Op-ed: Data regulation and why it will continue to keep gaming lawyers busy
The GDPR was making life complicated for gambling companies operating in multiple markets before Brexit and the end of the transition period threatens to add to the problem. Now, an industry-specific code from the EGBA is here to offer some support.
* This article appeared in the International Masters in Gaming Law Spring newsletter.
Personal data has in many ways become the new global currency for companies operating in the online world. But alongside growing commercial interest in the personal data of consumers have been increasingly vocal privacy concerns from inside EU policy circles. Questions are being asked about whether companies are using personal data ethically, in the consumer’s interests and with respect for their right to privacy. Several well-publicised global scandals involving data breaches, hacks and the harvesting of data have underlined the growing risk of data abuse and encroachments into consumer privacy.
In response, policymakers in the European Union and elsewhere took notice and began to develop various data compliance regulations. This culminated in 2018 with the implementation of the EU’s General Data Protection Regulation (GDPR), a ground-breaking moment in establishing standards and accountability as to how companies should process, store and use the personal data of consumers. Not only is the GDPR a landmark achievement in terms of data protection regulation in the EU, but it is also the most far-reaching regulation anywhere in the world, with implications far beyond the EU’s borders.
The GDPR was designed specifically to protect the privacy of EU consumers and give them more control over how their personal data is used by third parties. This required government agencies and private companies who have customers in the EU to update their internal data protection policies bringing them into line with the EU’s new flagship data protection policy, a move affecting hundreds of thousands of companies and over 500 million consumers.
GDPR and online gambling
As with every other sector, the online gambling sector is covered by the GDPR and companies are required to comply with the regulation in addition to other data protection requirements contained in national laws or licensing requirements. Yet the myriad of national regulations for online gambling in the EU, and the countless companies who operate in more than one EU country, have rather complicated this task.
Faced with the sheer complexity of the new regime, the European Gaming and Betting Association (EGBA) developed an industry code of conduct to help online gambling companies apply the GDPR effectively. The Code Of Conduct On Data Protection In Online Gambling, published in 2020, is one of Europe’s first sectoral codes on GDPR. It contains sector-specific rules and best practices and reflects the commitment of our members to promote the highest standards in data protection and GDPR compliance in the online gambling sector.
The code aims to improve transparency for customers as to how their data is used and kept secure. To offer practical guidance to companies, the code also includes case studies explaining how the principles of GDPR should be considered and applied by gambling companies in certain sector-specific scenarios – such as addressing problem gambling and fraud detection.
In accordance with Article 40 of the GDPR, which encourages the use of sectoral codes of conduct to support application of the regulation, the Code Of Conduct On Data Protection In Online Gambling has been submitted for formal approval by the EU data protection authorities as an official, approved and recognized industry code which applies the GDPR.
The code has been submitted for review by selected national data protection authorities (DPA), led by Malta, which will consider if the code properly applies and is congruent with the GDPR. The Maltese DPA will then notify the European Data Protection Board (EDPB), the EU-level authority for data protection, about the code and its recommendation as to whether the code should be approved. This approval process could still take up to two years.
Enforcement is vital for self-regulation
During the approval process, the code is considered as a draft even though our member companies are already applying its principles in their day-to-day operations. The code will be deemed fully applicable and enforced only after its approval by the Maltese DPA. After this, the code will become legally binding for its signatories and will be monitored and enforced by an independent third-party monitoring body. The monitoring body will check compliance of the signatory companies with the requirements contained in the code. Monitoring and enforcement are vital to ensure the effectiveness of self-regulation and, in the event of continuous violations of the code’s requirements, the monitoring body may decide to suspend the gambling company or revoke its status until it complies with the code requirements.
Benefits of the code
Any online gambling company based in the EU/EEA can adhere to the code and there are many advantages in doing so. As per the GDPR, adhering to an approved industry code is considered a factor in demonstrating a company’s compliance with the GDPR and is taken into account as a mitigating factor by any relevant national DPA when deciding upon enforcement actions resulting from breaches of the regulation. In practice, compliance with an industry code would, for example, lead to a reduction in the level of financial penalties a company would need to pay if found to be in breach of GDPR. In such a case, being part of an industry code could potentially save a company € millions.
