Dr Emma Grech LL.D. (Melit.)
The General Data Protection Regulation (the “GDPR”)(1) is set to become enforceable on 25 May 2018. It requires businesses to carry out an entire reassessment of their data processing architecture. Business-to-consumer (B2C) remote gaming operators in particular have, in view of their trans-border, player-transacting nature, been tasked with an arduous compliance project in advance of the now imminent deadline. While, generally speaking, in the same compliance boat as other online businesses, remote gambling companies – navigating a web of heterogeneous national gambling law rulebooks across the EU Member States, as well as operating in strong reliance on the personal data they collect – face an array of unique challenges in the face of the GDPR.
1. 2018: THE E-INFORMATION SOCIETY
It was in 1995 – 23 years ago – that the EU welcomed the Data Protection Directive (the “DPD”)(2). The DPD has borne witness to countless technological advancements, many of which, in some way or another, implicate and, or impact, personal data. In the meantime, the Internet itself – an aggressive data-sharing engine – has become modernity’s most workable medium, replacing brick-and-mortar. The cloud, artificial intelligence, as well as data analytics are hyper-connecting companies and people across the globe. In full realization that the 1995 rules were not reflective of what had effectively become today’s ‘e-information society’, the text for the DPD’s directly applicable successor – the GDPR – was finally approved in 2015.
2. THE SALIENT CHANGES
The GDPR builds on the DPD(3), and seeks to address many of the DPD’s limitations. Set against the backdrop of a data-driven world, the GDPR places a newfound emphasis on accountability, compelling businesses, generally, to maintain an audit trail that essentially records how they collect the personal data, what they do with such data, and for how long they retain that data. Inspiring accountability are the steep fines for privacy infringements which entities processing data now face; that is a maximum of 20 million Euro or four percent of the relevant entity’s annual global turnover, whichever is greater.
Paying homage to the borderless online era, the GDPR has also widened and clarified the DPD’s territorial scope. In general terms, it will apply to an entity processing the personal data of data subjects residing in the EU, whether or not that entity is situated in the EU. On a related note, the transfer of data to third countries under the GDPR – similarly to the DPD – poses challenges. The GDPR maintains that the transfer of personal data outside the EU will only be permitted if certain additional requirements are met: in particular, on the basis of the individual’s consent; Standard Data Protection Clauses; Codes of Conduct; or an accepted Certification (4).
Where data is collected on the basis of consent (for instance, for the purpose of e-mail marketing), the requirements for the obtainment and granting of that consent have been tightened: data subject consent must be informed, unambiguous, and provided by way of ‘clear, affirmative action’ (5). Indeed, the GDPR works to enhance data subject protection. It introduces novel data subject rights; for example, the controversial ‘data portability’, by virtue of which individuals may demand the receipt as well as porting of their personal data across different service providers – the latter of which may very well be competitors. In addition, the GDPR mandates that entities processing data notify a data privacy breach to the relevant supervisory authority in writing, without undue delay, and not later than 72 hours after the discovery of such breach.
The GDPR has, without a doubt, become user-centric.
3. THE GDPR AND ONLINE GAMING OPERATORS: KEY CONSIDERATIONS
While the GDPR will naturally apply across all organisations that process personal data and fall within its remit, the online gambling industry – as mentioned further above – brings with it sector-specific characteristics that merit focused attention.
The iGaming industry is rife with diversity. Smaller B2C companies may be able to bypass some of the GDPR’s requirements. An operator employing fewer than 250 persons will not be required to maintain such detailed records unless the relevant processing poses a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes certain categories of data. Further, those entities that provide business-to-business (B2B) services may find themselves largely unaffected by the GDPR in view of the fact that they will almost certainly not be processing personal data on a large scale.
There is, therefore, no such thing as a standard approach to the GDPR in the online gambling space. The larger B2C entities in particular will need to look inwards to assess the extent of the impact the GDPR is to have on their activities. Naturally, as the staple business of gaming operators comprises the processing of player data – whether at onboarding stage, the active play stage, and, or via the monitoring of player conduct for the purpose of augmenting or personalising the customer experience – preparation is vital. In this regard, an important step for operators, as part of their data mapping exercise, would be to formulate a personal data inventory. Other than serving to form part of the now crucial compliance audit trail, this would, going forward, assist operators in their decision-making on matters connected with the GDPR.
