehovan todistajat—uskonnollinen yhdyskunta (Request for a preliminary ruling from the Korkein hallinto-oikeus (Finland)). Case C-25/17. ECLI:EU:C:2018:57.

  26. 26.

    Judgment of the Court (Second Chamber) of 20 December 2017. Peter Nowak v Data Protection Commissioner (Request for a preliminary ruling from the Supreme Court). Case C-434/16. Published in the electronic Reports of Cases (Court Reports—general). ECLI:EU:C:2017:994.

  27. 27.

    For a comparison, see Swire et al. (2012), pp. 34–44; Sloot (2018), pp. 63–136.

  28. 28.

    Greenleaf (2012, 2018).

  29. 29.

    Opinin of AG Bot, 24 October 2017 in Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig–Holstein v Wirtschaftsakademie Schleswig–Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht (Request for a preliminary ruling from the Bundesverwaltungsgericht (Federal Administrative Court, Germany)), ECLI:EU:C:2017:796, sec. 137 (1).

  30. 30.

    Ibid, sec. 137 (2).

  31. 31.

    Ibid, sec. 137 (3).

  32. 32.

    Ibid, sec. 137 (3).

  33. 33.

    Anti-Doping-Gesetz (AntiDopG): Gesetz zur Bekämpfung von Doping im Sport vom 10. Dezember 2015. BGBl. I, Nr. 5, 17.12.2015, S. 2210–2217.

  34. 34.

    LfD & ULD (2014).

  35. 35.

    For a discussion of the system of bans, and of the implications, see Kornbeck (2013).

  36. 36.

    E.g. Schültke (2016).

  37. 37.

    Advocated by Sumner (2017) but opposed by Kornbeck and Kayser (2018), as well as by HM Government (2017).

  38. 38.

    Wedde (2011), pp. 151–152.

  39. 39.

    “The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or [MS] law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. […]”.

  40. 40.

    “Personal data shall be […] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation')”.

  41. 41.

    “Personal data shall be […] adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘Data Minimisation’)”.

  42. 42.

    Zu dem sich die Bundesregierung im Gesetzesentwurf ausdrücklich bekannt hat, vgl. Deutscher Bundestag (2015), p. 38. See also Frenzel in Paal et al. (2018), sec. 38: “Mit dem Grundsatz der Datenminimierung korrespondieren Regelungen der DS-GVO wie das Recht auf Einschränkung der Verarbeitung, Art. 18. Allerdings ist die Bindung an diesen Grundsatz nicht von der Geltendmachung eines Rechts des Betroffenen abhängig; der Grundsatz gilt wie die anderen objektiv und ist von Vornherein zu beachten”.

  43. 43.

    Nakashima and Warrick (2013): “Rather than look for a single needle in the haystack, [the] approach was, ‘Let’s collect the whole haystack’”.

  44. 44.

    Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. OJ L 105, 13.4.2006, p. 54–63.

  45. 45.

    Joined cases C-293/12 (Digital Rights Ireland) and C-594/12 (Seitlinger), at 65.

  46. 46.

    Translation J.K.

  47. 47.

    LfD & ULD (2014).

  48. 48.

    See WP29: Opinion 2/2017 on data processing at work. Adopted on 8 June 2017. WP249. http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169, p. 3: “[…] employers should always bear in mind the fundamental data protection principles, irrespective of the technology used; the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications; consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence; performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity; employees should receive effective information about the monitoring that takes place; and any international transfer of employee data should take place only where an adequate level of protection is ensured”.

  49. 49.

    Cf. Gola et al. (2015), pp. 115–116. See also WP29: Opinion 8/2001 on the processing of personal data in the employment context. Adopted on 13 September 2001. WP 48. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2001/wp48_en.pdf, p. 3.

  50. 50.

    As a rule, under the highly decentralised rules and structures of Germany, for this type of data processing operations the DPA in charge can be assumed to be that of one of the 16 states (Länder). In the case of transfers from the servers of the main seat if the German NADO, this would mean the DPA of the state of North Rhine-Westphalia.

  51. 51.

    2002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539). OJ L 2, 4.1.2002, pp. 13–16.

  52. 52.

    But note the outspoken language of WP29, taking stock of the Schrems judgment and insisting on “full implementation”: WP29 (2016) Opinion 4/2016, p. 3: “In particular, the Working Party 29 regrets that the Commission has not carried out an in-depth assessment of the conditions under which public authorities in the third countries concerned access personal data transferred on the basis of the relevant decisions on adequacy. In this context, the WP29 notes that the current decisions on adequacy concern, in particular, the level of protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act, as well as countries including Switzerland, Argentina, the State of Israel, the Eastern Republic of Uruguay and New Zealand. In order to ensure their compliance with the fundamental rights to respect for private life and protection of personal data, the Working Party 29 insists that the draft decisions on adequacy must assess whether public authorities of these third countries responsible for national security, law enforcement or other public interests do not interfere with the rights of individuals to privacy and to protection of their personal data beyond what is strictly necessary, and that there is effective legal protection against such interferences”. (Emphasis added: J.K.).

  53. 53.

    2000/518/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland (notified under document number C(2000) 2304) (Text with EEA relevance.). OJ L 215, 25.8.2000, pp. 1–3.

  54. 54.

    European Data Protection Supervisor (EDPS): Opinion 2/2015. Opinion on the EU–Switzerland agreement on the automatic exchange of tax information. https://edps.europa.eu/data-protection/our-work/publications/opinions/eu-switzerland-agreement-automatic-exchange-tax_en, at 17: “[…] we are critical of the envisaged possibility to use the information for additional purposes, when this is possible under the laws of the supplying jurisdiction and there is the authorization of the competent authority of such jurisdiction. We consider that the problem is not so much that alternative uses are possible in the supplying jurisdiction as the fact that, in application of this provision, alternative uses become possible in the receiving jurisdiction, in a way which is potentially harmful to individual rights”.

  55. 55.

    Ibid., at 18: “[…] purpose elasticity restricts the individual rights to protection of personal data, as the purpose for data processing should be specified, explicit and legitimate and disclosed ex ante to the data subject. Further processing for additional purposes may only take place if such purposes are compatible with the original purpose (Article 6 of the Data Protection Directive)”.

  56. 56.

    Thus the press released published in English: Federal Data Protection and Information Commissioner (FDPIC): Combating doping in sport and personal data transfers abroad [2013]. https://www.edoeb.admin.ch/dokumentation/00153/01073/01080/index.html?lang=en. Also note the very explicit language used in the French-language annual report 2012-13: « Le service qui envoie les données ne doit transmettre aucune donnée qui impliquerait une violation des droits de la personnalité, notamment si l’organisme destinataire ne peut garantir une protection des données suffisante. La protection est réputée suffisante lorsque le pays destinataire dispose d’un niveau suffisant de protection des données ou si une réglementation contractuelle est prévue. » (PFPDT 2013, 26) « La nouvelle loi fédérale sur l’encouragement du sport et de l’activité physique (LESp) règle sous le titre ‘Mesures de lutte contre le dopage’, la saisie, le traitement et l’échange de données personnelles dans le cadre de la lutte contre le dopage. » (ibid., 27) « Par contre, la nouvelle loi n’a pas simplifié l’exigence visant à assurer qu’un niveau de protection des données adéquat existe dans l’Etat destinataire lors des livraisons de données. Au contraire, l’article 25 alinéa 4 LESp dit clairement qu’une communication des données doit être refusée lorsque le destinataire n’assure pas un niveau de protection des données adéquat. Cette disposition réitère ainsi la règle générale de la loi fédérale sur la protection des données et précise que même la lutte justifiée contre le dopage ne doit pas mener à une situation mettant en danger la protection de la personnalité des personnes concernées. Nous avons informé les associations qui nous ont contactées que, même avec la nouvelle LESp, le niveau de protection des données devait être assuré par des dispositions contractuelles et que des accords avec l’AMA dans ce sens devaient donc être conclus, respectivement maintenus ». (ibid., 28).

  57. 57.

    See the numerous references to ADAMS in the WADC and International Standards.

  58. 58.

    Supra (n 18).

  59. 59.

    WADA: July 26, 2004. WADA signs agreement for development of Clearinghouse computer system. ADAMS System to Facilitate Worldwide Testing Coordination. https://www.wada-ama.org/en/media/news/2004-07/wada-signs-agreement-for-development-of-clearinghouse-computer-system.

  60. 60.

    CJEU, Judgment of the Court of 19 February 2002. J. C. J. Wouters, J. W. Savelbergh and Price Waterhouse Belastingadviseurs BV v Algemene Raad van de Nederlandse Orde van Advocaten, intervener: Raad van de Balies van de Europese Gemeenschap. Reference for a preliminary ruling: Raad van State—Netherlands. Case C-309/99. ECR 2002 I-01577. ECLI:EU:C:2002:98, at 97–110.

  61. 61.

