The EU General Data Protection Regulation (“GDPR”) was approved by the European Parliament on 14 April 2016. It will apply from 25 May 2018, replacing the current Data Protection Directive, and, being a regulation rather than a directive, it will be directly applicable in all EU member states without having to be transposed into national law.
It will introduce a much stricter data protection compliance regime and a tiered approach to financial penalties, enabling fines of up to €20 million or 4% of annual worldwide turnover, whichever is the higher, for the most serious infringements and up to €10 million or 2% of annual worldwide turnover, whichever is the higher, for other infringements.
Even if the UK votes to leave the EU, UK businesses will be affected by the GDPR if they process data relating to EU subjects. In any event it will be vital for the digital economy that the UK’s data protection laws are of a comparable standard with other major jurisdictions, so businesses should not assume the GDPR can be ignored.
Amongst the major consequences for gambling operators are the following.
Data protection officer
Data controllers and processors whose “core activities” involve “regular and systematic monitoring of data subjects on a large scale” will have to appoint a Data Protection Officer (“DPO”).
So what is the consequence for gambling operators, for whom regular and systematic monitoring (including behaviour tracking and profiling) of their customers – not only to ensure effective marketing but also to enable fulfilment of their AML and social responsibility functions – constitutes a core activity conducted on a large scale?
It seems that, regardless of their size, they will have to appoint a DPO. I say “regardless of their size” because earlier drafts of the GDPR proposed that this requirement should only apply to businesses (a) processing data relating to more than 5,000 data subjects in any consecutive 12-month period or (b) with over 250 employees, but neither derogation appears in the most recent version that has now been approved by the European Parliament.
This final version of the GDPR does encourage EU member states and their Supervisory Authorities “to take account of the specific needs of micro, small and medium-sized enterprises” (“SMEs”). However, it makes no mention of any derogation from the requirement to appoint a DPO; the better reading is that it encourages Member States and Supervisory Authorities to publish guidance that specifically addresses the needs of SMEs, taking into account their resources, their processing activities and the risks likely to attach to them.
The GDPR requires that DPOs must have “expert knowledge of data protection law and practices”, which seems likely to mean that a DPO must have not only:
• sufficient expert knowledge of data protection law and practices (which in the case of many remote gambling operators will encompass not only the UK but also other EU member states); but also
• a sufficient level of technical proficiency to manage IT processes, data security and business continuity issues relating to the holding and processing of personal and sensitive data.
Such widely qualified and experienced people are going to be thin on the ground. Finding the right person for the job and setting up a workable structure are likely to present very considerable challenges, bearing in mind that DPOs:
• must act independently in performing their tasks and must not receive instructions on how to perform them, whether they are employed by the company or engaged under a service contract (somewhat easier to achieve in a large corporate set-up than in a small one);
• will need to have resources made available for creation of their own support team and fulfilment of their and their team’s own ongoing training requirements; and
• will be protected from dismissal or penalty for performing their role.
Gambling operators should therefore start planning their resourcing requirements very soon. In so doing, one of the most crucial decisions will be whether to appoint a DPO (or DPOs) from within their own employee base or, as will no doubt be the case with smaller operators, to outsource the role to a third-party provider of DPO services, which the GDPR expressly permits.
However, whichever option is pursued, it should be borne in mind that a DPO must have:
• access to the operator’s data processing personnel and operations;
• significant independence in the performance of their role; and
• a direct reporting line “to the highest management level”.
Either way, a DPO will have to ensure that any other tasks and duties they perform do not result in a conflict of interest. That said, it may be considered good business practice for a gambling operator to ensure that its DPO, its Compliance Director, its MLRO and its Marketing and IT teams work together as a combined governance group overseeing all privacy activities, so that no confusion arises as to who is responsible for what.
The “right to erasure”
The proposed strengthening of a data subject’s so-called “right to be forgotten” has been superseded in the more recent versions of the GDPR by a more limited right to erasure of their personal data without undue delay.
Where a data controller has made the personal data public and is obliged to erase it, an associated obligation is imposed on it to take reasonable steps to inform other controllers processing the data that the individual has requested erasure of any links to, or copies or replications of, the data in question.
This right is likely to require changes to operational processes and IT systems, but it will also cause issues for gambling operators in at least the two following respects:
(a) Customer self-exclusion:
Part 3.5 of the LCCP sets out requirements in relation to self-exclusion, including (in the case of remote gambling) the retention of records relating to a self-exclusion agreement for as long as is needed to enable the self-exclusion procedures to be implemented.
The LCCP also makes provision for participation in multi-operator self-exclusion schemes. This will also give rise to issues relating to the sharing of data.
