Behind the Scenes of Sports, Data Never Takes a Break

February 2, 2026

The World Anti Doping Agency suffered a data breach in 2016¾a vivid illustration that even the most prominent sporting institutions are not immune to cyber incidents. The authorities have now formalized what was previously just an observation: In a bulletin published in 2024, the Canadian Centre for Cyber Security warned that the entire sports ecosystem—spectators, athletes, organizations and government representatives—is the target of cyberattack campaigns.

Malicious actors will attempt extortion through business email compromise, ransomware attacks, phishing, malicious websites and search engine poisoning, among others. Take heed, as when an incident occurs that is serious enough to require a report to the authorities, it is often too late to establish sound governance and engage in due diligence.

The sporting competitions of today are producing massive amounts of data. The quantity is staggering, and the data itself almost Orwellian. Check the tables below to see for yourself.

Collecte sur les athlètes GIF ENGLISH

Collecte de renseignements sur les clients (en ligne) GIF ENGLISH

How leagues are structured

Regarding privacy and personal information, we must look at how sports leagues are organized to understand who does what. In most cases, sports leagues are non-profit organizations or corporations. An entire framework of rules is built around these structures, defining both how governance is done and what business model is used.

First, there are the articles of association and by-laws, which dictate governance, team admissions, voting rights, and the powers of the commissioner or board of directors. There are also the sporting and competition regulations regarding eligibility, game schedules, transfers, drafts, salary caps and cost control mechanisms. The leagues also adopt integrity and security policies against doping, betting and manipulation, harassment and abuse, as well as commercial agreements covering broadcasting, sponsorships, ticketing and data leveraging, among others. There can also be collective agreements with players’ associations and formal dispute resolution mechanisms.

In this environment, the league plays a central role. It generally has the power to adopt, interpret and amend its rules; admit teams; manage expansion and relocation projects and changes of control; as well as the power to impose sanctions such as fines, point deductions, suspensions or exclusions. It also centralizes strategic commercial rights, media rights, trademarks and data, and it implements revenue-sharing policies designed to maintain a competitive balance between teams.

Personal information: the roles of each

Teams

In day-to-day relations with athletes and customers, teams are generally the main point of contact. They sign contracts with players, sell tickets, manage subscriptions and operate online stores and loyalty programs. In practice, teams are often the ones that collect personal information, that explain what the information is used for, that decide what information needs to be collected and that put in place security and incident management measures.

Teams must therefore be able to clearly inform athletes and customers about the purposes for which personal information is collected, the means by which it is collected, the categories of information collected, who receives the information, and the rights that athletes and customers have. Teams must limit collection to what is necessary. They must ensure that information is accurate; they must obtain valid, manifest, free, informed and explicit consent for sensitive information such as health or biometric data; they must implement security measures adapted to risks; they must manage and report confidentiality incidents likely to cause serious harm; they must respond to requests for access and rectification; and they must stringently govern the sharing of information with service providers and mandataries.

Athletes and customers often see the team as the true holder of their data.

Leagues

The role leagues play regarding personal information is more difficult to understand, as it varies depending on activities. When a league directly collects information from an individual, for example through an official application, a broadcasting platform or a transactional site for its own purposes, it must assume responsibilities comparable to those a team has. This is what MLB Advanced Media does, for example, defining itself as a “data controller” with respect to its customers’ data.

But in many cases, the league acts behind the scenes. In some respects, it acts as a mandatary for the teams, negotiating and signing technology contracts, broadcasting agreements and other commercial agreements that will be used by the teams. In other respects, it acts as a service provider, offering centralized technology platforms, ticketing systems, data infrastructure and shared administrative services.

Under Quebec law, these two roles—mandatary and service provider—are treated the same: The team can transmit to the league the information it needs to perform the mandate or service contract without having to ask for the consent of each person again, provided that a written agreement imposes clear measures to protect privacy, limits the use of data to the sole purposes of the mandate or service and governs data retention. The league must also promptly inform a team’s privacy officer of any privacy breach or attempted privacy breach and allow the officer to conduct checks.

