June 21, 2019
The amount of customer data held by gambling operators is at an all-time high and continues to grow as technology evolves and AI develops. Capturing useful personal data clearly provides advantages for responsible gambling initiatives, but how does this line up with data privacy laws?
The introduction of GDPR has meant that data protection laws have become tighter than ever before, and this has created potential hurdles to the implementation of responsible gambling initiatives seeking to protect customers. High-profile cases, such as Facebook and Cambridge Analytica, have brought the data discussion to the forefront both within the legal sector and more broadly in public forums.
The Commission’s view
The Commission has clearly expressed its position on GDPR by arguing that it is not there to prevent operators from acting in the public’s interest, nor should it prevent an operator from complying with its requirements under a gambling regulatory licence. Operating licences contain conditions which require operators to put into effect procedures to: (i) allow for self-exclusion; (ii) prevent money laundering; and (iii) combat problem gambling. In order for operators to comply with these provisions they will need to obtain and process personal data, as well as retain data for a reasonable period, including so that they can evidence compliance to the Commission in the event of an investigation.
AI v Data Protection
Data that is collected and shared amongst like-minded operators aiming to raise standards has the potential to be significantly more valuable than when used in isolation. For example, GAMSTOP lets customers put controls in place to restrict their online gambling activities and enables operators to check whether a player has voluntarily registered for the scheme. It is hoped that the introduction of GAMSTOP will improve customer protection standards in online gambling in Great Britain.
However, in order to use personal data for responsible gambling initiatives based on automated decision-making, operators must identify one of six legal grounds under GDPR. Operators must also satisfy further conditions where the use involves ‘special categories’ of personal data, such as information about a customer’s health, which includes information about gambling addiction. Ensuring compliance with data privacy laws has led some operators to resort to excluding elements of personal data from automated decision-making processes, which noticeably undermines the effectiveness of the responsible gambling initiatives. The Information Commissioner’s Office (ICO) recognises that applications of AI are “starting to permeate many aspects of our lives”, and as a result AI has been named as one of its top three strategic priorities. In March 2018, the ICO invited organisations to provide input on the development of an auditing framework for AI.
At a time when operators are under regulatory pressure to use data to protect consumers, operators should be careful to avoid an inadvertent own goal.