This article was first published in Online Gambling Lawyer, Volume 16, Issue 10.
With the EU’s General Data Protection Regulation (‘GDPR’) entering into force on 25 May 2018, the UK published in September 2017 its draft Data Protection Bill (the ‘Bill’), which addresses how the UK will introduce areas of the GDPR into national law where the GDPR allows scope for variation between Member States, while also addressing other aspects of data protection besides the measures within the GDPR. Patrick Rennie of Wiggin LLP provides here an analysis of the draft Bill – reading it alongside the GDPR itself – and what it means for the gambling sector, identifying areas of interest such as around transfers of personal data and territorial application.
On 25 May 2018 Regulation (EU) 2016/679, better known as the General Data Protection Regulation or the ‘GDPR,’ will come into force across the EU. Whilst the GDPR will have direct effect – meaning that it will automatically become law in each Member State without the need for implementing legislation – there are many areas that have been left for Member States to implement as they see fit. For this reason, each Member State will need to introduce legislation alongside the GDPR and last month the UK published the draft Data Protection Bill. Additionally, the Bill seeks to address data protection in a post-Brexit world.
Before looking at the Bill and any implications that it will have for the gambling sector, there are a couple of general points to note on the Bill. The first is that the Bill is in draft form only. This means that it will be subject to change before being approved by Parliament and as such any observations in this article must be qualified by the Bill’s draft status.
The second observation is that the Bill, even by legal standards, is not an easy read. It cross-refers to the relevant articles of the GDPR, meaning that in order to read it properly one needs a copy of the Bill, the GDPR and, ideally, the Rosetta Stone! And so, with the relevant legislation to hand and following a trip to the British Museum, this article will look at the Bill as well as the GDPR with a view to identifying some of the most significant changes coming about next year and how these will affect the gambling industry.
The key elements of the Bill that will impact the gambling sector relate to the territorial application of the Bill, particularly post-Brexit; the rules around transferring personal data outside of the UK; the rights of data subjects; and the exemptions to processing. The Bill doesn’t necessarily introduce changes to the GDPR in relation to each of these areas; however, given their importance to the gambling sector it will be important to identify what the situation is under the Bill even where it repeats the rules set down by the GDPR.
It should also be noted that some of the most significant departures from the GDPR that the Bill introduces relate to the threshold at which children can consent to their personal data being processed and the right for 18 year olds to have their previous online processing deleted. As these will not be relevant to the gambling sector – at least one hopes that this is the case – these changes will not be examined further.
One of the key changes that the GDPR will bring into force relates to the GDPR’s territorial scope. Article 3 sets out that the GDPR will apply to the processing of personal data by controllers and processors established in the EU, but also that the GDPR will apply to controllers and processors not established in the EU where the processing activities relate to the offering of goods and services to data subjects in the EU. The second element of this territorial application brings about something that operators should be very familiar with: a ‘point of consumption’ test.
Putting the Bill aside for one moment, the application of the GDPR as set out in Article 3 would mean that any operators based outside of the EU (which will soon include the UK) but who offer goods and/or services to data subjects in the EU would be required to comply with the GDPR. Because of this, any operators or B2B providers who process personal data of players in the EU will need to remain mindful of the GDPR both before and after Brexit and regardless of the Bill. The Bill addresses territorial application in Section 186. The effect of this Section is to repeat Article 3 of the GDPR vis-à-vis the UK, meaning that controllers and processors established in the UK, or those established outside of the UK but who offer goods and/or services to data subjects in the UK, will be captured by the Bill. This clarification, whilst expected, does confirm that any licence holders in the UK will be required to comply with the Bill regardless of whether they are based off-shore or established in the UK. The definition of ‘established in the UK’ is set out in Section 186(6) and includes: ‘a body incorporated under the law of the United Kingdom or a part of the United Kingdom […] a person not within [the foregoing] who maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom.’ Section 186 goes on to state that a corresponding meaning will be used for entities established in another country.
The definitions of establishment leave a great deal open to interpretation, especially where an organisation has a large corporate structure operating in numerous territories. As such, it is advisable that an organisation considers from the outset whether or not it is likely to be established in the UK for the purposes of the Bill as well as examining other applicable establishment rules (such as those set out in Article 3 and Article 4 of the GDPR).
Rights of Data Subjects
One of the biggest changes brought about by the GDPR is the introduction of a right to data portability in Article 20. This grants data subjects the right to request that personal data held by one controller is transferred (by that controller) to another controller. The effect of this is to introduce a system, similar to banking and utilities, whereby data subjects could request that a service provider essentially set the data subject up with a competitor.
The implication of this for the gambling sector – where many players have accounts with multiple operators – is arguably greater than for most sectors. The practical implication is also that operators (and B2B providers) would have to have systems in place to easily ‘port’ personal data to other operators.