Also, teams and the league can always choose to base certain exchanges of information on the explicit consent of athletes or customers. However, such consent must be genuinely explicit, free, informed, given for specific purposes and presented separately when asked to be given in writing.

Conclusion

Although professional leagues are the ones in the spotlight, the same logic applies to amateur or non-professional sports organizations. In all cases, the relationship between the league, the team and the athlete or customer must be clearly governed from a privacy standpoint. Sports organizations should map the flow of personal information, harmonize the information messages they give to the those concerned, establish a standard agreement governing the sharing of information between teams and the league, provide simple mechanisms for access and rectification, and have key employees trained in privacy matters.

Incorporating these points into articles of association, by-laws and team and league agreements will reduce risks and strengthen the confidence of athletes, parents, fans and business partners. Yet, a fundamental question still remains: Given that by law, data can only be collected for serious and legitimate reasons (necessity criterion), is the mass of information currently collected in the sports ecosystem really warranted? Sports organizations will have no choice but to delve into this strategic issue.

Back to the publications list

Written by

Eric Lavallée
Partner, Lawyer and Trademark Agent
Ghiles Helli
Lawyer

Stay tuned for the latest legal news. Subscribe to our newsletter.

Subscribe to publications

September 25, 2025

Lavery's expertise recognized by Chambers Global 2026

We are pleased to announce that Lavery has once again been recognized in the 2026 edition of Chambers in the following sectors: Coporate/Commercial (Quebec, Band 1) Employment & Labor (Quebec , Band 2) Energy & Natural Ressources : Mining (Nation wide Canada, Band 3) Intellectual Property (Nationwide Canada, Band 4) Insurance : Dispute Resolution (Nationwide Canada, Band 5) These recognitions are further demonstration of the expertise and quality of legal services that characterize Lavery's professionals. Nine lawyers have been recognized as leaders in their respective areas of practice in the 2026 edition of the Chambers Global guide. Areas of expertise in which they are recognized: René Branchaud : Energy & Natural Ressources : Mining (Nationwide Canada, Band 5) Brittany Carson: Employment & Labour (Up and Coming) Nicolas Gagnon: Construction (Nationwide Canada, Band 2) Édith Jacques: Corporate/Commercial (Québec, Band 5) Marie-Hélène Jolicoeur: Employment & Labour (Québec, Band 4) Guy Lavoie: Employment & Labour (Québec, Band 2) Martin Pichette: Insurance: Dispute Resolution (Nationwide Canada, Band 3) Sébastien Vézina: Energy & Natural Ressources : Mining (Nationwide Canada, Band 5) Camille Rioux: Employment & Labour (Associates to watch) About Chambers Since 1990, Chambers and Partners' ranks the best law firms and lawyers across 200 jurisdictions throughout the world. The lawyers and law firms profiled in Chambers are selected following through a rigorous process of research and interviews with a broad spectrum of lawyers and their clients. The final selection is based on clearly defined criteria such as the quality of client service, legal expertise, and commercial astuteness. About Lavery Lavery is the leading independent law firm in Québec. Its more than 200 professionals, based in Montréal, Québec City, Sherbrooke and Trois-Rivières, work every day to offer a full range of legal services to organizations doing business in Québec. Recognized by the most prestigious legal directories, Lavery professionals are at the heart of what is happening in the business world and are actively involved in their communities. The firm's expertise is frequently sought after by numerous national and international partners to provide support in cases under Québec jurisdiction.