What then is an operator to do if it receives a request from a self-excluded customer to erase their data? It may be thought that the overriding social responsibility obligations point towards a decision not to breach the LCCP, in which case, should:
i) a data controller be able to make a common-sense decision to retain only the information required for compliance with the LCCP?
ii) a licence-holder be able to avoid committing a data breach by obtaining explicit advance agreement from a self-excluding customer not to exercise their right to erasure and/or to allow their data to be retained for as long as is required to ensure compliance with the LCCP?
To answer the above questions, and to take account of potential litigants who will not hesitate to exercise their GDPR right to claim compensation from a gambling operator that does not handle their personal data correctly, it is essential that sensible and constructive discussion takes place sooner rather than later between the Information Commissioner’s Office (“ICO”) and the Gambling Commission. This would allow a practicable solution to be found whereby it is accepted that compliance with the LCCP constitutes a “legal obligation” (one of the grounds on which the GDPR disapplies the right to erasure) or an overriding legitimate ground for retaining the personal data in question.
(b) AML and other prevention of crime purposes
A similar issue will arise when a customer requests erasure of their data in circumstances where that data is processed to ensure compliance with the requirements of the Money Laundering Regulations or for other crime prevention purposes.
In circumstances where the request is made at a time when the gambling operator is contemplating, or has made, a report to the Police or the National Crime Agency (which replaced the Serious Organised Crime Agency in 2013) – whether in relation to AML concerns or, for example, an allegation of cheating under section 42 of the Gambling Act 2005 or otherwise related to the crime-prevention licensing objective – the position seems reasonably clear.
That is because the GDPR does not apply to the processing of personal data for national security activities or to processing by competent authorities for law enforcement purposes (the wording actually used is “for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”). It should be noted that this exclusion is framed around the competent authorities themselves. An operator holding data in connection with such a report will therefore more naturally rely on the GDPR’s own exceptions to the right to erasure, which preserve processing that is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims, and on any restrictions that member state law imposes for the prevention and detection of crime.
But what will be the position in relation to a request for erasure in circumstances where no such law enforcement situation has arisen?
The LCCP contains AML requirements that:
• remote and non-remote casino operators (who in any event fall within the ambit of the Money Laundering Regulations) should act in accordance with the Gambling Commission’s AML guidance (including in relation to customer information record-keeping); and
• all other gambling operators should take into account the Commission’s guidance on the Proceeds of Crime Act 2002.
So again, on the face of it, conflicting compliance obligations will arise. Here too it would be helpful to have specific guidance arising from liaison between the ICO and the Gambling Commission and, in this case, the police as well.
In light of the ICO’s greater focus within the last year on affiliate marketing of online gambling facilities, the position of affiliates once the GDPR, and the correspondingly updated Privacy and Electronic Communications Regulations (“PECR”) governing email and text marketing messages, are in force merits particular comment.
Social Responsibility Code Provision 1.1.2 of the LCCP requires operating licence holders to take responsibility for third parties. This includes responsibility for the conduct of affiliates that falls short of compliance with the same licence conditions and/or advertising and other codes of practice by which the operator is itself bound or for affiliates’ conduct that is otherwise inconsistent with the licensing objectives under the Gambling Act 2005.
Responsible operators will already have ensured that their contracts with affiliates clearly set out the requirements for such compliance and for compliance with both the Data Protection Act and PECR, bearing in mind that where the affiliate is using its own marketing list, the operator will in the majority of cases have had no pre-existing relationship with the recipient.
However, the ICO’s view is that, although an affiliate is using its own marketing list to make contact with individuals, the gambling operator whose gambling services are being promoted to those individuals will be regarded as having instigated that contact. As a result of this, where a breach occurs, both the gambling operator (as instigator) and the affiliate (as sender) can be held liable by the ICO. This situation will not be changed by the GDPR.
However, bearing in mind that a) the GDPR will be more protective of the rights of EU citizens and will impose a more robust reporting and financial penalty regime in relation to data breaches, and b) many affiliates are located outside the EU, the gambling operator will represent a closer target for enforcement purposes and contractual penalty and termination clauses will offer no practical assistance.
The consequences in relation to future affiliate marketing therefore need to be carefully considered and operators would be well-advised to:
• carry out rigorous checks on third-party marketing lists to ensure that direct evidence of valid consent, of the kind the GDPR will require for marketing activity conducted by the affiliate, can be produced; and
• obtain suitable warranties and indemnities from affiliates to back this up.
Major change is coming. Operators would be well-advised to start preparing now.