    CJEU, Judgment of the Court (Third Chamber) of 18 July 2006. David Meca-Medina and Igor Majcen v Commission of the European Communities. Case C-519/04 P. ECR 2006 I-06991. ECLI:EU:C:2006:492, at 40.

  62. 62.

    Deutscher Bundestag (2015), p. 7.

  63. 63.

    Deutscher Bundestag (2015), p. 53. (Translation: J.K.).

  64. 64.

    See e.g. CJEU, Judgment of the Court (Grand Chamber) of 8 April 2014. Digital Rights Ireland Ltd (C-293/12) v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung (C-594/12) and Others. References for a preliminary ruling: High Court Ireland, Verfassungsgerichtshof Austria. Joined cases C-293/12 and C-594/12. ECLI:EU:C:2014:238. Judgment of the Court (Second Chamber) of 19 October 2016. Patrick Breyer v Bundesrepublik Deutschland. Request for a preliminary ruling from the Bundesgerichtshof. Case C-582/14. ECLI:EU:C:2016:779.

  65. 65.

    Deutscher Bundestag (2015), p. 38.

  66. 66.

    Deutscher Bundestag (2015), p. 38: “Die NADA wird ihre Möglichkeiten nutzen, damit dem Schutz von Gesundheitsdaten bei der Übermittlung an Verbände und Veranstalter mit Sitz im Ausland Rechnung getragen wird, ohne dass dabei die Vorgaben des WADC verletzt werden. Dies kann z. B. dadurch erfolgen, dass die NADA besonders sensible Kategorien von Gesundheitsdaten nicht im automatisierten Datenverarbeitungssystem der WADA speichert, sondern lediglich auf der Basis bilateraler Vereinbarungen mit dem jeweiligen Verband oder Veranstalter mit Sitz im Ausland an diese übermittelt”.

  67. 67.

    For the authoritative voice of a retired federal constitutional judge, see Steiner (2016). See also the summary of discussions, between various high-ranking legal experts, at a meeting convened in Bonn, by the Federal Ministry of the Interior (in charge of sport, inter alia), during the preparatory phase prior to the tabling oft he anti-doping bill: Bundesministerium des Innern (2013).

  68. 68.

    Jahn (2018).

  69. 69.

    See the initial optimism of Hecker (2017).

  70. 70.

    Landgericht Köln, 8. Große Strafkammer, Beschluss v. 10.01.2019; Az. 108 KLs 17/18, unofficial publication in the journal Sport & Recht (SpuRt), 2, 2019, pp. 83–84.

  71. 71.

    Comments to the Proposed EU Data Protection Regulation. Agenda Item # 5.1. Attachment 1. (undated WADA meeting table document) http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-DO%20-%20Item_5_1_Attach_1_WADA_Comments_to_DP_Regulation-EU_Presidency_FINAL.pdf.

  72. 72.

    dpa (2012), EOC EU Office (2015).

  73. 73.

    Kuschewsky (2014), p. 261.

  74. 74.

    dpa (2012), EOC EU Office (2015).

  75. 75.

    CJEU, Judgment of the Court (Grand Chamber) of 9 November 2010. Volker und Markus Schecke. GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen. References for a preliminary ruling: Verwaltungsgericht Wiesbaden—Germany. Joined cases C-92/09 and C-93/09. ELR 2010 I-11063. ECLI:EU:C:2010:662, at 48…

  76. 76.

    See Docksey (2014, 2016).

  77. 77.

    CJEU, Judgment of the Court (Grand Chamber) of 29 June 2010. European Commission v The Bavarian Lager Co. Ltd. Case C-28/08 P. ELR 2010 I-06055. ECLI:EU:C:2010:378.

  78. 78.

    GAFAM: Google, Apple, Facebook, Amazon, Microsoft. A variety of alternatives exist, sometimes includes company names like Yahoo, Twitter, LinkedIn, while the Chinese equivalent is sometimes referred to as BATX: Baidu, Alibaba, Tencent, Xiaomi.

  79. 79.

    CJEU, Judgment of the Court (Grand Chamber) of 13 May 2014. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González. Reference for a preliminary ruling: Audiencia Nacional—Spain. Case C-131/12. ECLI:EU:C:2014:317.

  80. 80.

    CJEU, Judgment of the Court (Grand Chamber) of 6 October 2015. Maximillian Schrems v Data Protection Commissioner. Request for a preliminary ruling from the High Court (Ireland). Case C-362/14. ECLI:EU:C:2015:650.

  81. 81.

    WP29: Opinion 04/2014 on surveillance of electronic communications for intelligence and national security purposes. Adopted on 10 April 2014. WP 215. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp215_en.pdf, p. 3.

  82. 82.

    WP29: Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees). Adopted on 13 April 2016. WP 237. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2016/wp237_en.pdf, p. 6.

  83. 83.

    Ibid., p. 12.

  84. 84.

    Judgment of the Court (Second Chamber) of 19 October 2016. Patrick Breyer v Bundesrepublik Deutschland. Request for a preliminary ruling from the Bundesgerichtshof. Case C-582/14. ECLI:EU:C:2016:779, at 27–28. Ibid., at 64: “[…] Article 7(f) of Directive 95/46 must be interpreted as meaning that it precludes the legislation of a Member State under which an online media services provider may collect and use personal data relating to a user of those service, without his consent, only in so far as the collection and use of that information are necessary to facilitate and charge for the specific use of those services by that user, even though the objective aiming to ensure the general operability of those services may justify the use of those data after consultation of those websites”.

  85. 85.

    “To illustrate the breadth of UEFA's testing work, in the 2015/16 season, 2242 samples were collected within the framework of the EURO 2016 testing programme, and a total of 2542 samples were collected by UEFA in its other club and national team competitions. UEFA’s doping controls are all conducted by UEFA’s own doping control officers (DCOs), a group of 55 medical doctors from 27 different countries. New DCOs follow UEFA’s in-depth training programme, while all DCOs undergo regular auditing to ensure improvements where necessary in the quality of doping controls, and a uniformly high standard of procedure”. Last updated: 15/07/17 13.31CET. See Anti-doping. Last updated: 05/10/15 14.05CET, http://www.uefa.org/protecting-the-game/anti-doping/.

  86. 86.

    Deutscher Bundestag (2014), p. 23.

  87. 87.

    Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. OJ L 119, 4.5.2016, pp. 89–131.

  88. 88.

    Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. OJ L 119, 4.5.2016, pp. 132–149.

  89. 89.

    Judgment of the Court (Second Chamber) of 19 October 2016. Patrick Breyer v Bundesrepublik Deutschland. Request for a preliminary ruling from the Bundesgerichtshof. Case C-582/14. ECLI:EU:C:2016:779.

  90. 90.

    Judgment of the Court (Grand Chamber) of 8 April 2014. Digital Rights Ireland Ltd (C-293/12) v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung (C-594/12) and Others. References for a preliminary ruling: High Court—Ireland, Verfassungsgerichtshof—Austria. Joined cases C-293/12 and C-594/12. ECLI:EU:C:2014:238, at 65.

  91. 91.

    “Die Übermittlung von Daten an staatliche Stellen im Ausland unterliegt den allgemeinen verfassungsrechtlichen Grundsätzen von Zweckänderung und Zweckbindung. Bei der Beurteilung der neuen Verwendung ist die Eigenständigkeit der anderen Rechtsordnung zu achten. Eine Übermittlung von Daten ins Ausland verlangt eine Vergewisserung darüber, dass ein hinreichend rechtsstaatlicher Umgang mit den Daten im Empfängerstaat zu erwarten ist”. BVerfG, Urteil des Ersten Senats vom 20. April 2016—1 BvR 966/09—Rn. (1-29), Leitsätze, Rdnr. 3.

  92. 92.

    See SIS II Supervision Coordination Group: A Guide for exercising the right of access. Issued in October 2014—Updated in October 2015, https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Cooperation/Large_IT_systems/SIS/15-10-12_SIS_II_GUIDE_OF_ACCESS_UPDATED_2015_EN.pdf.

  93. 93.

    Sloot et al. (2017).

  94. 94.

    Ibid., p. 24.

  95. 95.

    Ibid., p. 72: “Most NADOs mentioned consent as a legal basis for processing personal data [Austria, Estonia, Spain, Finland, Croatia, Netherlands, Poland]. In [Austria] and [the Netherlands], it was noted that consent was currently the sole basis relied upon, although in both Member States, legislation is anticipated which will provide explicitly for the processing by the NADO in the public interest. In the other Member States where consent was mentioned, other bases were also mentioned. 2 NADOs (UK, [Finland]) mentioned as a possible legal basis the necessity of the performance of a contract to which the data subject is party (corresponding to Art 6(1)(b) [performance of a contract] GDPR). However, both also mentioned other grounds. Compliance with a legal obligation was mentioned by several NADOs [Cyprus, Estonia, Spain, Poland], although [Cyprus] was the only NADO referring to this as the only possible basis. No NADO mentioned a legal basis corresponding to (d) [vital interest of the data subject]”.