Read more

Publications that might interest you

October 28, 2025

Export controls: implications in a world of knowledge sharing

Introduction When we hear the term “export controls,” we may think it only applies to weapons and other highly sensitive technologies, but that is not the case. There are a multitude of circumstances—some unexpected—to which it is important to know that export controls apply. This is especially true if you are involved in research or in the design and development of seemingly innocuous solutions that are not necessarily tangible objects. Today, technological knowledge is shared not only through conventional partnerships between businesses or universities, but also through data sharing or access to databases that feed large language models. Artificial intelligence is, in itself, a means of sharing knowledge. Feeding such algorithms with sensitive data, or data that can become sensitive when combined, carries a risk of violating the applicable legal framework. Here are some key concepts. Overview of the federal export control framework The Export and Import Permits Act In Canada, the Export and Import Permits Act (the “EIPA”) establishes the primary framework governing the export of controlled goods and technologies. The EIPA gives the Minister of Foreign Affairs the power to issue, to any resident of Canada who applies for one, a permit authorizing the export or transfer of a wide range of items included on the Export Control List (the “ECL”) or destined for a country listed on the Area Control List. In other words, the EIPA regulates, and at times prohibits, the trade of critical goods and technologies outside Canada. The Export Control List To get the full picture of the ECL, we need to refer to the Guide to Canada's Export Control Listas published by the Department with its successive amendments, the most recent of which date back to May 2025 (the “Guide”). In summary, the Guide includes military goods and technologies, strategic goods and dual-use (civilian and military) goods and technology that are controlled in accordance with Canada’s commitments made in multilateral regimes, such as the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, bilateral agreements, and certain unilateral controls implemented by Canada as part of its defence policy. The Guide also includes forest products, agricultural and food products, apparel goods and vehicles. Other laws that affect exports Also to take into account are the sanctions that Canada imposes under laws that affect exports, such as: the United Nations Act the Special Economic Measures Act the Justice for Victims of Corrupt Foreign Officials Act These sanctions against specific countries, organizations or persons include a number of measures, including restricting or prohibiting trade, financial transactions or other economic activities with Canada, or the freezing of property located in Canada.1 Finally, in order for an individual (or an organization) to transfer controlled goods outside Canada, they must register with the Controlled Goods Program (the “CGP”) to obtain an export permit, unless exempt. Key concepts Did you know? Certain goods and technologies are referred to as “dual-use” goods and technologies. This means that even though they were initially designed for civilian use or appear harmless, they may be subject to export controls if they can be used for military purposes or to produce military items. A “technology” is broadly defined to include technical data, technical assistance and information necessary for the development, production or use of an item listed on the ECL. Also included in this notion, albeit indirectly, are the technologies referred to in any of the regulations associated with the laws listed above, which make certain countries subject to specific technology transfer restrictions. A “transfer” in relation to a technology, means to dispose of it (e.g. sell it) or disclose its content in any manner from a place in Canada to a place outside Canada. This definition stems from legislative amendments to the EIPA, which expanded the scope of the law to include the mere transfer of intangible technologies by various means, thereby broadening the circumstances to which permits apply as regards transfers.2 Regarding trade relations with the United States, Canadian exporters may face additional restrictions and considerable challenges, particularly in situations where their employees or other stakeholders involved are foreign nationals.The International Traffic in Arms Regulations (“ITAR”) and the Export Administration Regulations(“EAR”) are two key sets of rules that govern exports from the United States.3 They protect both similar and distinct interests. While the ITAR aim to protect defence articles and defence services (including weapons and information), the EAR govern dual-use items.4 Both prevent exports5 in a broad sense, i.e., up to and including the transfer of information to so-called “foreign” persons, except with the permission of the authorities. It is thus quite possible that Canadian exporters will be required to comply with these American regulations, which, in addition to targeting territories, target the national origin of individuals. This is diametrically opposed to Canada’s export regime, which rather centres on prohibiting trade with a country or anyone located there. In this regard, note that Quebec’s Charter of Human Rights and Freedoms considers national origin to be a ground for discrimination. 6 A Quebec business can thus find itself struggling to balance its contractual obligations under a contract with an American company with the requirements of the Quebec Charter. Artificial intelligence: novel challenges The development of large language models in the field of artificial intelligence represents a new challenge from an export control standpoint, and a significant one at that. For example, if a large language model is trained using restricted data, a state subject to the aforementioned sanctions might attempt to use the large language model to indirectly obtain information to which it would not otherwise have had direct access. As a result, training a large language model on plans, technical specifications or textual descriptions of technologies covered by transfer restrictions (which can include knowledge transfers) can create a risk of non-compliance with the law. The same applies to accessing such data for retrieval-augmented generation, a widely used technique to expand and improve large language model responses. To limit the risk during research and development, a company that trains a large language models on such data or allows access to such data for retrieval-augmented generation will need to consider where the data will be hosted and processed. Similarly, once the artificial intelligence application is developed, it will be important to restrict access to it in a manner consistent with the law, both in terms of locating the servers on which the large language model will be installed and in terms of user access. Sanctions Any person or organization that contravenes any provision of the EIPA or its regulations commits an offence punishable by fine and/or imprisonment, as applicable. Also, failure to register with the CGPmay constitute an offence under federal laws that can lead to prosecution and substantial sanctions against the offender(s).7 Conclusion Canada’s export controls are quite complex, not only in how they are structured, but also in how they must be implemented. With the changing geopolitical and commercial landscape, it is advisable to periodically read the resources made available by the relevant authorities and put in place appropriate policies and measures, or to seek professional advice in this regard. Government of Canada, “Types of sanctions” (date modified: 2024-09-10): Types of sanctions Martha L. Harrison & Tonya Hughes, “Understanding Exports: A Primer on Canada’s Export Control Regime” (2010) 8(2) Canadian International Lawyer, 97 The ITAR and EAR are included in the Code of Federal Regulations (“CFR”). Austin D. Michel, “Hiring in the Export-Control Context: A Framework to Explain How Some Institutions of High Education Are Discriminating against Job Applicants” (2021) 106:4 Iowa L Review, 1993 The ITAR and EAR also provide for restrictions on re-exportation. See Maroine Bendaoud, “Quand la sécurité nationale américaine fait fléchir le principe de non-discrimination en droit canadien : le cas de l'International Traffic in Arms Regulations (ITAR)” (2013) Les cahiers de droit, 54 (2–3), 549 Government of Canada, “Guideline on Controlled Goods Program registration” (date modified: 2025-05-08): Guideline on Controlled Goods Program registration – Canada.ca