3.2 The Data Protection Officer
It is envisaged that the majority of B2C online gaming operators will need to appoint a data protection officer (“DPO”). The GDPR maintains that an entity operating, as its core activity, a business which, by virtue of its nature, scope and, or purpose, requires regular and systematic monitoring of data subjects on a large scale, will need to appoint a DPO. The DPO will be responsible for providing guidance to the operator as to its obligations under the GDPR; monitoring GDPR-compliance; providing the point of contact for players in the case of queries or complaints relating to data privacy; and liaising with the local supervisory authority, amongst other things. The DPO must be adequately qualified and experienced. Notably, the GDPR allows the DPO role to be outsourced.
3.3 Data Portability
Data portability is one of the major concerns facing online gambling operators in the wake of the GDPR. Players divulge a great deal of personal data to operators: including, of course, their basic identification details; playing history; payment transactions; and playing habits. In terms of the GDPR, and generally, a player shall not only have the right to request receipt of such data from the operator in a structured, commonly used and machine-readable format, but may also demand that that data be transferred to another operator. Rather disconcertingly, this means that operators may attempt to target players belonging to other companies by enticing them away with more attractive packages or bonuses.
Data portability will, in simple terms, increase operator expenditure. Apart from having to stealthily dedicate more resources to player retention methodologies, operators will also need to find ways and means of executing the data portability obligation – or face the consequences of not doing so.
3.4 Problem Gambling and the Right to be Forgotten
Operators will need to be careful about the manner in which they process erasure requests under the GDPR’s right to be forgotten, particularly in view of any applicable self-exclusion or self-barring mechanisms in place under the relevant gambling legislation. In the scenario where an existing self-excluded player demands that all personal data held about him be deleted, it must be borne in mind that the right to be forgotten is not an absolute right. When the personal data is being used to satisfy a legal obligation (such as, for instance, ensuring that a self-excluded player does not participate in any games throughout the relevant period of self-exclusion), the operator may be required to retain that data.
The GDPR has catapulted the ‘operator-affiliate’ relationship into the limelight. Depending on whether they process data themselves or on an operator’s behalf, affiliates may be viewed as either data controllers or data processors. It is noteworthy that the DPD does not entertain a statutory obligation for processors to comply with data protection rules with respect to the processing they carry out on behalf of data controllers. Unlike the DPD, however, the GDPR entertains a relatively level playing field for both controllers and processors – as a result, affiliates that are processors will, under the GDPR, become directly liable for compliance. Depending on the circumstances, players may thus be able to file claims for privacy breaches against both the gaming operator and, or its affiliates. Moreover, and due to the GDPR’s extended territorial scope, affiliates situated outside the EU will likewise be affected.
In order to ascertain, as far as possible, the correct attribution of responsibility among operators and affiliates, operators should ensure that any intermediary agreements entered into with their affiliates – whether these are situated within or outside the EU – expressly lay down the requirement for compliance with the same gambling, advertising and data protection legislation that binds the operator; and, in addition to this, and where applicable, contain the mandatory processing terms as stipulated in the GDPR (6).
4. THE FUTURE
While the personal data of players is not treated as a ‘special category’ of data under the GDPR(7), the gambling sector has always presented unethical connotations associated with gambling addiction, spendthrift behavior, and resulting negative repercussions. As a result, a privacy breach in the realm of online gambling could have dire implications for all parties involved, inclusive of damage to one’s reputation. For data controllers, and other than the risk to reputation, the possibility of making undesirable headlines, and the resultant potential loss in business, the implications of a privacy breach are various, inclusive – depending on the applicable gambling legislation – of the loss of the online gambling licence itself.
This only means that data controllers operating in the area would do well to pay due regard to the GDPR’s requirements. After all, there’s a good chance that non-compliance will prove costlier than doing it right the first time around.
1 Regulation (EU) 2016/679.
2 Directive 95/46/EC.
3 The GDPR does not amend the DPD’s underlying rationale for the protection of personally identifiable data. The core data protection principles found in the DPD have essentially remained unchanged (Article 6, DPD and Article 5, GDPR). Technically speaking, therefore, businesses that have properly adhered to the DPD’s provisions should not be far off from achieving GDPR-compliant status.
4 Articles 40-50, GDPR.
5 Article 4(11), GDPR.
6 Articles 28-36, GDPR.
7 Article 9, GDPR.
The information provided herein is not intended to constitute advice of any nature whatsoever. While every effort has been made to ascertain correctness, the author assumes no responsibility for errors, inaccuracies, omissions or any other inconsistencies herein.