  96. 96.

    Ibid., p. 72 (Austria); infra, 4.1.

  97. 97.

    T.M.C. Asser Instituut (2010), Houlihan and Garcia (2012), Parzeller et al. (2009), Sloot et al. (2017), pp. 52–56.

  98. 98.

    Sloot et al. (2017), p. 72.

  99. 99.

    Ibid., p. 62.

  100. 100.

    Ibid., p. 65: “Slightly over half of the MS refer to the data protection regulation as a framework within which anti-doping has to take place. Most Member States have transposed the core provisions relevant for the processing of athletes' personal data for anti-doping purposes without significant material differences. This in particular concerns the requirements regarding processing ground and its elements (e.g. consent, vital interest, public interest), sensitive personal data, data regarding minors, and transfer of personal data to third countries. The regulation at the level of the Member States is mostly silent about the legal foundation for the processing of personal data in the context of anti-doping. The general provisions (based on/referring to art. 7 DPD and art. 6 WADA IPPPI) are often mentioned, but which concrete processing ground is deemed appropriate or legitimate for the processing of personal data regarding athletes is lacking in most cases”.

  101. 101.

    § 2, Lov om fremme af dopingfri idræt. Lov nr 1438 af 22/12/2004, https://w0.dk/~chlor/www.retsinformation.dk/lov/l11948.html.

  102. 102.

    2010 No. 1955. The Serious Organised Crime and Police Act 2005 (Disclosure of Information by SOCA) Order 2010. 2nd August 2010. https://www.legislation.gov.uk/ukdsi/2010/9780111490945/contents.

  103. 103.

    Serious Organised Crime and Police Act 2005 (c. 15). https://www.legislation.gov.uk/ukpga/2005/15/contents.

  104. 104.

    See also Report of a Privacy Impact Assessment conducted by UK Anti-Doping in relation to Personal Information disclosed to it by the Serious Organised Crime Agency. Final 15 January 2010. http://www.ukad.org.uk/resources/document-download/privacy-impact-assessment/.

  105. 105.

    Data Protection Bill [HL] 13 December 2017 Volume 787, https://hansard.parliament.uk/lords/2017-12-13/debates/9622571E-8F1E-43F8-B018-C409A3129553/DataProtectionBill(HL), Column 1557, Lord Moynihan (Con): “The second point is the principle of strict liability. All athletes are solely responsible for any banned substance, regardless of how it got there or whether or not it was the intention of an athlete to cheat. Under the anti-doping programme, you are effectively guilty until proven innocent. The fact that athletes have to adhere to those two requirements of data management makes it incumbent on this House to ensure that the situation under which someone could be tested, or under which UKAD can operate, is very clearly defined in the Bill. Regrettably, I do not believe that it is at the moment”. […] “The wording in the Bill is very broad; I argue that it is too broad. We need UKAD to provide some clarity and interpretation and the Secretary of State to come forward with subsequent secondary legislation to set out the powers and responsibilities of UKAD and its relationship with the governing bodies”.

  106. 106.

    Faber and Sjerps (2009).

  107. 107.

    Apart from the fact that David Davis chose to sue HM Government together with a Labour MP, Tom Watson, it also is not without irony that the main plaintiff had, by the time this prejudicial matter was adjudicated by the CJEU, become the UK Secretary of State for Exiting the European Union, in the media known as the “Brexit Secretary”, while the Home Secretary whose legislation he had challenged (together with a Labour MP and a rather centre-left NGO) had meanwhile become Prime Minister of the UK. At least Mr Davis thereby provided an edifying illustration of the positive power of the EU to protect citizens’ fundamental rights and freedoms from intrusive and arbitrary governmental surveillance. That Mr Davis had meanwhile chosen to lead the UK’s exit from the EU cannot undo his determination to use EU law to quash a piece of legislation originating from his own political party (“Ye shall know them by their fruits” (Matthew 7:16-20)?), a role which from Mr Davis later chose to resign, to join the Conservative backbenchers.

  108. 108.

    Data Retention and Investigatory Powers Act 2014 c.27. https://services.parliament.uk/bills/2014-15/dataretentionandinvestigatorypowers/documents.html.

  109. 109.

    See Order of the President of the Court, 1 February 2016, In Case C-698/15, in the proceedings Secretary of State for the Home Department v David Davis, Tom Watson, Peter Brice, Geoffrey Lewis, intervening parties: Open Rights Group, Privacy International, The Law Society of England and Wales. ECLI:EU:C:2016:70. Adjudicated by: Judgment of the Court (Grand Chamber), 21 December 2016, In Joined Cases C‑203/15 and C‑698/15, Tele2 Sverige AB (C‑203/15) v Post- och telestyrelsen, and Secretary of State for the Home Department (C‑698/15) v Tom Watson, Peter Brice, Geoffrey Lewis, interveners: Open Rights Group, Privacy International, The Law Society of England and Wales. ECLI:EU:C:2016:970.

  110. 110.

    . BVerfG, Urteil des Ersten Senats vom 20. April 2016. 1 BvR 966/09. http://www.bverfg.de/e/rs20160420_1bvr096609.html.

  111. 111.

    Judgment of the Court (Second Chamber) of 19 October 2016. Patrick Breyer v Bundesrepublik Deutschland. Request for a preliminary ruling from the Bundesgerichtshof. Case C-582/14. ECLI:EU:C:2016:779.

  112. 112.

    Bundesgesetz über die Bekämpfung von Doping im Sport (Anti-Doping-Bundesgesetz 2007—ADBG 2007) (Bundesrecht konsolidiert: Gesamte Rechtsvorschrift für Anti-Doping-Bundesgesetz 2007, Fassung vom 20.02.2018).

  113. 113.

    Murphy (2013).

  114. 114.

    International Convention against Doping in Sport 2005. Paris, 19 October 2005. http://portal.unesco.org/en/ev.php-URL_ID=31037&URL_DO=DO_TOPIC&URL_SECTION=201.html.

  115. 115.

    “§ 1. (1) Doping widerspricht durch die Beeinflussung der sportlichen Leistungsfähigkeit sowohl dem Grundsatz der Fairness im sportlichen Wettbewerb als auch dem wahren, mit dem Sport ursprünglich verbundenen Wert (Sportsgeist) und kann außerdem der Gesundheit schaden. Das von der UNESCO angenommene Internationale Übereinkommen gegen Doping im Sport, BGBl. III Nr. 108/2007, (in der Folge: UNESCO-Übereinkommen) verpflichtet Österreich die in diesem Übereinkommen vorgesehenen Maßnahmen im Kampf gegen Doping insbesondere auch durch Datenaustausch zwischen den Anti-Doping-Organisationen zu unterstützen. Die in diesem Bundesgesetz normierten Maßnahmen und Datenverarbeitungen von personenbezogenen Daten dienen der Umsetzung dieser völkerrechtlichen Verpflichtung und liegen daher im öffentlichen Interesse”. (Emphasis added, J.K.).

  116. 116.

    International Convention against Doping in Sport 2005. Paris, 19 October 2005. http://portal.unesco.org/en/ev.php-URL_ID=31037&URL_DO=DO_TOPIC&URL_SECTION=201.html, Article 3: “In order to achieve the purpose of the Convention, States Parties undertake to: (a) adopt appropriate measures at the national and international levels which are consistent with the principles of the Code”, Ibid., Article 4(2): “The Code and the most current version of Appendices 2 and 3 are reproduced for information purposes and are not an integral part of this Convention. The Appendices as such do not create any binding obligations under international law for States Parties”. Ibid., Article 5: “In abiding by the obligations contained in this Convention, each State Party undertakes to adopt appropriate measures. Such measures may include legislation, regulation, policies or administrative practices”.

  117. 117.

    ECtHR, Fifth Section, 18 January 2018. Fédération Nationale des Syndicats Sportifs (FNASS) and Others v France. Joint cases 48151/11 and 77769/13. For a discussion, see Kornbeck (2018).

  118. 118.

    Ibid., at 54: “As the WADC is not binding on States because the instruments adopted by WADA are governed by private law, it was decided to draw up an international Convention in order to provide an internationally recognised legal framework allowing States to incorporate the Code into their domestic legislation. […]” Ibid., at 165: “The Court considers at the outset that the applicants have done nothing to demonstrate that efforts to combat doping are dictated by economic interests. […] As regards the first aim referred to, namely the protection of “health”, the Court observes, […] that this aim is enshrined in the relevant international instruments and that all the evidence in the file is consistent with that aim. The Council of Europe Convention […], the WADC […], the UNESCO Convention […] and the [French] Sports Code […] are unanimous in presenting efforts to combat doping as a health concern which the sporting world is seeking to address […]”. Ibid, at 179: “The Court thus observes that the gradual construction of anti-doping programmes has resulted in an international legal framework of which the WADC is the main instrument. It notes in that regard that the most recent revision of that Code, which was adopted in 2015, demonstrates a trend towards strengthening and intensifying doping controls that apply not only to the athletes in the testing pools […]”.