Read more
October 21, 2025

Data Anonymization: Not as Simple as It Seems

Blind spots to watch for when anonymizing data Anonymization has become a crucial step in unlocking the value of data for innovation, particularly in artificial intelligence. But without a properly executed anonymization process, organizations risk financial penalties, legal action and serious reputational harm, with potentially significant consequences for their operations. Understanding the anonymization process What the law says Under Quebec’s Act respecting the protection of personal information in the private sector (the “Private Sector Act”) and the Act respecting Access to documents held by public bodies and the Protection of personal information (the “Access Act”), information concerning a natural person is considered anonymized if it irreversibly no longer allows the person to be identified directly or indirectly. Since anonymized information no longer qualifies as personal information, this distinction is of crucial importance. However, beyond this definition, neither Act provides details on how anonymization should actually be performed. To fill this gap, the government adopted the Regulation respecting the anonymization of personal information (the “Regulation”), which sets out the criteria and framework for anonymization, grounded in high standards of privacy protection. What organizations need to know before starting Under the Regulation, before beginning any anonymization process, organizations must clearly define the “serious and legitimate purposes” for which the data will be used. These purposes must comply with either the Private Sector Act or the Access Act, as applicable, and any new purpose must meet the same requirement. The process must also be supervised by a qualified professional with the expertise to select and apply appropriate anonymization techniques. This supervision ensures both the proper implementation of the chosen methods and the ongoing validation of technological choices and security measures. The four key steps of data anonymization DepersonalizationThe first step is to remove or replace all personal identifiers, such as names, addresses and phone numbers, with pseudonyms. It is essential to anticipate how different data sets might interact, in order to minimize the risk of re-identifying individuals through cross-referencing. Preliminary risk assessmentNext comes a preliminary analysis of re-identification risks. This step relies on three main criteria: individualization (inability to isolate a person within a dataset), correlation (inability to connect datasets concerning the same person) and inference (inability to infer personal information from other available information). Common anonymization techniques include aggregation, deletion, generalization and data perturbation. Organizations should also apply strong protective measures, such as advanced encryption and restrictive access controls, to minimize the likelihood of re-identification. In-depth risk analysisAfter the preliminary phase, a deeper risk analysis must be conducted. While no anonymization process can eliminate all risk, that risk must be reduced to the lowest possible level, taking into account factors such as data sensitivity, the availability of public datasets and the effort required to attempt re-identification. To sustain this low level of risk, organizations should perform periodic reassessments that account for technological advances that could make re-identification easier over time. Documentation and record-keepingFinally, organizations must keep a detailed record describing the anonymized information, its intended purposes, the techniques and security measures used, and the dates of any analyses or updates. This documentation strengthens transparency and demonstrates that the organization has fulfilled its legal obligations regarding anonymization.