Recital 68 of the GDPR does clarify that the right to data portability will not create an obligation on controllers to maintain processing systems which are technically compatible. This would suggest that the right to data portability is qualified by technical feasibility. However, Recital 68 also states that controllers are encouraged to implement interoperable formats. It is therefore unclear as to how far a controller needs to go to ‘port’ personal data upon request before it can argue that it is not technically feasible.
Unfortunately, the Bill has shed little light on the right to data portability. In fact, the Bill, whilst still incorporating the right, does not include any additional information about how this right will operate in practice. This leaves controllers in the dark as to the expected cost and effort to be put in to give effect to this right.
More information, however, is given in the Bill in relation to the right of a data subject to access personal data processed about them, commonly known as a subject access request. Subject access requests have existed under current data protection legislation for many years and currently allow controllers 40 calendar days to respond to such a request.
The Bill, however, has shortened this response time to ‘one month’ (the same timeframe as for portability), meaning that a controller may have only 28 days to respond to a subject access request (and at most 31 days). The Secretary of State can extend this timeframe up to three months, but at present controllers will need to be even more vigilant when it comes to responding to subject access requests.
Subject access requests are an area that operators will need to fully understand both currently and under the GDPR/the Bill. Increasingly subject access requests herald that a complaint is likely to be made by the requestor – a complaint which could be directed to either the ICO or, of course, the Gambling Commission. Whilst it is proper and right that individuals should be able to obtain information that controllers process about them, controllers will need to ensure that each request is dealt with in a prompt and considered manner to avoid further inflaming what may be an already delicate situation.
Some aspects that the Bill was required to address by the GDPR were those areas of the GDPR where processing would be exempt from complying with (all parts of) the GDPR. This is laid down in Schedules 2, 3 and 4 of the Bill. Broadly speaking, the exceptions laid down in the Bill replicate those currently included in the UK Data Protection Act 1998. From this perspective, the Bill is conservative in its approach to filling in the gaps of the GDPR, but such conservatism will likely stem from the fact that the existing regime works well.
There are a number of exemptions set out in the Bill but the most relevant to the gambling sector are those exemptions for processing personal data for the prevention of crime, the apprehension or prosecution of offenders, disclosures made in accordance with the law or a court order, and disclosures that relate to legal proceedings (including, importantly, prospective legal proceedings).
These exemptions will generally relate to processing carried out by public authorities, such as the police and the courts, but they could apply directly to operators and B2B providers where information about customers needs to be disclosed as part of an ongoing investigation. Additionally, they mean that controllers will not be obliged to disclose information to data subjects which could prejudice an investigation or legal proceedings. These exemptions make sense and, whilst it was not expected that the Bill would bring about any significant reforms to these exemptions, it will be a relief to controllers that the existing regime has broadly been kept in place in this regard.
Transfers of Personal Data
With the UK leaving the EU, one burning question related to the transfer of personal data from outside of the UK. The Bill has not specifically addressed the transferring of personal data and instead the rules from the GDPR will be effective – namely that personal data cannot be transferred to a non-EU territory unless there is adequate protection in place (or freely given consent, but this is not a viable solution for systematic transfers). Adequate protection is generally classed as transferring to non-EU EEA countries (Iceland, Liechtenstein and Norway), certain white-listed countries (including Guernsey, the Isle of Man, Israel, Jersey and Switzerland), or where certain instruments are in place to govern the transfer (such as Standard Contractual Clauses or Binding Corporate Rules).
One suspects (and hopes) that as the Bill evolves the rules around transferring personal data from the UK to the EU will be more clearly addressed, but at this stage organisations should continue to apply the rules that are currently in place with regard to non-EEA transfers.
One imagines that the UK will aim to finalise an arrangement with the EU that will expressly permit the flow of personal data from the UK to the EU and vice versa, but with political progress on Brexit moving so slowly one cannot confidently second guess any arrangements at which the two blocs will arrive.
The Bill is a complicated piece of legislation that aims to do several things in a uniquely complicated political climate. The approach taken in drafting the Bill is one of conservatism, although with so much uncertainty around Brexit it makes a lot of sense to try to plug the gaps of the GDPR with a familiar and functioning structure.
Those in the gambling sector should note first and foremost the ‘point of consumption’ test set down for the territorial application of the Bill. This will mean that the Bill will apply to those licenceholders in the UK. The GDPR may also apply, so multinational operators and B2B providers will need to keep an eye on how the Bill and the GDPR develop in the coming years as any deviation could have profound effects on their processing activities. What is certain is that until the Bill is finalised and until the Brexit process has been agreed, companies will need to keep an eye on how data protection regulations evolve and develop over the coming months to ensure that they are prepared for whatever regime ultimately comes into force.