The World Anti Doping Agency suffered a data breach in 2016­—a vivid illustration that even the most prominent sporting institutions are not immune to cyber incidents. The authorities have now formalized what was previously just an observation: In a bulletin published in 2024, the Canadian Centre for Cyber Security warned that the entire sports ecosystem—spectators, athletes, organizations and government representatives—is the target of cyberattack campaigns.  Malicious actors will attempt extortion through business email compromise, ransomware attacks, phishing, malicious websites and search engine poisoning, among others. Take heed, as when an incident occurs that is serious enough to require a report to the authorities, it is often too late to establish sound governance and engage in due diligence. The sporting competitions of today are producing massive amounts of data. The quantity is staggering, and the data itself almost Orwellian. Check the tables below to see for yourself. Data collected on athletes  League Information collected NFL Performance data (statistics, position and movement metrics, speed, and passing, rushing and receiving yards) Medical and/or health data (examinations, injuries, concussion protocols) Substance screening data Data on disciplinary actions and investigations Professional and contractual data Travel, logistics and security data NHL Performance data Medical and/or health data (examinations, injuries, concussion protocols) Substance screening data Data on disciplinary actions and investigations Professional and contractual data Travel, logistics and security data MLB Performance data Medical and/or health data (examinations, injuries, concussion protocols) Substance screening data Data on disciplinary actions and investigations Professional and contractual data Travel, logistics and security data   Collection of customer information online  League Information collected NFL  Information provided by individuals  Identifiers: name, email, address, telephone number, date of birth; unique identifiers (username, password, SSN and other government identifiers if required, e.g. for awards) Demographic data and other protected categories: gender, race, ethnicity, sexual orientation Financial and commercial information: payment data, purchase history Real-time geolocation; precise geolocation Communication and marketing preferences Favorite team and inferences about preferences Audio, electronic and visual information (e.g., photos provided) Biometric data, if you opt for biometric authentication at the stadium; with consent and additional notice if required Information about your contacts (name, email) that you share; if authorized, access to your contacts, calendars and photos Search queries Content posted (comments, forums) Professional and employment information Education information Information that may be health-related (e.g., accessible seating) Correspondence, waivers, consents and other information sent Automatic collection  Device and network identifiers and technical data: IP address, MAC address, advertising identifiers, device type, browser, OS Usage: page views, links clicked, browsing journeys, application usage data Tracking and emails: cookies, pixels, tags, interaction with emails (opened emails, clicks) Social media (if linked): data received according to your settings and the platform’s policy Logs and traffic: server logs, stadium Wi-Fi traffic Video and audio recordings: CCTV and pictures taken or video recorded during events   NHL  Information provided by individuals Identifiers and contact information (name, email, telephone number, address, date of birth) Commercial information (payments, purchases, services) Demographic data (language, age, gender, race, ethnicity, household composition and income) Preferences (favourite team, favourite players) Photos and/or videos Content, feedback (comments, surveys) Contact information of friends Application data (resume, references, checks permitted) Automatic collection Activity and interactions (content viewed, bids, purchases, time spent, cookies, tags), access methods (browser, OS, IP address, browsing history before and after) Device information and identifiers (type, unique identifiers, local content if allowed) Location (GPS, Bluetooth, Wi-Fi, cells) Inferences about preferences Commercial information about transactions (e.g., timestamps) Collection from third parties Member clubs (ticketing, login credential, usage logs) Fanatics, NHL Shop, NHL Auctions (name, email, items purchased; marketing engagement statistics) Other business partners, public sources, commercial sources (data brokers) Connected social media (according to the platform’s settings and policies) NHL teams* Contact information: name, email address, home address, gender, date of birth, telephone number (e.g., ticket purchase, ticket transfer, account creation, inquiries, contests, promotions) Demographic data and preferences (age group, race, gender; preferred events, preferred products, e.g., surveys) Health data related to accessibility needs Video surveillance in venues (security; sharing limited by law) Anonymous traffic analysis and device counting (cameras, technological devices; Wi-Fi); statistics that can be shared with partners Depersonalized web analytics (Google Analytics); opt-out option Online advertising and/or remarketing (Google, Facebook, LinkedIn, etc.) through cookies; opt-out mechanisms (platform settings; DAAC) Geolocation through applications if enabled Social media: profile data and authorized interactions Technical data (IP, browser, OS, resolution, location, language, origin, keywords, pages viewed, data entered, ads viewed), identifiers (IDFA, AAID), connection information (operator, ISP, Wi-Fi); ability to recognize a device) MLB Information provided by individuals Identifiers and contact information: full name, email address, home address, telephone numbers, date of birth Security and authentication: password Payments: payment details Demographic data: demographic characteristics Content and recordings: voice recordings, audiovisual recordings Preferences and interests: information about your interests and preferences Activity and event related data: information requested for an activity or event (e.g., emergency contact) Sensitive personal information: as defined by applicable laws (e.g., racial or ethnic origin; health information such as disabilities or allergies) Automatic collection  Technical and usage data: IP addresses, device data, usage data Location and contacts: location data; contacts saved on your mobile device Collection from third parties Data from third parties and integrations: information provided by other companies if individuals connect their services * This data is collected about website users, people who visit venues, people who apply for jobs or participate in contests, people who submit drafts.   