Data protection in online gambling

Online gambling businesses inevitably process personal data about their customers. Those based in the EU or offering services to individuals in the EU will be caught by the GDPR and, potentially, national data protection laws. As a heavily regulated sector, online gambling businesses also have to comply with laws in other areas, including in relation to anti-money laundering (AML) and fraud prevention. This can lead to confusion about which requirements take precedence.

EGBA Data Protection Code of Conduct

The European Gaming and Betting Association (EGBA) has published a Data Protection Code of Conduct for Online Gaming Operators. The EGBA is the Brussels-based trade association which represents a number of leading online gaming and betting operators in the EU and UK. It has developed the Code which applies to all EGBA members but is also open to other companies licensed in the EU and UK. The competent Supervisory Authority for the Code is the data protection authority in Malta who needs to formally approve the Code for it to become legally binding on signatories – a process expected to take up to two years. In the meantime, compliance will be monitored by an independent third-party monitoring body.

The aim of the Code is to provide sector-specific rules and best practices to ensure "the highest standards in data protection and GDPR compliance for the online gambling sector". It is also intended to reassure customers that their data is being properly handled. The EGBA says the Code goes beyond the GDPR to set out essential rules to enhance data portability rights, prevent and deal with data breaches and improve transparency.

To a large degree, the Code distils GDPR requirements into plain language and applies it to the online gambling industry, but it is helpful for operators where it deals with the relationship of the GDPR to other legal requirements and illustrates this in case studies. Having said that, there are areas when it is insufficiently detailed which could lead to confusion, so it is no substitute for looking at the legislation itself.

Sector-specific issues covered by the Code include:

Lawful basis

The Code suggests appropriate lawful bases for different processing operations:

• Account data – processing is necessary for performance of a contract to which the player is party.
• Compliance with AML and responsible gambling obligations – processing is necessary for compliance with a legal obligation to which the operator is subject.
• Steps needed to protect health and safety of a player (for example where the operator is informed there is a suicide risk and needs to inform the relevant authorities) – processing is necessary for a task carried out in the public interest, or processing necessary to protect the vital interests of the player.

Consent

The Code requires that operators do not make the supply of services conditional on player consent to data processing. It does, however, say that operators can incentivise consent, for example, to receive marketing emails about bonus promotions, provided there is no penalty for not consenting. It underlines that the lack of receipt of a reward or bonus does not constitute a penalty.

Legitimate interests

There are a number of operations the Code suggests can be based on legitimate interests of the operator subject to a legitimate interest assessment. They include:

• system testing and security measures
• detection of player account fraud
• analytics of trends and forecasting within the player database (assuming this is non-cookie based)
• call recordings for quality assurance and potential dispute resolution
• customer segmentation for promotions and direct marketing purposes – for example, knowing which customers are sportsbook as opposed to casino
• establishment of VIP status based on game history for the purpose of offering special benefits to customers
• chatbot to direct customer queries or requests to the relevant person.

Special category data

In general, operators should only hold special category (sensitive) player data in very limited cases. The example given is where a VIP customer provides details of a medical procedure they are having to their account manager. The Code asks whether the operator would need to retain that information and suggests that if they do, they may be able to get explicit consent (to satisfy Article 9) or rely on the fact that the individual has manifestly chosen to make the information public.

The example seems slightly far fetched and it's certainly debatable that telling an account manager something of that nature would be choosing to make the information public. It will be interesting to see what the Maltese DPA has to say about that section, but the overriding message is that there will be very limited situations in which an operator is processing special data.

Transparency

While the GDPR mandates transparency as to the type of processing being carried out and uses of the personal data, the Code cites several exceptions which are likely to apply. Operators do not have to disclose data processing operations where to do so might affect an ongoing investigation or the operators' legal obligations. This might include processing operations relating to suspected fraud or AML offences, or risk assessments and tax collection.