  119. 119.

    “Verfassungsbestimmung: Die Europäische Menschenrechtskonvention und das 1. Zusatzprotokoll sind gemäß BVG BGBl. Nr. 59/1964 mit Verfassungsrang ausgestattet”. See https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10000308.

  120. 120.

    For a discussion, see Waddington (2010).

  121. 121.

    “14. Meldesystem: Ein den Sportlern zur Wahrnehmung ihrer Meldepflichten zur Verfügung gestelltes, elektronisches Datenbankmanagementinstrument zur Verwendung dieser Daten entsprechend den Bestimmungen des Datenschutzgesetzes 2000 (DSG 2000), BGBl. I Nr.165/1999”;

  122. 122.

    “13. Meldepflichtversäumnis: Versäumnis eines Sportlers des Nationalen Testpools (§ 5), seine Daten zur Erreichbarkeit und zum Aufenthalt der Unabhängigen Dopingkontrolleinrichtung pflichtgemäß zu melden”;

  123. 123.

    The distinction data controller/data processor refers to the fact that, while one legal entity, the data controller (Art. 4(7) GDPR) will always be liable to data subjects for the processing of their data, this legal entity may (or may not) have chosen to outsource the relevant operations to another legal entity, the data processor (Art. 4(8) GDPR). However, in the given context it is not obvious why the ADBG would refer to the latter (which may not always exist) instead of to the former (which always exists).

  124. 124.

    “(6) Die Unabhängige Dopingkontrolleinrichtung, die Unabhängige Österreichische Anti-Doping Rechtskommission (§ 4a) und die Unabhängige Schiedskommission (§ 4b) gelten bei der Wahrnehmung ihrer Aufgaben nach diesem Gesetz als Auftraggeber im Sinne des § 4 Z 4 des Datenschutzgesetzes 2000—DSG 2000, BGBl. I Nr. 165/1999 (Verantwortliche gemäß Art. 4 Z 7 der Verordnung (EU) 2016/679 zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten, zum freien Datenverkehr und zur Aufhebung der Richtlinie 95/46/EG (Datenschutz-Grundverordnung), ABl. Nr. L 119 vom 4.5.2016 S. 1) und haben für die Einhaltung der Datenverwendungsgrundsätze sowie der Datensicherheitsmaßnahmen zu sorgen. Sie dürfen personenbezogene Daten verarbeiten, soweit dies für die wirksame Umsetzung der Anti-Doping-Regelungen des WADC erforderlich ist und die Betroffenen sich vertraglich zur Einhaltung des WADC verpflichtet haben; außerdem dürfen folgende Daten personenbezogen übermittelt werden”:

  125. 125.

    WP29: Opinion 8/2001 on the processing of personal data in the employment context. Adopted on 13 September 2001. WP 48. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2001/wp48_en.pdf, p. 3: “[…] where as a necessary and unavoidable consequence of the employment relationship an employer has to process personal data it is misleading if it seeks to legitimise this processing through consent. Reliance on consent should be confined to cases where the worker has a genuine free choice and is subsequently able to withdraw the consent without detriment”.

  126. 126.

    Judgment of the Court (Fourth Chamber) of 17 October 2013. Michael Schwarz v Stadt Bochum. Request for a preliminary ruling from the Verwaltungsgericht Gelsenkirchen. Case C-291/12. ECLI:EU:C:2013:670.17, at 32.

  127. 127.

    Gola, Klug, Körffer, Schomerus (2015), pp. 115–116.

  128. 128.

    “[…] die bei der Wahrnehmung der Aufgaben angefallenen personenbezogenen Daten, mit Ausnahme von Gesundheitsdaten, bei begründetem Ersuchen an Gerichte und Behörden, soweit die Daten für die Vollziehung der jeweiligen gesetzlich übertragenen Aufgaben eine wesentliche Voraussetzung bilden und die Übermittlung bundes- oder landesgesetzlich vorgesehen ist”;

  129. 129.

    “Analyseergebnisse von Dopingkontrollen, Entscheidungen in Anti-Doping-Verfahren und erteilte medizinische Ausnahmegenehmigungen (§ 8) an den jeweils zuständigen internationalen Sportfachverband und der WADA, soweit dies im WADC vorgesehen ist”;

  130. 130.

    “[…] der WADA auf begründeten Ersuchen alle Daten inklusive der personenbezogenen Gesundheitsdaten, die einer erteilten medizinischen Ausnahmegenehmigung gemäß § 8 zugrunde gelegt wurden, soweit dies im WADC vorgesehen ist”..

  131. 131.

    “Die Unabhängige Dopingkontrolleinrichtung hat ihre Aufgaben entsprechend der international anerkannten Standards in der Anti-Doping-Arbeit, insbesondere der Regelwerke der WADA, wahrzunehmen, soweit bundesgesetzliche oder unionsrechtliche Bestimmungen nicht entgegenstehen”..

  132. 132.

    For example, Entwurf eines Bundesgesetzes, mit dem das Anti-Doping-Bundesgesetz 2007 geändert wird. Stellungnahme des Datenschutzrates. 6. Oktober 2014. http://archiv.bundeskanzleramt.at/DocView.axd?CobId=57250.

  133. 133.

    Stellungnahme der Datenschutzbehörde zum do. Entwurf eines Bundesgesetzes, mit welchem ein Bundesgesetz betreffend die Förderung des Sports (Bundes-Sportförderungsgesetz 2017—BSFG 2017) erlassen und das Bundesgesetz über die Neuorganisation der Bundes-Sporteinrichtungen—BSEOG sowie das Anti-Doping-Bundesgesetz 2007—ADBG 2007 geändert werden; do. GZ S91017/2-ELeg/2017 (1). 11. Mai 2017. https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_11671/imfname_634992.pdf.

  134. 134.

    Sautner (2019).

  135. 135.

    See Van Dijk and Van de Beek (2017).

  136. 136.

    Wet van 26 September 2018, houdende regels tot uitvoering van het antidopingbeleid en tot instelling van de Dopingautoriteit (Wet uitvoering antidopingbeleid). https://wetten.overheid.nl/BWBR0041439/2019-01-01#Opschrift.

  137. 137.

    Ibid., Art. 6(2): “Voorts is de Dopingautoriteit ter uitvoering van haar wettelijke taken bevoegd tot:

    a. het verwerken van persoonsgegevens, waaronder gegevens over gezondheid;

    b. het verzamelen en verwerken van verblijfsgegevens van de topsportgroep; en

    c. het verstrekken van persoonsgegevens, waaronder gegevens over gezondheid, aan sportorganisaties ten behoeve van de uitvoering van het dopingcontroleproces”.

  138. 138.

    Ibid., Art. 6(3).

  139. 139.

    Ibid., Art. 12(1). The provision uses the present tense: “verstrekt”.

  140. 140.

    Ibid., Art. 12(1).

  141. 141.

    Ibid., Art. 12(2)(a).

  142. 142.

    Ibid., Art. 12(2)(b).

  143. 143.

    Ibid., Art. 12(3).

  144. 144.

    Ibid., Art. 12(4).

  145. 145.

    Ibid., Art. 12(5).

  146. 146.

    Ibid., Art. 12(6): “indien de persoonlijke levenssfeer van de betrokkenen daardoor onevenredig wordt geschaad”.

  147. 147.

    ECtHR, Fifth Section, 18 January 2018. Fédération Nationale des Syndicats Sportifs (FNASS) and Others v France. Joint cases 48151/11 and 77769/13. For a discussion, see Kornbeck (2018).

  148. 148.

    Art. 12(7)(a)–(b).

  149. 149.

    Art. 5(1)(b) GDPR. But note that for law enforcement services the Data Protection Law Enforcement Directive applies in conjunction with national legislation (see subsequent footnote).

  150. 150.

    Art. 4(2)(b) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. OJ L 119, 4.5.2016, pp. 89–131.

  151. 151.

    Art. 13(1) GDPR.

  152. 152.

    Art. 13(2) GDPR.

  153. 153.

    Anti-Doping Convention. Strasbourg, 16.XI.1989. ETS 135. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/135.

  154. 154.

    European Convention on Spectator Violence and Misbehaviour at Sports Events and in particular at Football Matches. Strasbourg, 19.VIII.1985. ETS 120. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/120. Council of Europe Convention on an Integrated Safety, Security and Service Approach at Football Matches and Other Sports Events. Saint-Denis, 03/07/2016. ETS 135. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/218.

  155. 155.

    Council of Europe Convention on the Manipulation of Sports Competitions. Magglingen, 18/09/2014. ETS 215. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/215.

  156. 156.

    ECtHR, 9 November 2017. Hentschel and Stark v Germany. Application no. 47274/15.

  157. 157.

    Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Strasbourg, 28/01/1981. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108.

  158. 158.

    Wood (2016).

  159. 159.

    See section 2.1 (supra).