How leagues are structured Regarding privacy and personal information, we must look at how sports leagues are organized to understand who does what. In most cases, sports leagues are non-profit organizations or corporations. An entire framework of rules is built around these structures, defining both how governance is done and what business model is used. First, there are the articles of association and by-laws, which dictate governance, team admissions, voting rights, and the powers of the commissioner or board of directors. There are also the sporting and competition regulations regarding eligibility, game schedules, transfers, drafts, salary caps and cost control mechanisms. The leagues also adopt integrity and security policies against doping, betting and manipulation, harassment and abuse, as well as commercial agreements covering broadcasting, sponsorships, ticketing and data leveraging, among others. There can also be collective agreements with players’ associations and formal dispute resolution mechanisms. In this environment, the league plays a central role. It generally has the power to adopt, interpret and amend its rules; admit teams; manage expansion and relocation projects and changes of control; as well as the power to impose sanctions such as fines, point deductions, suspensions or exclusions. It also centralizes strategic commercial rights, media rights, trademarks and data, and it implements revenue-sharing policies designed to maintain a competitive balance between teams. Personal information: the roles of each Teams In day-to-day relations with athletes and customers, teams are generally the main point of contact. They sign contracts with players, sell tickets, manage subscriptions and operate online stores and loyalty programs. In practice, teams are often the ones that collect personal information, that explain what the information is used for, that decide what information needs to be collected and that put in place security and incident management measures. Teams must therefore be able to clearly inform athletes and customers about the purposes for which personal information is collected, the means by which it is collected, the categories of information collected, who receives the information, and the rights that  athletes and customers have. Teams must limit collection to what is necessary. They must ensure that information is accurate; they must obtain valid, manifest, free, informed and explicit consent for sensitive information such as health or biometric data; they must implement security measures adapted to risks; they must manage and report confidentiality incidents likely to cause serious harm; they must respond to requests for access and rectification; and they must stringently govern the sharing of information with service providers and mandataries. Athletes and customers often see the team as the true holder of their data. Leagues The role leagues play regarding personal information is more difficult to understand, as it varies depending on activities. When a league directly collects information from an individual, for example through an official application, a broadcasting platform or a transactional site for its own purposes, it must assume responsibilities comparable to those a team has. This is what MLB Advanced Media does, for example, defining itself as a “data controller” with respect to its customers’ data. But in many cases, the league acts behind the scenes. In some respects, it acts as a mandatary for the teams, negotiating and signing technology contracts, broadcasting agreements and other commercial agreements that will be used by the teams. In other respects, it acts as a service provider, offering centralized technology platforms, ticketing systems, data infrastructure and shared administrative services. Under Quebec law, these two roles—mandatary and service provider—are treated the same: The team can transmit to the league the information it needs to perform the mandate or service contract without having to ask for the consent of each person again, provided that a written agreement imposes clear measures to protect privacy, limits the use of data to the sole purposes of the mandate or service and governs data retention. The league must also promptly inform a team’s privacy officer of any privacy breach or attempted privacy breach and allow the officer to conduct checks. Also, teams and the league can always choose to base certain exchanges of information on the explicit consent of athletes or customers. However, such consent must be genuinely explicit, free, informed, given for specific purposes and presented separately when asked to be given in writing. Conclusion Although professional leagues are the ones in the spotlight, the same logic applies to amateur or non-professional sports organizations. In all cases, the relationship between the league, the team and the athlete or customer must be clearly governed from a privacy standpoint. Sports organizations should map the flow of personal information, harmonize the information messages they give to the those concerned, establish a standard agreement governing the sharing of information between teams and the league, provide simple mechanisms for access and rectification, and have key employees trained in privacy matters. Incorporating these points into articles of association, by-laws and team and league agreements will reduce risks and strengthen the confidence of athletes, parents, fans and business partners. Yet, a fundamental question still remains: Given that by law, data can only be collected for serious and legitimate reasons (necessity criterion), is the mass of information currently collected in the sports ecosystem really warranted? Sports organizations will have no choice but to delve into this strategic issue. 

