Stuart McMaster, Partner in the Betting & Gaming Group at Mishcon de Reya, and Daniele Perrone, Legal Advisor at the European Gaming & Betting Association discuss the Data Protection Code of Conduct published by the EGBA as part of the Mishcon de Reya series – aimed at exploring the latest trends and topics in the gambling sector. 

The GDPR encourages trade associations to draft their own data protection codes of conduct addressing how GDPR should be applied within their specific sector. These codes can then be submitted for approval by the EU. 

As part of the code, Article 40 enables trade associations to develop sector specific guidelines regarding compliance with GDPR but so far only a few industry sectors have decided to implement data protection code.

Perrone explained why the EGBA decided to produce the code: “We wanted to foster trust with the customers and improve transparency about how their data is used. We know that if you fail to protect customers data this can bring a loss of reputation to your company. So EGBA members want players to know that their data is protected in a certain way.”

“This is an initiative that was to show leadership for the sector since demonstrating compliance with the GDPR is one of the key principles of the data protection law.

“One of the goals of the code is also to assist online gambling companies in achieving a harmonised application of the GDPR. This is especially important for our sector because gambling companies are covered by different national laws and also licensing requirements, which may collide with the GDPR.”

The code has been submitted for approval to the Maltese data protection authority, which in turn will be reviewed by two other data protection authorities before being submitted to the European data protection board. A process expected to take between 18-24 months. 

The study includes five case studies which address specific issues in the online gambling sector and shows how to apply the principles of the GDPR in those situations.

In the code several case studies are mentioned, one being problem gambling. McMaster highlighted that the code makes the point that there’s been little guidance from gambling regulators in terms of what’s expected and proportionate in relation to data processing relating to problem gamblers. One of the points being that operators need to consider how they comply with Article 22 of GDPR when using profiling and automated decision-making processes. 

Looking into ways in which Article 22 could apply to other kinds of profiling undertaken by gambling operators, Perrone stated: “As we know many data are needed to assess if players are maybe at risk of problem gambling. The relevant processing activities will mostly be done using artificial intelligence and so using automated decision-making. 

“Nonetheless, operators have to ensure that such technologies provide only a first pass indicator for the account teams in order that any decision relating to the suspension or closure of an account, which may have a significant effect on a player, are always subject to meaningful human involvement. Another option for operators is that they must ensure that the applicable member state laws allow for solely automated decision-making. 

“Other cases of using profiling could be, for example, for marketing bonuses and in this case we don’t believe that this produces legal effects or similarly significantly affects the players. In this case the player cannot refuse to be subject to this profiling and the same applies for example to when operators are detecting fraud or when they conduct anti-money laundering and know your customer checks because these are made mandatory by law.”

More about the code can be found on EGBA’s website here.

Accumulator podcast: The Data Protection Code of Conduct guide