  160. 160.

    CK Consulting & STICHTING VU-VUmc (2017), p. 8: “Public authorities: Include the prevention of manipulation of sports competitions in the possible exemptions for storage and exchange of data in data protection legislation and rules. […] Set up a legal framework governing data protection and data use for the national platforms. Set up Guidelines for all stakeholders within the national platform for disclosing information”.

  161. 161.

    For a discussion of the probability of inadvertent doping, see de Hon (2016), pp. 74–95. Ibid., p. 93: “The current system seems to be able to sieve out an approximate 60% of all identified cases. It should be a matter of further debate what the exact place of the other 40% of cases should be within the anti-doping framework”. Another recent Ph.D. thesis discussing the potential for “false positives” on numerous occasions is that of Kayser (2018).

  162. 162.

    Viret (2016), p. 318: “False positives—and their counterpart, false negatives—in their narrowest meaning are inherent in any methods of analytical detection, irrespective of a perfect compliance with procedures and good practices”.

  163. 163.

    Ibid., p. 322.

  164. 164.

    Ibid., p. 173.

  165. 165.

    See Kornbeck (2015a). This reticence might come as a surprise as one might expect SGBs and governments funding WADA and NADOs to insist on evidence that the system is working. In point of fact, the system’s efficiency has been met with serious challenges, including from some academics. For an economic perspective, see Maennig (2014). For a scientific perspective, see Hermann and Henneberg (2014).

  166. 166.

    Viret (2016) p. 322.

  167. 167.

    Ibid., p. 176.

  168. 168.

    Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. OJ L 119, 4.5.2016, pp. 89–131.

  169. 169.

    Kornbeck (2016).

  170. 170.

    International Standard for Code Compliance by Signatories (ISCCS). January 2018. https://www.wada-ama.org/sites/default/files/resources/files/isccs_april_2018_0.pdf.

  171. 171.

    Hecker (2017).

  172. 172.

    Bundesministerium des Innern (2013), 28–30, 50.

  173. 173.

    Ludwig (2015).

  174. 174.

    LfD & ULD (2011).

  175. 175.

    Lehner (2015).

  176. 176.

    Schültke (2016).

  177. 177.

    See Sumner (2017) and the references to proposals and other political signals contained in that paper.

  178. 178.

    dpa (2014).

  179. 179.

    Gesetz zum Schutz des olympischen Emblems und der olympischen Bezeichnungen vom 31. März 2004 (BGBl. I S. 479), das durch Artikel 5 Absatz 8 des Gesetzes vom 10. Oktober 2013 (BGBl. I S. 3799) geändert worden ist (OlympSchG).

  180. 180.

    § 1 Abs. 3 OlympSchG: “Die olympischen Bezeichnungen sind die Wörter ‚Olympiade‘, ‚Olympia‘, ‚olympisch‘, alle diese Wörter allein oder in Zusammensetzung sowie die entsprechenden Wörter oder Wortgruppen in einer anderen Sprache. (“The Olympic denominations are the words ‘Olympiade,’ ‘Olympia,’ ‘olympisch,’ all of these words individually or incorporated into corresponding words of groups of words in another language.”)

  181. 181.

    OLG München, Urteil vom 07.12.2017, Az. 29 U 2233/17.

  182. 182.

    Loi no. 2018-202 du 26 mars 2018 relative à l'organisation des jeux Olympiques et Paralympiques de 2024. JORF 72, 27 mars 2018, texte no. 1, https://www.legifrance.gouv.fr/jo_pdf.do?id=JORFTEXT000036742943.

  183. 183.

    For a recent example, suggesting that EU judges need “re-education”, see Bender (2016).

  184. 184.

    For a classic contribution setting out this US position, see Whitman (2004).

  185. 185.

    Swire et al. (2012), S. 34–45.

  186. 186.

    Greenleaf (2012).

  187. 187.

    Ibid., p. 92.

  188. 188.

    Kornbeck (2015b).

  189. 189.

    Koops (2014).

  190. 190.

    Kuner (2015).

  191. 191.

    Taylor (2015).

  192. 192.

    As early as in 1995, the state DPA of Berlin took action with regard to a BahnCard (railpass) offered by Citicorp in New York to the customers of Deutsche Bahn, as reported by Simitis (2011), 511, at 49.

  193. 193.

    Schaar (2015).

  194. 194.

    Simitis (2011), 125.

  195. 195.

    Kornbeck (2015a).

  196. 196.

    Moston et al. (2015), Efverström et al. (2016).

  197. 197.

    Ryan (2015).

  198. 198.

    Tokarski and Steinbach (2001).

  199. 199.

    WP29: Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive. Adopted by the Working Party on 24 July 1998. DG XV D/5025/98. WP 12. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/1998/wp12_en.pdf, p. 2: “These exemptions, which are tightly drawn, for the most part concern cases where risks to the data subject are relatively small or where other interests (public interests or those of the data subject himself) override the data subject’s right to privacy. As exemptions from a general principle, they must be interpreted restrictively. Furthermore, [MS] may provide in domestic law for the exemptions not to apply in particular cases. This might be the case, for example, where it is necessary to protect particularly vulnerable groups of individuals, such as workers or patients”. (Emphasis: J.K.).

  200. 200.

    WP29: Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995. Adopted on 25 November 2005. WP114. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp114_en.pdf, p. 7: “This exercise must be led by the rule that, as previously indicated by the Working Party in its working document WP12 mentioned above, the interpretation of Article 26(1) must necessarily be strict”. (Emphasis: J.K.)

  201. 201.

    Council of Europe (2001), p. 6, sec. 31: “The parties have discretion to determine derogations from the principle of an adequate level of protection. The relevant domestic law provisions must nevertheless respect the

    principle inherent in European law that clauses making exceptions are interpreted restrictively, so that the exception does not become the rule. Domestic law exceptions can therefore be made for a legitimate prevailing interest”. (Emphasis: J.K.)

  202. 202.

    For a German PhD thesis specifically addressing the juxtaposition of anti-doping requirements and individual fundamental rights, see Figura (2009).

  203. 203.

    See e.g. Duval (2016).

  204. 204.

    BGH: 7. Juni 2016—KZR 6/15. Nr. 97/2016 (Pechstein), Tenor, Punkt d).

  205. 205.

    Defined as “[the personality right] includes the authority of the individual to decide for himself, on the basis of the idea of self-determination, when and within what limits facts about his personal life shall be disclosed. The individual’s decisional authority needs special protection in view of the present and prospective conditions of automatic data processing”. BVerfGe 65,1; 1983 (Volkszählung), translation by Kommers and Miller (1997), p. 324.

  206. 206.

    “Even if such legislation does not permit retention of the content of a communication and is not, therefore, such as to affect adversely the essence of those rights […,] the retention of traffic and location data could nonetheless have an effect on the use of means of electronic communication and, consequently, on the exercise by the users thereof of their freedom of expression, guaranteed in Article 11 of the Charter”. CJEU, Case C203/15 and C698/15 Tele2 Sverige, 2016, at 101.

  207. 207.

    Judgment of the Court (Grand Chamber) of 6 October 2015. Maximillian Schrems v Data Protection Commissioner. Request for a preliminary ruling from the High Court (Ireland). Case C-362/14. ECLI:EU:C:2015:650, at 95.

  208. 208.

    Ibid., at 94: “In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”.

  209. 209.

    Concurring Opinion of Judge Pettiti in ECtHR, Malone v. the UK, case 8691/79 [1984] ECHR 10 (2 August 1984): “Telephone tapping has during the last 30 years benefited from many "improvements" which have aggravated the dangers of interference in private life. The product of the interception can be stored on magnetic tapes and processed in postal or other centres equipped with the most sophisticated material. The amateurish tapping effected by police officers or post office employees now exists only as a memory of pre-war novels. The encoding of programmes and tapes, their decoding, and computer processing make it possible for interceptions to be multiplied a hundredfold and to be analysed in shorter and shorter time-spans, if need be by computer. Through use of the "mosaic" technique, a complete picture can be assembled of the life-style of even the "model" citizen”.

  210. 210.

    Ibid.: “The work of the Council of Europe (Orwell Colloquy in Strasbourg on 2 April 1984, and Data Bank Colloquy in Madrid on 13 June 1984) has been directed towards the same end, namely the protection of the individual threatened by methods of storing and transmission of information. The mission of the Council of Europe and of its organs is to prevent the establishment of systems and methods that would allow "Big Brother" to become master of the citizen’s private life. For it is just as serious to be made subject to measures of interception against one’s will as to be unable to stop such measures when they are illegal or unjustified, as was for example the case with Orwell’s character who, within his own home, was continually supervised by a television camera without being able to switch it off. […] In 1950, techniques for interfering in private life were still archaic; the meaning and import of the term interference as understood at that time cannot prevail over the current meaning. Consequently, interceptions which in previous times necessitated recourse to tapping must be classified as "interferences" in 1984, even if they have been effected without tapping thanks to "bugging" and long-distance listening techniques”.