Data minimisation

The data minimisation principle – that no more data should be collected than is needed for a particular purpose – can seem to be at odds with other data collection requirements on operators. The Code comments that AML, terrorism financing (TF) and responsible gambling (RG) requirements, work "on a data maximisation principle" – operators need to collect and keep as much information as possible to be able to do a detailed analysis. In order to deal with this conflict, the Code says operators need to balance competing rights and regulators "should have in mind that operators must have flexibility in collecting and processing personal data in order to fulfil very extensive AML/regulatory obligations".

While this is true, the GDPR principle of minimisation is not as contradictory as the Code supposes. It requires that data should be "adequate relevant and limited to what is necessary in relation to the purposes for which they are processed". This does not exclude collecting large amounts of data where it is legitimate to do so, for example, because the operator is subject to a legal obligation.

Storage limitation

AML and other laws again require operators to keep customer data for specified periods of time which could be longer than customers might expect. The Code says data retention compliance requires an industry-specific approach, especially when determining the start of a retention period. Where accounts are closed at the customer's request or by the operator, the retention period will start at the point of closure.

Industry practice is to keep customer accounts open for indefinite periods, even where the account is inactive. This means that in order to comply with the storage limitation principle under the GDPR which says that personal data should not be retained for longer than necessary in relation to the purpose for which it is processed, operators need to clearly define when retention periods start. AML and other requirements may then define for how long the data is retained and this will vary across EU Member States. 

Sector-specific issues with giving effect to the right to erasure are related to those around data minimisation and storage limitation – in some cases, other laws may require that the data is retained for AML, RG and fraud checks. 

A particular concern for the EGBA is where a player has multiple accounts across a number of brands. While retention periods for one account may have expired, the data in that account may be relevant to analysis for AML purposes across other accounts. The Code suggests that where the brands are owned by the same company, the data should be retained and that retention periods in the case of multiple accounts begin when the last account is closed or becomes inactive. This would, however, require more detailed analysis as to what the data was originally processed for, who the controller is, as well as its ongoing use during retention periods.

Data portability

The Code goes into some detail as to how to give effect to the data portability right but reminds operators that it is limited in scope. It will include personal data processed on the basis of consent or which is necessary to a contract but will not cover, for example, analytics used to determine bonuses offered to players. This means that operators cannot guarantee a player porting their data to another operator will be offered equivalent bonuses.

Profiling and automated decisions

The GDPR gives individuals the right not to be made subject to a solely automated decision which produces legal or similarly significant effects on them. The Code suggests that an automated decision would have legal effect where it results in a player being subjected to surveillance by a competent authority. An automated decision might be said to have a similarly significant effect where it has potential to influence the circumstances, behaviour or choices of the player. While this seems a wide interpretation, the EGBA is right to take this approach given the sensitivities around online gambling and associated risks of harm.

Data sharing and transfers

Again, the Code emphasises that online gambling businesses may be subject to requests to transfer personal data to the police and other public bodies. It says that operators need to assess the validity of the requests but should act on them if they contain the minimum necessary information – an explanation of the reasons for requesting the data, specification of data requested and, where possible, a legal basis for requesting the data.

Operators will need to look at local law requirements in this area as well as at the GDPR.

Pseudonymisation

The Code reminds operators that pseudonymisation is a useful tool to help protect personal data but that the data remains personal data. It then goes on to say that pseudonymisation can, in some cases "totally reduce the risk of identification". This statement should be treated with some caution – where data is pseudonymised it remains personal data however much the risk of reidentification is reduced. It is only when data is anonymised that risk is totally reduced.

Case studies

The Code provides a series of case studies emphasising particularly relevant areas of the GDPR in each. It covers VIPs, problem gambling, direct marketing and fraud detection. While the case studies are not comprehensive, they are useful reminders of some of the key issues to consider.

What next?

It will be interesting to see whether the Maltese data protection authority requires changes before approving the Code which the EGBA itself sees as a "living document" subject to amendment. Compliance with the Code may help demonstrate GDPR compliance but will not guarantee it and areas of weakness mean online gambling operators should not treat it as definitive even if they are signed up to it.