We invite you to our upcoming webinar: “Understanding the Legal Framework for User-Generated Content (UGC).” Learn directly from Sylvain Pierrard and Ghiles Helli as they reveal their best practices and winning strategies. Moderator France Camille De Mers will facilitate this panel discussion, ensuring a rich and dynamic dialogue.  Together, we’ll explore how to legally frame your UGC strategy. We’ll tackle the complex issues of intellectual property and the critical challenges of personal data protection, illustrating every concept with concrete, real-world examples.  The right legal framework for user-generated content (UGC) is your essential defence in the current digital landscape, protecting your business and users while building transparency and trust online. This framework covers aspects such as the use of content protected by intellectual property rights and compliance with applicable privacy laws. Understanding the legal implications of using Terms of Use is crucial to effectively navigating this evolving environment.  When: November 26th, 2025, From 10 A.M. to 11 P.M. In order to receive an attestation of attendance for continuing education purposes, please use your professional email address for registration and be sure to attend the entire webinar. Register

Blind spots to watch for when anonymizing data Anonymization has become a crucial step in unlocking the value of data for innovation, particularly in artificial intelligence. But without a properly executed anonymization process, organizations risk financial penalties, legal action and serious reputational harm, with potentially significant consequences for their operations. Understanding the anonymization process What the law says Under Quebec’s Act respecting the protection of personal information in the private sector (the “Private Sector Act”) and the Act respecting Access to documents held by public bodies and the Protection of personal information (the “Access Act”), information concerning a natural person is considered anonymized if it irreversibly no longer allows the person to be identified directly or indirectly. Since anonymized information no longer qualifies as personal information, this distinction is of crucial importance. However, beyond this definition, neither Act provides details on how anonymization should actually be performed. To fill this gap, the government adopted the Regulation respecting the anonymization of personal information (the “Regulation”), which sets out the criteria and framework for anonymization, grounded in high standards of privacy protection. What organizations need to know before starting Under the Regulation, before beginning any anonymization process, organizations must clearly define the “serious and legitimate purposes” for which the data will be used. These purposes must comply with either the Private Sector Act or the Access Act, as applicable, and any new purpose must meet the same requirement. The process must also be supervised by a qualified professional with the expertise to select and apply appropriate anonymization techniques. This supervision ensures both the proper implementation of the chosen methods and the ongoing validation of technological choices and security measures. The four key steps of data anonymization   DepersonalizationThe first step is to remove or replace all personal identifiers, such as names, addresses and phone numbers, with pseudonyms. It is essential to anticipate how different data sets might interact, in order to minimize the risk of re-identifying individuals through cross-referencing. Preliminary risk assessmentNext comes a preliminary analysis of re-identification risks. This step relies on three main criteria: individualization (inability to isolate a person within a dataset), correlation (inability to connect datasets concerning the same person) and inference (inability to infer personal information from other available information). Common anonymization techniques include aggregation, deletion, generalization and data perturbation. Organizations should also apply strong protective measures, such as advanced encryption and restrictive access controls, to minimize the likelihood of re-identification. In-depth risk analysisAfter the preliminary phase, a deeper risk analysis must be conducted. While no anonymization process can eliminate all risk, that risk must be reduced to the lowest possible level, taking into account factors such as data sensitivity, the availability of public datasets and the effort required to attempt re-identification. To sustain this low level of risk, organizations should perform periodic reassessments that account for technological advances that could make re-identification easier over time. Documentation and record-keepingFinally, organizations must keep a detailed record describing the anonymized information, its intended purposes, the techniques and security measures used, and the dates of any analyses or updates. This documentation strengthens transparency and demonstrates that the organization has fulfilled its legal obligations regarding anonymization.

