The European Gaming and Betting Association (EGBA) has published a code of conduct designed to guide online gambling operators on their processing obligations under the General Data Protection Regulation (GDPR). The EGBA intends for this code to become an EU-approved code of conduct under Article 40 of GDPR, and the code has now been submitted to the Maltese data regulator as the first step towards receiving official EU approval. This is one of the first sector-specific initiatives in the EU under Article 40 GDPR, which encourages the use of sectoral codes of conduct to support the practical application of the GDPR within specific industries.
The EGBA Code aims not simply to be guidance or best practice for the industry, but a fully-fledged code of practice with a monitoring framework, accredited in accordance with Article 41 GDPR. The proposed monitoring body is an independent third party and is required to (among other things):
- review and approve declarations of adherence by operators;
- regularly monitor whether the operations of the members are in accordance with the EGBA Code; and
- review and handle complaints about infringements of the EGBA Code.
If approved, it will be one of the first ever self-regulatory initiatives for any industry's compliance with GDPR. The EGBA Code's objective is threefold:
- to provide guidance to online gambling companies on how to apply the GDPR;
- to foster trust with customers and improve transparency on how their data is used; and
- to assist online gambling companies in achieving a harmonised application of the GDPR, taking into account the practical and specific characteristics of processing within the online gambling sector.
What is a code of conduct under GDPR?
A code of conduct is a voluntary accountability tool, prepared by associations or bodies, enabling controllers or processors within their sectors to demonstrate compliance with the GDPR. It comes with assurance from the relevant national Data Protection Authority (DPA) that the code and its monitoring are appropriate (and, where a draft code of conduct relates to processing activities in several Member States, it must be subject to an Opinion from the European Data Protection Board (EDPB), and other national DPAs may also review the draft code).
Examples of code drafters may include: an association/consortium of associations or other bodies representing categories of controllers or processors; sectoral organisations; trade or representative associations; academic associations; or interest groups.
What is the scope of the EGBA Code?
If it receives EU approval, the EGBA Code would be applicable in all EU/EEA countries. It would apply to all EGBA members and be open for signature by other online gambling companies that are licensed in these countries. In this respect, the UK's Information Commissioner's Office (ICO) has previously noted that, while signing up to a code of conduct is voluntary, "if there is an approved code of conduct, relevant to your processing, you should consider signing up".
The EGBA Code covers all types of processing of the personal data of customers in the online gambling sector, but not the processing of personal data in the context of: (i) the company-employee relationship; or (ii) offline activities, for example, in bricks and mortar gambling establishments.
What is the status of the EGBA Code?
For the purposes of Article 40 GDPR, the EGBA Code is a draft code, and must go through a review process before becoming an approved code of conduct for GDPR purposes. As the first stage of the approval process, the EGBA Code has been submitted to the Maltese DPA - the Office of the Information and Data Protection Commissioner (IDPC) - for approval. It is possible that other national DPAs may opt to become involved in the review process, as co-reviewers alongside the IDPC. If approved, the IDPC will submit the draft EGBA Code to the EDPB for its Opinion on whether the draft code complies with the GDPR. The EGBA estimates that this process may take 18-24 months. Until that approval process is finished, it is important to note that the EGBA Code does not have formal status.
Given that this is one of the first times that a specific industry sector has sought approval for a GDPR code of conduct, it will of course be interesting to see the extent of any comments and feedback which emerge from the review process. It also remains to be seen whether any other national DPAs opt to become involved in the review process alongside the IDPC. The UK's ICO may have been interested in contributing to this process, given previous dialogue between the Gambling Commission and the ICO regarding data protection issues within the sector. However, the rapidly approaching end to the Brexit transition period may limit the ICO's involvement.
What guidance does the EGBA Code provide?
The online gambling sector presents some unique data protection issues upon which there has been little guidance to date. For example:
- how companies should establish player accounts for “VIP” customers in a way which respects privacy and the use of personal data;
- how companies should balance a customer's privacy and data protection rights against the need to protect them from problem gambling; and
- appropriate measures to prevent fraud and ensure data is used to comply with applicable laws.
Through the use of case studies (see pages 44-48), summaries and examples of good practices, the EGBA Code addresses these specific features of the online gambling sector, providing companies with clarity on areas where practical guidance regarding GDPR implementation is needed, as well as ensuring that customers are reassured that their personal data is used appropriately.
To take one of the above examples, when setting up a VIP scheme for loyal players, the EGBA Code notes that a gambling operator should consider four specific issues:
- Profiling: Where the operator is undertaking profiling to identify those that may be suitable for any VIP scheme, it should consider its legal basis for processing carefully. The EGBA Code notes that an operator will likely want to rely on legitimate interests as its lawful basis for such profiling. If doing so, the operator must carry out a legitimate interests impact assessment to assess the balance between its business interests in setting up the scheme and selecting VIPs, and the privacy rights of such players.
- Special Category Data and Proportionality: Where VIPs are allocated dedicated account managers, those account managers will need to receive appropriate training to ensure that, if processing any additional personal data which may be categorised as sensitive (e.g. relating to ethnicity or other such data), particular care is taken and that there is a legal basis to do so.
- Security: In line with the above, if significant additional information is being provided by a VIP, more robust access controls may need to be put in place to limit the account managers and individuals who have access to additional data held about the player.
- Data Protection Impact Assessment (DPIA): Again, given the scope of personal data processing and the possible processing of special category data, a risk assessment may be required for a VIP scheme and, where indicated, a DPIA.
What is the benefit of signing up to a code of conduct?
Complying with an approved code of conduct should not only help gambling operators achieve better data protection compliance, but also demonstrates to a DPA, and to customers, that those operators are accountable and transparent in accordance with the GDPR. The EGBA intends to provide its members who comply with the Code with a unique membership number which can be displayed on a website (and elsewhere) to demonstrate to others that they meet its requirements.
Compliance with an approved code may be monitored by an independent third party accredited by the IDPC, and should a member organisation fail to meet the requirements of the code (once approved), membership could be suspended or revoked by that monitoring body and notified to the IDPC. If the failure to comply were to constitute an infringement of the GDPR, the IDPC could then decide to take enforcement action.
Even though the EGBA Code has not yet received EU approval, it indicates a "direction of travel" for the sector, and gambling operators (whether EGBA members or not) would be well advised to carry out an internal review and ascertain whether they are already in compliance with the Code, and, where not, consider possible changes to how they run operationally.