Schrems II
As we reported in July 2020, the Schrems II decision has raised difficult questions regarding whether personal data can be lawfully transferred from the EU to the US. The Privacy Shield is no longer a valid basis for the transfer of data from the EU to the US. While the use of standard contractual clauses (SCCs) may still be valid, if supported by appropriate supplemental measures, there is uncertainty as to what supplemental measures would be sufficient. The European Data Protection Board has issued limited guidance on the steps which need to be taken to support the transfer of personal data to the US. The European Commission is discussing a possible replacement to the Privacy Shield with the U.S. Department of Commerce. In the meantime, privacy campaigners have filed complaints with European data regulators in respect of companies which share customer data with Google Analytics or Facebook Connect (on the basis that any such data is being transferred into the US). The Irish data regulator has issued a preliminary order requiring Facebook to stop transferring personal data to the US; Facebook has appealed, indicating that if the order is upheld, then it would stop operating its core FB app and Instagram in Europe.
Gambling companies will be closely following these developments, not least because the Schrems II ruling has implications for all data transfers outside the EU (other than to countries which currently benefit from an adequacy decision, such as Canada and Israel). Data transfers to the UK from the EU may be impacted after 31 December 2020, if the UK does not receive an adequacy decision from the EU prior to the end of the Brexit transition period.
Draft guidance on joint controllers
There have been a number of other recent developments relating to data protection. In September 2020 the EDPB published draft guidance on the concepts of controllers and processors for the purposes of GDPR. This touches on the circumstances in which parties will be deemed to be joint controllers. The guidance does retain the concept that parties may be independent controllers rather than joint controllers; however, it indicates that parties will be deemed to be joint controllers where either (a) they make common decisions regarding whether and how the processing takes place, or where (b) they make converging decisions regarding the purposes and essential means. Converging decisions are those where the decisions of the parties complement each other and are necessary for the processing to take place. An important criterion is that the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked. The consultation period on this draft guidance runs until 19 October 2020.
ICO guidance on AI and data protection
In July 2020 the ICO published guidance on AI and data protection. This builds on the ICO's previous guidance, and addresses the importance of preparing DPIAs, as well as the security risks posed by the use of AI (i.e. the risk that the large amounts of personal data required to train AI systems may be lost or misused; and the risk that software vulnerabilities arise from the introduction of new AI-related code and infrastructure).
General regulatory focus on vulnerable customers
In its Annual Report for 2019-20, the ICO briefly mentioned that it is involved in the UK Regulators’ Network’s work on how vulnerable people are protected across a range of sectors and services, and that the ICO had supported the Gambling Commission’s work on protecting vulnerable consumers in the gambling sector, ensuring that data protection was factored into new proposals. This reflects an increased focus on vulnerable consumers across a range of sectors (for example, the FCA published revised draft guidance on the fair treatment of vulnerable customers in July 2020, which guidance as to when it may be lawful to process special category data relating to vulnerable individuals).
EGBA code of conduct
The European Gaming and Betting Association (EBGA) has published a code of conduct designed to guide online gambling operators on their processing obligations under the General Data Protection Regulation (GDPR). The EGBA intends for this code to become an EU-approved code of conduct under Article 40 of GDPR, and the code has now been submitted to the Maltese data regulator as the first step towards receiving official EU approval. The EGBA Code aims not simply to be guidance or best practice for the industry, but a fully-fledged code of practice with a monitoring framework, accredited in accordance with Article 41 GDPR. For a more detailed look at the legal status and scope of the EGBA's code, see our June article, "The EGBA publishes code of conduct on data protection in online gambling". Although the EGBA Code has not yet received EU approval, it indicates a "direction of travel" for the sector, and gambling operators (whether EGBA members or not) would be well advised to carry out an internal review and ascertain whether they are already in compliance with the Code, and, where not, consider possible changes to how they run operationally.