As a pan-European initiative, the code establishes a consistent set of principles which will help online gambling companies to achieve a harmonised application of the GDPR across their entire EU-based operations, in addition to their compliance with national data protection laws. This would, for example, be particularly useful for online gambling companies who operate across several EU countries, as well as for national DPAs and gambling authorities, by establishing an industry benchmark.
To ensure the code is future proof, it can be amended in the future to respond to legislative and technological developments on data protection.
Brexit uncertainty over data transfers
The Brexit transition period expired on 1 January 2021 and the UK is now considered a third country under the GDPR. UK companies without a legal establishment in any EU country are required to appoint a GDPR representative in the EU if they wish to process personal data of consumers located in the EU (regardless of their citizenship) in a way that falls within the extraterritorial scope of the GDPR.
In the short-term, the EU and UK trade agreement provided for an additional transition period of six months concerning the transfer of personal data between the two jurisdictions. Therefore, until the end of June 2021 there will not be any changes to the current arrangements governing data transfers. However, the future of UK-EU data transfers lies with the approval, or not, of a future data adequacy decision by the EU.
As per Article 45 of the GDPR, this involves the European Commission deciding whether UK laws offer a sufficiently adequate level of data protection compared to EU standards. The Commission’s decision process requires input from the EDPB and approval by EU countries. The European Parliament and the Council can request the European Commission to maintain, amend or withdraw the adequacy decision.
The adequacy decision for the UK is currently being discussed and, if approved, it would mean data transfers will continue to flow freely between the two jurisdictions without any further safeguards being necessary. This would be the best outcome both for online gambling companies and regulatory authorities and we fully support an adequacy decision being made which maintains the current data protection standards. As the UK has already transposed and implemented the GDPR we see no valid reason (political considerations aside) as to why the UK’s data adequacy would be rejected.
If an adequacy decision is not reached, then gambling companies transferring data from the UK to the EU will need to review their contracts involving transfers of data and introduce additional legal safeguards when transferring data to the EU. Such safeguards may include using EU standard contractual clauses, establishing Binding Corporate Rules or participation in an approved industry code of conduct on data protection such as The Code Of Conduct On Data Protection In Online Gambling.
We therefore encourage UK-based gambling companies with customers or operations in the EU to join our industry code. GDPR-compliance will remain vitally important for these companies with or without a future agreement on the transfer of personal data between the EU and UK.
One thing is for certain: even if there is a data adequacy decision, it will not be the end of the matter. Every year, the adequacy of a third country’s level of data protection must be assessed, and the situation regarding the EU’s adequacy decision for the United States, the so-called “Privacy Shield”, should act as a warning as to the vagaries of the system. After one such assessment, last July, the US adequacy decision was declared invalid by the Court of Justice of the European Union. An adequacy decision is not permanent, is subject to annual review and can be invalidated.
The issue of data transfers is not going to go away anytime soon even with an adequacy decision and the possibility of political manoeuvring and data divergences cannot be ruled out in the coming years. What we are seeing are just the early days of data regulation and the topic will keep data protection officers and lawyers busy for the foreseeable future.
Daniele Perrone, Legal Advisor
European Gaming and Betting Association (EGBA)
- Draft Code of Conduct on Data Protection in Online Gambling
- Q&A: EGBA’s Code of Conduct on Data Protection in Online Gambling
- A video presentation of the Code
About the European Gaming and Betting Association (EGBA)
The European Gaming and Betting Association (EGBA) is the Brussels-based trade association representing the leading online gaming and betting operators established, licensed and regulated within the EU, including bet365, Betsson Group, Entain, Kindred Group, and William Hill. The Swedish Trade Association for Online Gambling (BOS) is also an affiliate member. EGBA works together with national and EU regulatory authorities and other stakeholders towards a well-regulated and well-channeled online gambling market which provides a high level of consumer protection and takes into account the realities of the internet and online consumer demand. EGBA member companies meet the highest regulatory standards and have 145 online gambling licenses to provide their services to 16 million customers in 17 different European countries.