The GDPR was making life complicated for gambling companies operating in multiple markets before Brexit and the end of the transition period threatens to add to the problem. Now, an industry-specific code from the EGBA is here to offer some support.
Personal data has in many ways become the new global currency for companies operating in the online world. But alongside growing commercial interest in the personal data of consumers have been increasingly vocal privacy concerns from inside EU policy circles. Questions are being asked about whether companies are using personal data ethically, in the consumer’s interests or respectful of their right to privacy. Several well- publicised global scandals involving data breaches, hacks and the harvesting of data have underlined the growing risk of data abuse and encroachments into consumer privacy.
In response, policymakers in the European Union and elsewhere took notice and began to develop various data compliance regulations. This culminated in 2018 with the implementation of the EU’s General Data Protection Regulation (GDPR), a ground-breaking moment in establishing standards and accountability as to how companies should process, store and use the personal data of consumers. Not only is the GDPR a landmark achievement in terms of data protection regulation in EU, but it is also the most far-reaching regulation anywhere in the world, with implications far beyond the EU’s borders.
The GDPR was designed specifically to protect the privacy of EU consumers and give them more control over how their personal data is used by third parties. This required government agencies and private companies who have customers in the EU to update their internal data protection policies bringing them into line with the EU’s new flagship data protection policy, a move affecting hundreds of thousands of companies and over 500 million consumers.
GDPR and online gambling
As with every other sector, the online gambling sector is covered by the GDPR and online casino sites are required to comply with the regulation in addition to other data protection requirements contained in national laws or licensing requirements. Yet the myriad of national regulations for online gambling in the EU, and the countless companies who operate in more than one EU country, has rather complicated this task.
Faced with the sheer complexity of the new regime, the European Gaming and Betting Association (EGBA) developed an industry code of conduct to help online gambling companies apply the GDPR effectively. The Code Of Conduct On Data Protection In Online Gambling1, published in 2020, is one of Europe’s first sectoral codes on GDPR. It contains sector-specific rules and best practices and reflects the commitment of our members to promote the highest standards in data protection and GDPR compliance in the online gambling sector.
The code aims to improve transparency for customers as to how their data is used and kept secure. To offer practical guidance to companies, the code also includes case studies explaining how the principles of GDPR should be considered and applied by gambling companies in certain sector-specific scenarios – such as addressing problem gambling and fraud detection.
In accordance with Article 40 of the GDPR, which encourages the use of sectoral codes of conduct to support application of the regulation, the Code Of Conduct On Data Protection In Online Gambling has been submitted for formal approval by the EU data protection authorities as an official, approved and recognized industry code which applies the GDPR.
The code has been submitted for review by selected national data protection authorities (DPA), led by Malta, which will consider if the code properly applies and is congruent with the GDPR. The Maltese DPA will then notify the European Data Protection Board (EDPB), the EU-level authority for data protection, about the code and its recommendation as to whether the code should be approved. This approval process could still take up to two years.