Read more
July 14, 2025

Full House v. NCAA: The Bet Pays Off for Athletes

Understanding the House Agreement On June 6, 2025, a landmark settlement catalyzed a major turning point and reshaped the dynamics of American collegiate sports. By approving the House v. NCAA settlement, U.S. courts authorized universities to directly compensate their athletes for the use of their name, image, and likeness (NIL), which represents a significant departure from previous restrictions. In practical terms, NIL rights grant athletes’ exclusive control over their personal brand, enabling them to generate revenue from the commercial use of their identity. In addition to establishing a new legal framework, this settlement provides for a retroactive payout of $2.8 billion to be shared among Division I athletes, the National Collegiate Athletic Association (NCAA)’s top tier, who have competed since 2016. Building on the Supreme Court’s 2021 ruling in NCAA v. Alston, this development stems from the Court's determination that the NCAA’s restrictions on certain education-related benefits constituted antitrust violations. While Alston laid the groundwork for the commercialization of NIL agreements, the subsequent years were plagued by legal uncertainty and a lack of consistency in regulations surrounding the compensation of collegiate athletes. As states and universities implemented divergent policies and internal rules, former Alabama head coach Nick Saban posed a question that remains unanswered to this day: “Where does it end?” A Uniform National Framework at Last The House v. NCAA settlement establishes the first nationwide framework for compensating collegiate athletes. Starting in the 2025-2026 academic year, Division I programs will be permitted to allocate up to $20.5 million annually distributed among their athletes, covering both athletic potential and NIL monetization. This represents a major shift, as universities themselves, not just third-party sponsors, will now be able to directly fund their athletes. Simultaneously, an independent entity, the College Sports Commission LLC, has been established to oversee NIL agreements valued at $600 or more. The Commission will have the authority to approve, modify or reject deals that exceed fair market value or deviate from their intended purpose. For instance, NIL deals cannot reward athletic performance, influence recruitment or transfer decisions, nor serve as disguised salaries, practices commonly known as pay-for-play incentives. To ensure prompt and confidential resolution of disputes, the agreement introduces an expedited arbitration mechanism. Managed by an independent panel, this procedure requires parties to submit their documents within a short timeframe, with decisions to be rendered within 45 days of case initiation, and with no possibility for appeal. The goal is to safeguard athletes’ rights while preventing an overload of NIL-related cases in civil courts. In the wake of this recognition, the introduction of direct payments and the consolidation of the NIL framework are also reshaping traditional career paths for collegiate athletes. Increasingly, collegiate athletes are choosing to delay their entry into professional drafts, particularly in the NBA and NFL, to benefit from the financial and strategic advantages that college sports now offer. For athletes who are not guaranteed an early draft selection, staying in school can mean earning substantial income, sometimes comparable to that of professional athletes, while retaining greater control over the development of their athletic careers. In an increasingly competitive market, this new leverage is redefining the balance of power between athletes, universities, and professional franchises. This reform also resonates with the journeys of several Quebec athletes who came up through the NCAA, such as Bennedict Mathurin and Luguentz Dort, both of whom reached this year’s NBA Finals. Their stories illustrate how American college sports can serve as a powerful gateway that now financially recognizes and rewards its athletes. The fact that these players grew up in Montréal-North before rising through the NCAA makes it clear that Quebec is claiming its place in this evolving landscape, not only as a pool of talent, but also as a fertile soil for cultivating collegiate careers that are both inspiring and financially profitable. What Lies Ahead? While this reform represents a milestone, it also prompts significant new legal challenges. A pending appeal challenges the $2.8 billion retroactive payout, arguing that it could violate Title IX’s mandate for gender equity in federally funded education programs. Critics warn that, without clear safeguards, the distribution may exacerbate rather than reduce existing disparities between men’s and women’s sports. Furthermore, the Johnson v. NCAA case is currently pending before the U.S. District Court for the Eastern District of Pennsylvania, where collegiate athletes are seeking to be recognized as university employees, which would entitle them to a minimum wage and other labour protections. With over 350 universities and approximately 200,000 athletes impacted, the implementation of this reform is likely to vary significantly across institutions. Collegiate athletics is entering a new era of remunerated athletes but remains for the moment in a state of transition and uncertainty.

