IN-DEPTH 2 June 2016
The GDPR and UK gambling operators
The incoming EU General Data Protection Regulation is set to have a significant impact, says Couchmans LLP Partner Nick White
By Nick White
There is currently no legal framework governing the EU-wide online gambling industry, with legislation being enacted and policed by individual member states. What there has been though is a growing realisation that a greater degree of co-operation is required to regulate online operators more effectively, and in late 2015 an EEA-wide arrangement was signed by Member States’ regulatory authorities. In terms of the security of personal data, this agreement referred to the EU’s existing data protection regulations (Directive 95/46/EC), dating from 1995.
Recognising that these data protection rules were significantly out of date, given the technological developments of the last two decades, the EU has pursued a significant overhaul of its data security policy.
In December 2015 the European Commission announced that, after four years of negotiations and discussions, agreement had been reached on the text of the new European General Data Protection Regulation (GDPR). This will replace the current Data Protection Directive in 2018.
The stated aim of the GDPR is to harmonise the current data protection laws in place across EU member states which, according to the European Commission, will remove unnecessary administrative requirements and save around €2.3 billion a year.
The new legislation will impact all companies handling personal data from European Union residents, and this will certainly include the European online gambling industry, superseding the terms of the 2015 co-operation agreement.
Importantly, and in a shake-up designed to address wider data security fears, the GDPR will have a significant effect on any online providers based outside the EU but processing EU residents’ data. The terms of the regulation apply extraterritorially to any company (termed as a data processor or a data controller) that offers goods or services to residents (termed as data subjects) of the EU.
The impacts this will have on online gambling operators are numerous, wide-ranging and too extensive to be listed here in their totality. There are, however, a number of aspects to the regulation that providers, and especially non-EU providers, should be aware of if they are to avoid falling foul of European law once it is implemented.
Firstly, an individual must be clearly notified that their information is going to be collected or processed, and for what specific purpose.
Secondly, operators will be limited in the length of time in which they can keep an individual’s data, and their identity must be transparent and clear.
Thirdly, operators will have to inform customers of the consequences of any ‘data profiling’ taking place and must also provide them with a way to access their data and withdraw consent for the use of their data.
Fourthly, operators will be required to notify data subjects within 72 hours of a data breach involving data that is not encrypted.
Finally, fines are significantly increased. The ceiling will rise to the higher of €20,000,000 or four per cent of an enterprise’s annual global turnover for the preceding year.
Not all of these requirements are completely new, but they will bring with them an inevitably heavy compliance burden, which will be felt especially by operators based outside of the EU. Although it is certainly not the intention of the legislators, in some cases the GDPR could even cause operators to seriously consider whether they should depart from the European gambling market entirely.
Such actions by online gambling providers in the face of increased regulation certainly have precedent. The most prominent example of this was when providers such as Mansion Poker and SBObet departed the UK market after the government introduced the Gambling (Licensing and Advertising) Act 2014 in October 2014, and imposed a 15% tax on the profits obtained from UK citizens playing online the following December.
Europe is a huge gambling market that no operator would turn its back on lightly. It is nonetheless possible that the level of regulation and the high potential fines carried by the GDPR could have an impact on the growth and international attractiveness of online gambling – which has been identified by the EU as a key growth industry. According to the EU’s own figures, in 2012 online gambling services represented more than 12% of the EU’s total gambling market, with annual revenues of over €10bn. Annual revenues in 2015 for online gambling are expected to have increased to €13bn.
The intention of the new legislation is of course to modernise the law and provide a level and type of protection to consumers and others that is appropriate to the current technological climate.
It will certainly achieve that. At the same time online gambling industry providers will, at the very least, now be starting to scrutinise their data policies and tech supply chains closely ahead of the 2018 implementation date. Non-EU operators in particular, who may currently sit outside the European data protection regime, will need to be thinking about the greater burdens that will be placed on them under the new legislation, and may indeed in some cases even be reviewing their continued presence in the European market.
Nick White is a Partner at specialist sports law firm Couchmans LLP and operates SportsDataProtection.com which provides advice to the sports and gaming industries regarding data policy and regulation