  211. 211.

    Judgment of the Court (Grand Chamber) of 13 May 2014. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González. Reference for a preliminary ruling: Audiencia Nacional—Spain. Case C-131/12. ECLI:EU:C:2014:317, at 97: On the fact that rights of the data subject override, as a rule, economic interests: “As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public by its inclusion in such a list of results, it should be held, as follows in particular from paragraph 81 of the present judgment, that those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question”.

  212. 212.

    For example, Subject: EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf.

  213. 213.

    Kornbeck (2017a).

  214. 214.

    According to sport law professor Marjan Olfers, athletes “have no freedom of choice. Any respectful organisation needs to have its regulations challenged again and again. Otherwise, it runs the risk of drifting away from its core objectives. There is currently too much tension between justice and efficiency”. See Ministry of Health, Welfare and Sport [The Netherlands] (2016).

  215. 215.

    WP29: Opinion 3/2008 on the World Anti-Doping Code Draft International Standard for the Protection of Privacy. Adopted on 1 August 2008. 1576-00-00-08/EN. WP 156. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2008/wp156_en.pdf. WP29: Second opinion 4/2009 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, on related provisions of the WADA Code and on other privacy issues in the context of the fight against doping in sport by WADA and (national) anti-doping organizations. Adopted on 6 April 2009. 0746/09/EN. WP 162. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2009/wp162_en.pdf. WP29: Contribution of the Article 29 Working Party to the 3rd stage of WADA's consultation in the context of the review of the World Anti-Doping Code and its International Standards—Ref. Ares(2013)289160—05/03/2013. https://ec.europa.eu/justice/article-29/documentation/other-document/files/2013/20130305_letter-to-wada_annex_en.pdf. WP29: Opinion 7/2014 on the protection of personal data in Quebec. Adopted on 4 June 2014. 14/EN. WP 219. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp219_en.pdf.

  216. 216.

    See WP29: Work programme 2016-2018 WP29 (2016) Work programme 2016-2018. Adopted on 2 February 2016. WP235. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2016/wp235_en.pdf, pp. 3–4.

  217. 217.

    WP29: Statement on the 2016 action plan. WP29 (2016) Statement on the 2016 action plan for the implementation of the General Data Protection Regulation (GDPR). Adopted on 2 February 2016. WP 236. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2016/wp236_en.pdf.

  218. 218.

    Cf. EOC EU Office (2015).

  219. 219.

    Judgment of the Court of 15 December 1995. Union royale belge des sociétés de football association ASBL v Jean-Marc Bosman, Royal club liégeois SA v Jean-Marc Bosman and others and Union des associations européennes de football (UEFA) v Jean-Marc Bosman. Case C-415/93. ECR 1995 I-04921. Judgment ECLI:EU:C:1995:463. Opinion ECLI:EU:C:1995:293.

  220. 220.

    Parensen (1998), pp…

  221. 221.

    Weatherill (2017), p…

  222. 222.

    Christopher Kuner interviewed by Marina Grushin: Top of Mind Interview. Excerpt from issue 67: Regulating Bug Tech Equity. 26 April 2018, http://www.kuner.com/my-publications-and-writing/untitled/kuner-goldman-sachs-intervi.pdf.

  223. 223.

    Opinion of the Court (Grand Chamber) of 26 July 2017. Opinion pursuant to Article 218(11) TFEU. ECLI:EU:C:2016:656.

  224. 224.

    As expressed by then-UEFA President in a 2007 Financial Times interview: “RB: And if the white paper effectively concludes ‘we don’t think we do this’, do you take your case to European leaders? MP: Yes, of course. I will fight. I will be in rebellion. You can’t kill the philosophy of 150 years of football, a social activity, because of a commissioner who has never played sport, because of the simple right that a sportsman is a worker. We have had millions of people who have been working for 100 years on that—and two people who will change everything? No, no, no”. (Blitz, 2007).

  225. 225.

    For an edifying example see Bender (2016).

  226. 226.

    European Data Protection Supervisor (EDPS) Opinion 4/2015. Towards a new digital ethics. Data, dignity and technology, https://edps.europa.eu/sites/edp/files/publication/15-09-11_data_ethics_en.pdf, p. 10.

  227. 227.

    Judgment of the Court (Grand Chamber) of 10 April 2018. Criminal proceedings against Uber France. Request for a preliminary ruling from the Tribunal de grande instance de Lille. Case C-320/16. ECLI:EU:C:2018:221.

  228. 228.

    [Central London Labour Tribunal] Case Numbers: 2202551/2015 & Others. Aslam v Uber BV [2016] EW Misc B68 (ET) (28 October 2016).

  229. 229.

    Kuner et al. (2017), p. 231.

  230. 230.

    Soros G (2018) Only the EU can break Facebook and Google's dominance. The Guardian, Thu 15 Feb 2018 15.31 GMT, https://www.theguardian.com/business/2018/feb/15/eu-facebook-google-dominance-george-soros.

  231. 231.

    Geeraert and Drieskens (2017).

  232. 232.

    García and Meier (2017).

  233. 233.

    See Padova (2019).

References

  1. Bender D (2016) Having mishandled safe harbor, will the CJEU do better with privacy shield? A US perspective. Int Data Privacy Law 6(2):117–138

    Google Scholar 

  2. Blitz R (2007) Platini: ‘we need to go where football has to go’. Financ Times. https://www.ft.com/content/ac3c4e0c-048a-11dc-80ed-000b5df10621. Accessed 20 May 2007

  3. Bundesministerium des Innern (2013) Bonn, den 10. Oktober 2013. Expertengespräch zur Dopinggesetzgebung am 26. September 2013 im Bundesministerium des Innern, Bonn. https://www.cycling4fans.de/fileadmin/user_upload/vermischtes/0_doping/2013_2014_Gesetz-Diskussion_Dokumente/2013_Bericht_BMI_Expertengespraech.pdf

  4. CK Consulting & STICHTING VU-VUmc (2017) The monitoring systems of sports betting and warning mechanisms between public and private actors. BETMONITALERT. HOME/2014/PPXX/AG/SPBX. May 2017. http://ethisport.com/wpcontent/uploads/sites/28/2017/06/Betmonitalert_Design-NB-DEF-2-06-2017.pdf

  5. de Hon O (2016) Striking the right balance. Effectiveness of anti-doping policies. Ph.D. thesis, Utrecht University. https://www.doping.nl/media/kb/4269/Thesis%20Olivier%20de%20Hon.pdf

  6. Deutscher Bundestag (2014) Das Dopingkontrollsystem in Deutschland. Rechtlich-regulative Grundlagen und Reformoptionen. WD 10—3000—084/14. https://www.bundestag.de/blob/410226/aa21e92fbf398877cb19faedb2be1809/wd-10-084-14-pdf-data.pdf. Accessed 03 Nov 2014

  7. Deutscher Bundestag (2015) Drucksache 18/4898. 13.05.2015. Gesetzentwurf der Bundesregierung. Entwurf eines Gesetzes zur Bekämpfung von Doping im Sport. http://dip21.bundestag.de/dip21/btd/18/048/1804898.pdf

  8. Docksey C (2014) Articles 7 and 8 of the EU charter: two distinct fundamental rights. In: Grosjean J (ed) Les enjeux européens et mondiaux de la protection des données personnelles. Larcier, Brussels, pp 63–89

    Google Scholar 

  9. Docksey C (2016) Four fundamental rights: finding the balance. Int Data Privacy Law 6(3):195–209

    Google Scholar 

  10. dpa (2012) WADA befürchtet Schaden durch EU-Datenschutzreform, 21.05.2012, 20:09 Uhr, dpa. http://www.t-online.de/sport/id_56593646/wada-befuerchtet-schaden-durch-eu-datenschutzreform.html

  11. dpa (2014) De Maizière: Anti-Doping-Gesetz gut für Olympia-Chancen. dpa—Mi., 12. Nov, https://de.nachrichten.yahoo.com/maizi%C3%A8re-anti-doping-gesetz-gut-f%C3%BCr-olympia-chancen-104816726.html

  12. Duval A (2016) The BGH’s Pechstein decision: a surrealist ruling. Asser Int Sports Law Blog. http://www.asser.nl/SportsLaw/Blog/post/the-bgh-s-pechstein-decision-a-surrealist-ruling. Accessed 8 June 2016

  13. Efverström A, Ahmadi N, Hoff D, Bäckström Å (2016) Anti-doping and legitimacy: an international survey of elite athletes’ perceptions. Int J Sport Policy Polit 8(3):491–514

    Google Scholar 

  14. EOC EU Office (2015) The EOC EU Office discusses the data protection reform with EU institutions. Created on Friday, 17 Apr 2015 00:00:00. http://www.euoffice.eurolympic.org/blog/eoc-eu-office-discusses-data-protection-reform-eu-institutions

  15. Faber K, Sjerps M (2009) Anti-doping researchers should conform to certain statistical standards from forensic science. Sci Justice 49(3):214–215

