A gambling service can neither start to exist nor survive without comprehensive data collection and generation procedures. The entire relationship between a player and an operator, from its very inception upon registration, is entirely based on the collection and generation of data.
Most of the time, the collection and processing of data is tantamount to a legal obligation imposed on the operator by the various legislative instruments to which they are subject. Amongst other obligations, operators are required to collect and process player data for the purpose of verifying their identity, and for monitoring their gambling history and activity in the context of the entire player portfolio in order to identify whether or not that player is at risk of developing a gambling problem. In other instances, the processing of this data is carried out in the business interests of the operator, such as marketing, customer retention and product improvement.
It came as no surprise, therefore, that the entry into force of the GDPR in May 2018 ignited as much panic as it did interest amongst the industry. The GDPR largely replicated existing provisions within the Data Protection Directive, however this time, the Regulation placed a new and increased focus on enforcement, and the envisaged fines were enough to cripple any operation. The indirect effect of a negative ruling by a data protection supervisory authority was that it could very well effect the good standing of a licensee with the jurisdictions in which it is licensed to operate as a gaming operator. At first glance, the GDPR seemed to be inundated with requirements which ran counter to the obligations imposed on operators under gaming legislation. With a view to attempting to resolve this impasse, the Maltese gaming regulator (Malta Gaming Authority) collaborated with the local data protection supervisory authority (Information and Data Protection Commissioner - IDPC) to draw up practical guidelines relating to the application of the GDPR to the industry, aimed at all operators who identified the IDPC as their lead supervisory authority. Not only were the guidelines well received by operators, but one year on it can be said that most operators have woven the requirements of the GDPR within their operations, and talk of tensions between the regulatory obligations is no longer on the agenda.
However, talks of the upcoming e-Privacy Regulation are once again inducing panic amongst the gaming industry. The specific legislation is expected to impact all operators offering their services online and will expand upon the already-burdensome GDPR. Being a Regulation, all EU Member States will be obliged to transpose and enforce it within the stipulated timeframes. It is yet to be seen whether the e-Privacy Regulation itself will largely replicate the justifiable legal bases for processing envisaged within the GDPR, or whether it will leave operators scrambling for new legal bases to justify their operations. Any tensions between the GDPR and the e-Privacy Regulation, and between the new privacy framework and gaming regulatory legislation could have the undesired effect of exposing the players both from a data protection perspective and from a player protection angle. It is imperative that gaming and privacy regulators with consumers at the heart of their regulation, collaborate to shed light on the application of the upcoming Regulation to an online gaming operation, and should encourage open dialogues and the sharing of best practices between all stakeholders. The Maltese regulators’ proactivity in this regard augurs well for the publication of future guidance, yet there is an argument to be made that pan-European legislation is best accompanied by pan-European guidance notes specific to the individual industries. The lack of harmonisation of the gaming sector should not impede collaboration between European regulators in the creation of industry guidance notes that ultimately contribute towards increased player protection.
Article provided by: Dr. Yanica Sant (MITLA, Malta)