Read more
March 27, 2025

Businesses: Four tips to avoid dependency or vulnerability in your use of AI

While the world is focused on how the tariff war is affecting various products, it may be overlooking the risks the war is posing to information technology. Yet, many businesses rely on artificial intelligence to provide their services, and many of these technologies are powered by large language models, such as the widely-used ChatGPT. It is relevant to ask whether businesses should rely on purely US-based technology service providers. There is talk of using Chinese alternatives, such as DeepSeek, but their use raises questions about data security and the associated control over information. Back in 2023, Professor Teresa Scassa wrote that, when it comes to artificial intelligence, sovereignty can take on many forms, such as state sovereignty, community sovereignty over data and individual sovereignty.1 Others have even suggested that AI will force the recalibration of international interests.2 In our current context, how can businesses protect themselves from the volatility caused by the actions of foreign governments? We believe that it’s precisely by exercising a certain degree of sovereignty over their own affairs that businesses can guard against such volatility. A few tips: Understand Intellectual property issues: Large language models underlying the majority of artificial intelligence technologies are sometimes offered under open-source licenses, but certain technologies are distributed under restrictive commercial licenses. It is important to understand the limits imposed by the licenses under which these technologies are offered. Some language model owners reserve the right to alter or restrict the technology’s functionality without notice. Conversely, permissive open-source licenses allow a language model to be used without time restrictions. From a strategic standpoint, businesses should keep intellectual property rights over their data compilations that can be integrated into artificial intelligence solutions. Consider other options: Whenever technology is used to process personal information, a privacy impact assessment is required by law before such technology is acquired, developed or redesigned.[3] Even if a privacy impact assessment is not legally required, it is prudent to assess the risks associated with technological choices. If you are dealing with a technology that your service provider integrates, check whether there are alternatives. Would you be able to quickly migrate to one of these if you faced issues? If you are dealing with custom solution, check whether it is limited to a single large language model. Adopt a modular approach: When a business chooses an external service provider to provide a large language model, it is often because the provider offers a solution that is integrated to other applications that the business already uses, or because it provides an application programming interface developed specifically for the business. In making such a choice, you should determine whether the service provider can replace the language model or application if problems were to arise. If the technology in question is a fully integrated solution from a service provider, find out whether the provider offers sufficient guarantees that it could replace a language model if it were no longer available. If it is a custom solution, find out whether the service provider can, right from the design stage, provide for the possibility of replacing one language model with another. Make a proportionate choice: Not all applications require the most powerful language models. If your technological objective is middle-of-the-road, you can consider more possibilities, including solutions hosted on local servers that use open-source language models. As a bonus, if you choose a language model proportionate to your needs, you are helping to reduce the environmental footprint of these technologies in terms of energy consumption. These tips each require different steps to be put into practice. Remember to take legal considerations, in addition to technological constraints, into account. Licenses, intellectual property, privacy impact assessments and limited liability clauses imposed by certain service providers are all aspects that need to be considered before making any changes. This isn’t just about being prudent—it’s about taking advantage of the opportunity our businesses have to show they are technologically innovative and exercise greater control over their futures. Scassa, T. 2023. “Sovereignty and the governance of artificial intelligence.” 71 UCLA L. Rev. Disc. 214. Xu, W., Wang, S., & Zuo, X. 2025. “Whose victory? A perspective on shifts in US-China cross-border data flow rules in the AI era.” The Pacific Review, 1–27. See in particular the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, s. 3.3.

Read more