    Google Scholar 

  16. Figura L (2009) Doping: Zwischen Freiheitsrecht und notwendigem Verbot. Meyer & Meyer, Aachen

    Google Scholar 

  17. Flueckiger C (2008) Dopage, santé des sportifs professionnels et protection des données médicales. Schulthess, Geneva

    Google Scholar 

  18. García B, Meier HE (2017) Global sport power Europe? The efficacy of the European Union in global sport regulation. J Common Mark Stud 55(4):850–870

    Google Scholar 

  19. Geeraert A, Drieskens E (2017) Normative market Europe: the EU as a force for good in international sports governance? J Eur Integr 39(1):79–94

    Google Scholar 

  20. Gola P, Klug C, Körffer B, Schomerus R (2015) BDSG Bundesdatenschutzgesetz Kommentar, 12th edn. C.H.Beck, Munich

    Google Scholar 

  21. Goodman S (2018) A game changer in the personal data protection in the EU. Mich State Univ Int Law Rev. https://www.msuilr.org/msuilr-legalforum-blogs/2018/2/19/a-game-changer-in-the-personal-data-protection-in-the-eu. Accessed 29 Jan 2018

  22. Greenleaf G (2012) The influence of European data privacy standards outside Europe: implications for globalization of Convention 108. Int Data Privacy Law 2(2):68–92

    Google Scholar 

  23. Greenleaf G (2018) 2017–2018 Further update to Graham Greenleaf’s Asian data privacy laws—trade and human rights perspectives. Available at SSRN: https://ssrn.com/abstract=3285086. Accessed 15 Nov 2018

  24. Hecker A (2017) Anti-doping Gesetz. Strafbefehl für zwei Ringer. Frankfurter Allgemeine Zeitung. http://www.faz.net/aktuell/sport/mehr-sport/anti-doping-gesetz-strafbefehl-fuer-zwei-ringer-14613450.html. Accessed 11 Jan 2017

  25. Herber TJ (2017) Datenschutzrechtliche Grenzen des deutschen Dopingkontrollsystems Überprüfung der deutschen Anti-Doping Kontrollpraxis unter Berücksichtigung von Handlungsalternativen. Datenschutz und Datensicherheit (DuD) 41(12):735–739

    Google Scholar 

  26. Hermann A, Henneberg M (2014) Anti-doping systems in sports are doomed to fail: a probability and cost analysis. J Sports Med Doping Stud 4(5):1–12

    Google Scholar 

  27. HM Government, Department for Digital, Media, Culture and Sport (2017) Review of criminalisation of doping in sport. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/654240/Review_of_Criminalisation_of_Doping_in_Sport.pdf. Accessed Oct 2017

  28. Houlihan B, Garcia B (2012) The use of legislation in relation to controlling the production, movement, importation, distribution and supply of performance-enhancing drugs in sport (PEDS). Loughborough University: WADA-UNESCO. http://www.wada-ama.org/Documents/World_Anti-Doping_Program/WADP-Legal_Library/National_Legislation/UNESCO-Legislative-Research-Report-FINAL.pdf. Accessed 1 Aug 2019

  29. Jahn M (2018) Wir haben alles. Außer Strafverfahren. Erste Praxiserfahrungen mit der Rundumstrafbarkeit nach dem Anti-Doping-Gesetz in Deutschland. In: Hoven E, Kubiciel M (eds) Korruption im Sport. Nomos (Schriftenreihe zum deutschen, europäischen und internationalen Wirtschaftsstrafrecht; 35), Baden-Baden, pp 117–124

    Google Scholar 

  30. Kayser B (2018) Ethical aspects of doping and anti-doping: in search of an alternative policy. Ph.D. thesis, KU Leuven. https://serval.unil.ch/resource/serval:BIB_B9C6372028C7.P001/REF. Accessed 1 Aug 2019

  31. Kommers DP, Miller RA (1997) The constitutional jurisprudence of the Federal Republic of Germany, 2nd edn. Duke University Press, Durham

    Google Scholar 

  32. Koops BJ (2014) The trouble with European data protection law. Int Data Privacy Law 4(4):250–261

    Google Scholar 

  33. Kornbeck J (2013) The naked spirit of sport: a framework for revisiting the system of bans and justifications in the world anti-doping code. Sport Ethics Philos 7(3):313–330

    Google Scholar 

  34. Kornbeck J (2015a) Private regulation and public trust: why increased transparency could strengthen the fight against doping. Deutsche Zeitschrift für Sportmedizin 66(5):121–127

    Google Scholar 

  35. Kornbeck J (2015b) The stamina of the Bosman legacy: the European Union and the revision of the world anti-doping code (2011–13). Maastricht J Eur Comp Law 22(2):283–304

    Google Scholar 

  36. Kornbeck J (2016) Transferring athletes’ personal data from the EU to third countries for anti-doping purposes: applying Recital 112 GDPR in the post-Schrems era. Int Data Privacy Law 6(4):291–298

    Google Scholar 

  37. Kornbeck J (2017a) Athlete consent as a legal base for data transfers to third countries for anti-doping purposes, under EU and German law. Int Sports Law J 17(1–2):68–85

    Google Scholar 

  38. Kornbeck J (2017b) Einwilligung oder gesetzliche Regelung? Die Wahl der Rechtsgrundlage bei Datenübermittlungen der NADA Deutschland in Drittländer zu Anti-Doping-Zwecken gemäß EU-Datenschutz-Generalverordnung. Datenschutz Nachrichten 40(1):17–30

    Google Scholar 

  39. Kornbeck J (2018) An exemplary illustration of the distinction between private life and data protection (Art. 7–8 CFR): the ECtHR’s joint decision in FNASS v France and Longo v France (Art. 8 ECHR). J Data Prot Privacy 2(2):116–130

    Google Scholar 

  40. Kornbeck J, Kayser B (2018) Do public perception and the ‘spirit of sport’ justify criminalisation of doping? A reply to Claire Sumner. Int Sports Law J. https://link.springer.com/article/10.1007%2Fs40318-018-0120-4. Accessed 05 March 2018

  41. Kuner C (2015) Extraterritoriality and regulation of international data transfers in EU data protection law. Int Data Privacy Law 5(4):235–245

    Google Scholar 

  42. Kuner C, Jerker D, Svantesson B, Cate FH, Lynskey O, Millard C, Loideain NN (2017) The GDPR as a chance to break down borders. Int Data Privacy Law 7(4):231–232

    Google Scholar 

  43. Kuschewsky K (2014) European Union. In: Kuschewsky K (ed) Data protection and privacy: jurisdictional comparisons, 2nd edn. Thomson Reuters, London, pp 255–289

    Google Scholar 

  44. Lambertz P (2015) Problematische Namensveröffentlichungsregelung in Dopingfällen gemäss WADA-Code. Causa Sport 2015(4):369–373

    Google Scholar 

  45. Lehner M (2015) Fehlende Verfassungskonformität des geplanten Anti-Doping-Gesetzes. Causa Sport 2015(2):130–135

    Google Scholar 

  46. LfD & ULD [Landesbeauftragte für Datenschutz Rheinland-Pfalz und Schleswig-Holstein] (2011) Positionspapier des Landesbeauftragten für den Datenschutz Rheinland Pfalz und des Unabhängigen Landeszentrums für Datenschutz Schleswig-Holstein (ULD). Mainz und Kiel, 26. Juli 2011. Datenschutz und Dopingbekämpfung, https://www.datenschutzzentrum.de/allgemein/20110726-positionspapier-dopingbekaempfung.html. Accessed 21 March 2019

  47. LfD & ULD [Landesbeauftragte für Datenschutz Rheinland-Pfalz und Schleswig-Holstein] (2014) Stellungnahme der Datenschutzbeauftragten der Länder Rheinland-Pfalz und Schleswig-Holstein zum Referentenentwurf des Bundesministeriums der Justiz und für Verbraucherschutz und des Bundesministeriums des Innern Entwurf eines Gesetzes zur Bekämpfung von Doping im Sport (nicht veröffentlichte Version, Bearbeitungsstand 01.09.2014). https://www.datenschutz.rlp.de/de/aktuell/2014/images/Anti-Doping-GE_RLP_SH.pdf

  48. Ludwig K (2015) ARGE Sportrecht des DAV, Frankfurt a.M., 4./5. September 2015. Causa Sport 2015(3):334–335

    Google Scholar 

  49. Maennig W (2014) Inefficiency of the anti-doping system: cost reduction proposals. Subst Use Misuse 49:1201–1205

    Google Scholar 

  50. Ministry of Health, Welfare and Sport [The Netherlands] (2016) Report on EU anti-doping conference, 15 June 2016 in Amsterdam: “The fight against doping in the EU legal framework: balance between effective anti-doping measures and fundamental rights.” Organised by the Ministry of Health, Welfare and Sport in the context of the EU Presidency of the Netherlands. http://auteurs.allesoversport.nl/wp-content/uploads/2016/06/Report-on-the-anti-doping-conference-15-June-2016-1.pdf

