October 11, 2021
The UK Betting & Gaming Council has joined Phase 2 of the Single Customer View ICO Sandbox. Read our latest update here.
The Commission has been working alongside the ICO to explore the challenges associated with achieving a “single customer view”. In February 2020 the Commission challenged the online gambling industry, represented by the Betting & Gaming Council (BGC), to explore and develop a “Single Customer View” (SCV) solution which could enable a holistic, cross-operator view of a customer’s online gambling behaviour and help reduce gambling harms in relation to those who hold accounts with more than one gambling company. Online gamblers hold an average of three accounts, with a significant proportion of younger gamblers holding more. Gambling Commission evidence also indicates an increased risk of harm among those customers who take part in multiple gambling activities.
The Commission says that a SCV, which could take various forms, is an ambitious and complex undertaking, and it is therefore critical that the concept is properly considered and tested through the lens of data protection law.
In November 2020, the Commission was accepted into the ICO’s Regulatory Sandbox, which the ICO designed to support organisations who are creating products and services that utilise personal data in innovative and safe ways for public benefit.
The aim of the SCV Sandbox was to: (i) establish whether there is an appropriate lawful basis under Article 6 of the UK General Data Protection Regulation that allows for the sharing of behavioural data between online gambling operators via a SCV, including the examination of existing legal gateways; and (ii) consider the processing of special category personal data and the appropriateness of Article 9 conditions for processing under the UK GDPR.
The ICO has now published its Regulatory Sandbox Phase 1 outcomes report. The ICO found that the sharing of behavioural data between gambling operators in order to identify individuals who may be at risk of gambling related harms via a SCV may be lawful under Article 6 (1)(e) “Public Task” or Article 6 (1)(f) “Legitimate Interests” of the UK GDPR:
- “Public task” requires there to be a basis in law, for the gambling operators to share the data for the SCV, and for that sharing to be carried out in the public interest; this does not require there to be a legal obligation, but there must be a domestic law from which this processing originates; while it is satisfied that this condition may apply, a further analysis of the specific circumstances will be needed (once the SCV has been further developed) to ensure the sharing is necessary and proportionate to meet those aims; and
- “Legitimate Interests” encompasses the interests of a number of parties including those individuals at risk of problem gambling, the interests of gambling operators in meeting their legal requirements and those of society at large; these must be balanced against the interests and fundamental rights and freedoms of all the data subjects whose data may be shared; again, it is satisfied that this condition may apply, but as the SCV is developed, a further analysis will be needed to consider how this condition applies in the specific circumstances;
Both lawful bases outlined above would provide a discretionary gateway to the processing. Both require an assessment of the proportionality of the processing when the benefits to those individuals who are at risk, are balanced against the potential detriment to all the data subjects whose data will be shared in connection with the SCV, and both allow for data subjects to object.
Should changes be made to gambling legislation, or if in the future the Commission inserted a new requirement into the Licence Conditions and Codes of Practice (LCCP) about implementing the SCV, gambling operators may rely on Article 6(1)(c) “Legal Obligation” of the UK GDPR as the lawful basis for processing.
It is likely that some elements of the data proposed to be processed via a SCV may qualify as special category data. As processing special category data requires an Article 9 condition in the UK GDPR, it is good practice to identify this potential condition as early as possible, because the UK GDPR prohibits the processing of special category data without an Article 9 processing condition. The ICO considers Article 9 (2)(g) “processing is necessary for reasons of substantial public interest” may be appropriate.
In addition, Schedule 1, Part 2, Paragraphs 18 “Safeguarding of children and individuals at risk” or 19 “Safeguarding of economic well-being of certain individuals” of the Data Protection Act 2018 may be appropriate substantial public interest conditions to enable reliance on Article 9(2)(g), but the applicability of these conditions will depend on the particular SCV model which is developed by industry.
For any processing to be lawful, all data protection principles outlined in Article 5 of the UK GDPR need to be complied with alongside other aspects of the UK GDPR, such as Article 25 data protection by design and by default. As explained in the ICO guidance, lawfulness also means that you do not do anything unlawful in a more general way, which includes non-compliance with statute and common law obligations whether criminal or civil.
The Commission stresses that a conceptual model for a SCV was considered for the purposes of the Sandbox, and the ICO’s view may be subject to change as the SCV solution is developed.
The Commission welcomes the ICO’s report, but acknowledges that there are still plenty of issues and complexities that need to be addressed as part of a pilot phase of work. At this stage the Commission has no plans to mandate a particular SCV solution, saying that that is for industry to develop and test, but it does expect industry to demonstrate the impact its piloted solution has against the challenge it set.
The Commission now expects industry to move swiftly towards trialling its SCV solution and invites it to do so in collaboration with the Commission and the ICO, within a Sandbox environment. To read the Commission’s update in full and for a link to the ICO’s report, click here.