“Historical facts”1 are not protected by copyright. Referring to the Storming of the Bastille or the Battle of the Plains of Abraham will not get an author sued in Federal Court, but must these events have really happened to be considered “historical facts”? The Federal Court recently ruled on this issue in Winkler v. Hendley.2 In its decision, the Federal Court stated that if an author presents their literary work as a history book,3 as long as this assertion is plausible, the events that they describe must be treated as “historical facts” even if they are not. Therefore, the author cannot claim originality when an assessment is made of whether there has been a substantial taking of their work. Originality remains only in the selection and arrangement of the facts. Background This case deals with the following three books written about the Donnelly family, whose crimes made headlines in late 19th century Ontario: The Black Donnellys (hereinafter referred to as The Black Donnellys), a history book published in 1954 by Thomas P. Kelley (hereinafter referred to as Kelley); Vengeance of the Black Donnellys (hereinafter referred to as Vengeance), a work of fiction published in 1962 by Kelley (the same author); and  The Black Donnellys: The Outrageous Tale of Canada’s Deadliest Feud (hereinafter referred to as The Outrageous Tale), a history book published in 2004 by Nate Hendley (hereinafter referred to as Hendley). John Winkler (hereinafter referred to as Winkler), Kelley’s heir and copyright holder, accused Hendley of copying, in The Outrageous Tale, a substantial part of both The Black Donnellys and Vengeance. He argued that both works are fiction, as many of the events described in them are objectively false. Winkler claimed that Hendley repeated the same mistakes in his work. He also asserted that Hendley copied the structure, tone, theme, atmosphere and dialogue in his telling of events. For his part, Hendley admitted that he referred to both of Kelley’s literary works when writing The Outrageous Tale. However, he contended that The Black Donnellys should be considered a history book, as Kelley originally described and presented it as such. Given that “historical facts” are not protected by the Copyright Act4 (the “Act”), Hendley denied having copied Kelley’s work and claimed that The Outrageous Tale is an original literary work. In support of their motions for summary judgment, both parties filed affidavits. In addition, Winkler filed two expert reports. The first compared excerpts from The Black Donnellys and Vengeance to excerpts from The Outrageous Tale.The second was an analysis of the factual nature of The Black Donnellys. The Federal Court’s findings were as follows: Facts that are credibly presented by the author as historically factual must be excluded from copyright protection. Therefore, the author cannot claim originality when an assessment is made of whether there has been a substantial taking of their work. Hendley did not infringe Winkler’s copyright on The Black Donnellys by referring to “historical facts” without copying the structure, tone, theme, atmosphere or dialogue used in presenting them in The Outrageous Tale. Hendley did not infringe Winkler’s copyright on Vengeance, although he did copy various aspects of a fictional character in The Outrageous Tale in a non-literal way.This copying does not concern a substantial part of the literary work Vengeance whenviewed as a whole. Facts that are credibly presented by the author as historically factual must be considered as such The Federal Court ruled that The Black Donnellys was a history book, and, for all intents and purposes, considered it to be an account of “historical facts.” First, the Court relied on Kelly’s statement that he presented The Black Donnellys as “The True Story of Canada’s Most Barbaric Feud” when it was published.5 Second, the Court referred to the introduction in the original 1954 edition in which Kelly stated that the information that he used was gathered from old newspapers, police and court records, trips to the area, and other “unimpeachable sources.”6 The Court determined that it did not have to consider the conclusions of the expert report that the work was “two-thirds fiction.” The law is not a tool to ensure the accuracy of various historical accounts, and its role is not to decide between them based on an objective standard.7 Thus, the notion of “historical facts” must necessarily include those that the author plausibly presents as such.8 The Court has therefore introduced a subjective standard in the assessment of the factual nature of history books. The Federal Court found that Hendley was justified in relying on the version of events presented in The Black Donnellys. The purpose of the law is to maintain a balance between, on the one hand, protecting the talent and judgment of authors and, on the other hand, allowing ideas and material to remain in the public domain for all to build upon. To allow Kelley to present something as a “historical fact” and then allow Winkler to sue another author on the grounds that such “historical fact” is false would unduly