General Data Protection Regulation (GDPR)

[flook]

Utter cop out from the ICO

I am writing in regards to your data protection concerns with Ladbrokes.

In my previous response to you I stated that we has written to the organisation asking for their perspective on the matter regarding third parties.

The Information Commissioner’s Office is satisfied with the organisations response. If you require a list of the categories of organisations that your data may have been released to, you may get in touch with the organisation, who will deal with your complaint accordingly.

As your account with Ladbrokes has been removed, you are now aware of their retention policy and if you require further information regarding third parties, the organisation will handle this request, there is nothing further that we can do on this occasion.

We will keep your concern raised on file, so that over time we can work to build up a picture of Ladbrokes information rights practices.

Thank you for bringing this matter to our attention

[Jimmy Justice]

Agreed. The ICO doesn't understand or worse, chooses not to understand, how Ladbrokes and others use data in ways they don't explain to their customers, which is an offence the ICO should be dealing with, but they don't.

Our meeting with them is now only 6-days away; it's going to be lively!

JJ

[dobie2089]

Hi ,
Just wondered what the outcome of the meeting was , with regards to erasure and gdpr ?

[Jimmy Justice]

I'm writing a piece for the website, but it will take a short while as we're getting written confirmation on a number of things that were said in the meeting, so I don't make any mistakes.

Very briefly; the ICO admitted that gambling companies were breaching differing parts of privacy law frequently. They also said they'd had meetings with industry representatives already including Iovation, because they are concerned about what is happening and they need to remind the industry in general of its responsibilities. The piece will mention what consumers can do to take these informal warnings from 'informal' to a proper investigation and hopefully action, including sanctions.

I will post a link on here when the meeting report is published.

Thanks for your interest.

JJ

[BearHawk]

Hi all

Just wanted to post my two cents

I’ve been gubbed by several online bookmakers including SkyBet, Betway and PaddyPower who’ve banned me from promotions, BOG and limited my stakes to low winnings. BetVictor have banned me from one sport in particular. A lot of bans and limits came about at roughly the same time.

I fired off an SAR to one of them to see what they held on me.

They data dumped me with hundreds of pages with hundreds of lines of all bets I made, IP addresses when logging on, all emails I sent to them and all withdrawals/deposits.

They didn’t include any emails or meeting minutes discussing me, my account or the reasons and decisions made to limit my winnings.

I’ve asked them for this, but hold no hope.

Cheers
BearHawk

[Jimmy Justice]

Hi,

Thank you for your post.

Under GDPR, legally these companies have to provide you with everything they hold about you.

As you know traders will have made their decisions based on some sort of process. They will tell you due to their T&Cs that they don't have tell you the exact reason/s for restricting you, which is true, but under GDPR they DO have to tell you what process was used and if relevant what you were rated against and how you scored. If they say they didn't use a process involving a human, i.e. fully automated, that's good news, because it's illegal and you could take action against them.

I would also suggest very strongly that one or more of the companies will hold Iovation and/or Threatmetrix data about you. They have to provide this data as well, but will likely fight not to. This data will contain details about your suspected betting activity, e.g. arber, account restriction, etc. This data is shared between gambling companies who subscribe to these products. It relates to your e-devices, not you personally, although it is easy to link an e-device to a person.

I hope this helps and do not give up until you've got everything you want. Companies regularly, nearly always to be fair withhold data, which again is illegal.

JJ

[edsisto]

I kept going back to WH and asking for more SAR details from them based on things from this thread and just get responses like:

Thank you for your email.

We can confirm that your account was restricted in XXX of XXX by our Trading team. Your account has been reviewed and we confirm we hold no IP information in Iovation linked to your account.

As advised previously, any restriction done on an account is done so at the discretion of the trader reviewing it. We have provided to you all the information related to your account.

Kind Regards,

As helpful as they always are.....

[Jimmy Justice]

It is 99% certain that they do hold Iovation tickets about your e-devices, which will include IP addresses and much, much more.

Iovation are registered as a data controller in the UK now, the UK ICO made them register, so your other option is to go to their Data Protection Officer and ask for the same. I suspect they will claim they don't know your name or your account number at WH, so you will have to ask them for the type of information you can provide that will identify your present e-devices on their system. An IP address is a good starting point, but they will have details of all the following (and more):

Screen resolution, Device Type e.g. PC, MAC, etc.,Operating System e.g. Windows, OS X, Linux, etc., Device Time Zone, JavaScript on/off, Flash on/off, Flash installed?, Flash Version, Flash storage enabled/disabled, Browser Cookies enabled/disabled, Browser Type, Browser Version, Browser character set, Browser Menu Language, Browser Configured Language, IP Address, IP Geolocation: City, IP Geolocation Country Code, IPGeolocation Proxy Flag, IP Geolocation Country Name, IP Geolocation State/Region, IP Geolocation Time Zone, Internet Service Provider (ISP), ISP Organization; Fully-qualified domain name, CPU Count, CPU Speed, Operating System Version, System Model, Component Serial Numbers, MAC Address, DeviceName (MD5 Hash), Device Identifier, Device Locale, Device System Version, OS Build Number, Kernel Version, Kernel Build Number, Flash System Capabilities.