  51. Mortsiefer L (2010) Datenschutz im Anti-Doping-Kampf. Gardez, Bonn

    Google Scholar 

  52. Moston S, Engelberg T, Skinner J (2015) Athletes’ and coaches’ perceptions of deterrents to performance-enhancing drug use. Int J Sport Policy Polit 7(4):623–636

    Google Scholar 

  53. Murphy J (2013) Where in the world is doping a crime? (doping in sports pt. 6). https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/FlagPost/2013/April/Where_in_the_world_is_doping_a_crime_doping_in_sports_pt_6. Accessed 24 April 2013

  54. Nakashima E, Warrick J (2013) For NSA chief, terrorist threat drives passion to ‘collect it all’. Washington Post. https://www.washingtonpost.com/world/national-security/for-nsa-chief-terrorist-threat-drives-passion-to-collect-it-all/2013/07/14/3d26ef80-ea49-11e2-a301-ea5a8116d211_story.html. Accessed July 14

  55. Neuendorf S (2015) Datenschutzrechtliche Konflikte im Anti-Doping-System. Am Beispiel des Anti-Doping Administration and Management Systems ADAMS. Nomos, Baden-Baden

    Google Scholar 

  56. Niewalda J (2011) Dopingkontrollen im Konflikt mit allgemeinem Persönlichkeitsrecht und Datenschutz. Duncker & Humblodt, Berlin

    Google Scholar 

  57. Nolte M (2010a) Datenschutzrechtliche Grenzen von Anti-Doping-Meldepflichten. Causa Sport 2010(4):309–316

    Google Scholar 

  58. Nolte M (2010b) Anti-Doping-Meldepflichten im Lichte des Datenschutzrechts. In: Deutsche Vereinigung für Sportrecht (ed) Neue Bedrohungen für die Persönlichkeitsrechte von Sportlern. Boorberg, Stuttgart, pp 59–73

    Google Scholar 

  59. Paal BP, Pauly DA, Ernst S, Frenzel EM, Gräber T, Hennemann M, Körffer B, Martini M, Nolden C (2018) Datenschutz-Grundverordnung Bundesdatenschutzgesetz: DS-GVO BDSG 2. Aufl. Beck, Munich

    Google Scholar 

  60. Padova Y (2019) Is the right to be forgotten a universal, regional, or ‘glocal’ right? Int Data Privacy Law. https://doi.org/10.1093/idpl/ipy025. Accessed 25 Jan

  61. Parensen A (1998) Die Fußball-Bundesliga und das Bosman-Urteil. In: Tokarski W (ed) EU-Recht und Sport. Aachen, Meyer & Meyer, pp 70–150

    Google Scholar 

  62. Parzeller M, Prittwitz C et al (2009) Rechtsvergleich der strafrechtlichen Normen und der strafprozessualen Verfolgung des Dopings im Leistungs- und Spitzensport in Deutschland, Italien, Frankreich. Schweiz und Spanien. BISp-Jahrbuch 10:315–326

    Google Scholar 

  63. PFPDT [Préposé fédéral à la protection des données et à la transparence] [Suisse] (2013) 20e Rapport d’activités 2012/2013. PFPDT, Berne. https://www.edoeb.admin.ch/dokumentation/00153/01073/index.html?lang=fr

  64. Ryan K (2015) Doping and anti-doping: the excesses of enterprise and the tyranny of transparency. Int J Sport Policy Polit 7(4):637–653

    Google Scholar 

  65. Sautner J (2019) Anti-Doping-Recht. Dopingbekämpfung im Lichte der Bundesverfassung und der Europäischen Menschenrechtskonvention. Verlag Österreich (SPRINT. Schriftenreihe zum Sportrecht an der Universität Innsbruck; 13), Vienna

    Google Scholar 

  66. Schaar P (2015) Globale Überwachung und digitale Souveränität. Zeitschrift für Außen- und Sicherheitspolitik 8(4):447–459

    Google Scholar 

  67. Schültke A (2016) Beschwerde vor dem Bundesverfassungsgericht. Ist das Anti-Doping-Gesetz verfassungswidrig? Deutschlandfunk, 20.03.2016. http://www.deutschlandfunk.de/beschwerde-vor-dem-bundesverfassungsgericht-ist-das-anti.1346.de.html?dram:article_id=348923

  68. Simitis S (1984) Die informationelle Selbstbestimmung—Grundbedingung einer verfassungskonformen Informationsordnung. Neue Juristische Wochenschrift 8:398–405

    Google Scholar 

  69. Simitis S (ed) (2011) Bundesdatenschutzgesetz. Kommentar. 7. Auflage. Nomos 2014, Baden-Baden

    Google Scholar 

  70. Sloot B (2018) Privacy from a legal perspective. In: Sloot B, Groot A (eds) The handbook of privacy studies. Amsterdam University Press, Amsterdam

    Google Scholar 

  71. Sloot B, Paun M, Leenes R, McNally P, Ypma P (2017) Anti-doping and data protection: an evaluation of the anti-doping laws and practices in the EU Member States in light of the General Data Protection Regulation. Publications Office of the European Union, Luxembourg. https://publications.europa.eu/en/publication-detail/-/publication/50083cbb-b544-11e7-837e-01aa75ed71a1/language-en/format-PDF/source-44694285. Accessed 1 Aug 2019

  72. Steiner U (2016) Die Bekämpfung der Sportmanipulation mit den Mitteln des Strafrechts aus verfassungsrechtlicher Sicht. In: Württembergischer Fußballverband (ed) 40 Jahre wfv-Sportrechtsseminare: 1975–2015. Nomos, Baden-Baden, pp 17–29

    Google Scholar 

  73. Sumner C (2017) The spirit of sport: the case for criminalisation of doping in the UK. Int Sports Law J 16(3–4):217–227

    Google Scholar 

  74. Swire PS, Ahmad K, McQuay T (2012) Foundations of information privacy and data protection: a survey of global concepts, laws and practice. IAPP, Portsmouth

    Google Scholar 

  75. T.M.C. Asser Instituut (2010) The implementation of the WADA Code in the European Union. Report commissioned by the Flemish Minister responsible for Sport in view of the Belgian Presidency of the European Union in the second half of 2010. T.M.C. Asser Instituut, The Hague. http://www.asser.nl/upload/documents/9202010_100013rapport%20Asserstudie%20(Engels).pdf. Accessed 1 Aug 2019

  76. Taylor M (2015) The EU’s human rights obligations in relation to its data protection laws with extraterritorial effect. Int Data Privacy Law 5(4):246–256

    Google Scholar 

  77. Tokarski W, Steinbach D (2001) Spuren. Sportpolitik und Sportstrukturen in der Europäischen Union. Meyer & Meyer, Aachen

    Google Scholar 

  78. van Dijk M, van de Beek A (2017) The Dutch anti-doping policy implementation bill: privacy concerns. World Sports Advocate 13–16

  79. Viret M (2016) Evidence in anti-doping at the intersection of science and law. Asser Press, The Hague

    Google Scholar 

  80. Waddington I (2010) Surveillance and control in sport: a sociologist looks at the WADA whereabouts system. Int J Sport Policy Polit 2(3):255–274

    Google Scholar 

  81. Weatherill S (2017) Principles and practice in EU sports law. Oxford University Press (Oxford European Union Law Library), Oxford

    Google Scholar 

  82. Wedde P (2011) Rechtsgutachten zum Thema „Datenschutzrechtliche Bewertung der Melde- und Kontrollpflichten im Rahmen von Anti-Dopingprogrammen, die die von SP.IN vertretenen Athleten betreffen“. Erstattet von Prof. Dr. Peter Wedde. Eppstein/Ts., 5. September 2011. http://www.spinbb.net/uploads/media/Wedde_-_Gutachten_fu__r_SP.IN_per_5.9.2011.pdf

  83. Whitman JQ (2004) The two western cultures of privacy: dignity versus liberty. Yale Law J 113:1151–1221

    Google Scholar 

  84. Wood J (2016) Why malta is blocking a European effort to create match-fixing prevention standards. Sep 23, 2016 07:22 PDT. https://www.legalsportsreport.com/11657/malta-blocks-council-europe-convention-manipulation-sports-competitions/

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to Jacob Kornbeck.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Jacob Kornbeck, B.Sc., M.A., Ph.D., LL.M., is an EU official, yet opinions expressed are strictly personal and do not render official positions of any EU institution. He is an external lecturer at the German Sport University (DSHS), Cologne.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Kornbeck, J. Statutory provision as a legal base for data transfers to third countries for anti-doping purposes, under EU and German law. Int Sports Law J 20, 55–81 (2020). https://doi.org/10.1007/s40318-019-00157-4

Download citation

Keywords

  • Anti-doping
  • Data protection
  • International data transfers
  • Lawfulness
  • European Union
  • Germany