impede the flow of ideas and disturb this fair balance.9In short, Winkler cannot seek to refute the historical nature of Kelley’s book and claim copyright over the fabricated facts it contains.10 Given that they are considered “historical facts,” Winkler cannot claim originality as part of the assessment of whether there has been a copying of a substantial part of his work. Hendley did not copy a substantial part of Kelley’s work The Federal Court reiterated that the law protects original literary, dramatic, musical and artistic work. Thus, copyright protection exists whether a literary work is a history book or a piece of fiction. However, in the case of a history book, the protection does not extend to “facts of history” or their chronological sequence.11 The originality of Kelley’s work lies solely in the means of expression and thus in the selection and arrangement of facts. Consequently, the Court analyzed the copying of structure, tone, theme, atmosphere and dialogue in the telling of “historical facts,” not the facts themselves. The Supreme Court advocated a holistic and comprehensive approach to determining whether a substantial part of a plaintiff’s work was copied by a defendant.12 However, given the format of the expert report, the Federal Court found it necessary to analyze every single excerpt and then assess whether their cumulative effect amounted to a substantial copying of each of Kelley’s works.13 A) The Outrageous Tale does not amount to a reproduction of a substantial part of The Black Donnellys The Federal Court concluded that the expert report did not demonstrate any significant similarities in the comparison of some twenty excerpts from The Black Donnellys with allegedly analogous excerpts from The Outrageous Tale. Winkler alleged that the mere copying of fictional events in The Outrageous Tale constituted an unauthorized reproduction. The Court rejected this argument because to consider The Black Donnellys a history book implies that the “historical facts” it contains are not part of the originality of the work.14 Consequently, the Federal Court excluded the 20 or so excerpts because they merely mentioned the same “historical facts.”15  As for the excerpts that show some significant similarities, the Federal Court criticized the expert’s method of analyzing isolated words out of context to demonstrate greater similarities between the two texts. Instead, the Court chose to rely on more complete passages taken directly from the works to assess similarities in the selection and arrangement of facts.  The reproduction of fictional events is more easily detectable. Indeed, describing the same “historical facts” means that some significant similarities are inevitable. The Federal Court said the following regarding the description of a street battle:   In the foregoing passage, the linguistic similarity—references to Flanagan, the gun, the road, the 17 men—are all important parts of the factual aspect of the event. There may be a vast number of ways in which to recount facts. However, it would be difficult if not impossible to describe an event in which Flanagan, carrying a shotgun, went down the road with 17 men without using those terms. Here, the lack of copyright in “facts,” whether actually factual or simply asserted to be factual, becomes particularly important. If these descriptions of a fight were found in two works of fiction, there would be a stronger case that copying these elements contributed to a substantial taking. In a work of nonfiction, these factual elements are not part of the work’s originality.16 The Federal Court rejected the allegations of copying in the other passages based on the same argument. It concluded that the analysis carried out on the structure, tone, theme, atmosphere and dialogue of the work does not demonstrate that Hendley copied in The Outrageous Tale any substantial part of The Black Donnellys.  The decision is surprising in that the protection given to works under copyright and the assessment of whether there has been a substantial taking of the work should be objective: Was a substantial part of the first work copied in the second work in terms of quality? A fact is either historical or it is not. That an author may reasonably believe that such fact is historical should not affect the originality of the first work, nor should it affect the issue of “substantial taking” in the second work. While one understands that the judge was trying to achieve a fair outcome, one might question whether the legal means adopted were adequat For the purposes of this text, “historical facts” refer to events of a factual nature. 2021 FC 498 In this text, the notion of “history book” refers to a work of “history,” understood as the branch of knowledge that studies the past and seeks to reconstruct “historical facts.”  R.S.C., 1985, c. C-42 Winkler v. Hendley, supra note 2, para. 72 Id., para. 73 Id., para. 96 Id., para. 92 Id., para. 92 Id., para. 92 Id., para.  56 Cinar Corporation v. Robinson, 2013 SCC 73; Copyright Act, supra note 6, s. 3  Id., para. 113 Winkler v. Hendley, supra note 2, para. 58 Id. Id., para. 122