There will be what's called Iovation tickets that outline what gambling companies have posted in the Iovation database about your e-devices you must insist on getting these, they can be very enlightening. If you wanted to be really difficult you could ask for all the fraud checks Iovation has done on your e-devices.

I'm very aware, as you know, that the ICO rarely do anything useful when gambling companies breach their rules, but if Iovation refuse to comply with your request please do let me know and I'll take it up with one of the ICO's Directors who told me that Iovation must provide the information.

JJ

[gdprboy]

Hi guys, just wanted to run some GDPR questions by you.

I've been wanting to clarify my position with regards to bookies accts and GDPR for a while but when Hills randomly emailed me three weeks ago about an account that's been restricted for years to inform me that I was restricted I decided to make Hills my target. I'll summarise or this will be tldr.....

* Emailed hills requesting acct closure and data deletion
* Reply saying acct closed but can't delete data for seven years due to regulatory reqs
* Complained to ICO
* ICO reply saying seven years is satisfactory as regulatory guidelines overrule data deletion requests and to contact GC for further info
* GC say they don't specify how long data must be kept. Bookies need to keep data for identifying self excluded customers tho which is fine as I didn't self exclude, I made that perfectly clear that I didn't want self excluded in my acct closure email
* Back to the ICO to tell them that the GC doesn't specify a length of time and asked exactly what regulations can override GDPR in this instance as nobody else can seem to tel me
* Their reply.....

"You have explained that William Hill have stated that it will retain your data for a number of years. This is likely to be because they have obligations such as the Anti-Money Laundering Regulations. Part 4 (40) of the Money Laundering Regulations, says that organisations have a legal duty to keep records for five years after the business relationship ends. More about this can be found by following this link:
https://www.gov.uk/guidance/money-laund ... quirements

It is also outlined in their privacy policy the purposes for retaining customer data. Their privacy policy can be found on the link below:
https://williamhill-lang.custhelp.com/a ... 8c~zj~PP~V

You may also wish to review the gambling commission' website for details on this subject;
https://www.gamblingcommission.gov.uk/f ... -GDPR.aspx

Therefore, we are satisfied that William Hill has responded appropriately to your request for erasure as they have legitimate grounds to retain your data."

* So looks like the money laundering regs to actually apply to us.


My questions though.

1. Hills say they can only delete data seven years after acct closure.
Why account closure and not my last transaction with them?
Why seven years and not the five stated in the money laundering regs link that the ICO quoted?

2. I'm pretty tilted with this whole affair. I'm leaning towards seeking legal advice but have zero experience with lawyers, courts etc.
Does anyone have an idea what this would cost me?
If I won or if they didn't defend could I claim my costs back?

As far as I can see, nobody has taken this as far as a court. I think it's about time that someone did.

[Jimmy Justice]

Hi,

Thank you for your post.

This is a sensitive topic for J4P at present as we're involved in a long (never ending) discussion with both the ICO & GC about this topic.

What follows is only our opinion, but we've yet to be told we're wrong by either regulator.

Sports betting is NOT covered by present anti-money laundering laws (The Money Laundering, Terrorist Financing and Transfer of Funds [Information on the Payer] Regulations 2017); casino gambling is. This has been confirmed in writing to J4P by the GC's lawyers. Why the ICO is continuing to tell people otherwise, as opposed to being clear about the law, is beyond our comprehension. Simply ask the person about their gambling and give them the correct answer.

However, operating licensees (including betting operators) must comply with Licence Condition 12.1.1, which currently states as follows:

Anti-money laundering
Prevention of money laundering and terrorist financing
All operating licences except gaming machine technical and gambling software licences

1 Licensees must conduct an assessment of the risks of their business being used for money laundering and terrorist financing. Such risk assessment must be appropriate and must be reviewed as necessary in the light of any changes of circumstances, including the introduction of new products or technology, new methods of payment by customers, changes in the customer demographic or any other material changes, and in any event reviewed at least annually.

2 Following completion of and having regard to the risk assessment, and any review of the assessment, licensees must ensure they have appropriate policies, procedures and controls to prevent money laundering and terrorist financing.

3 Licensees must ensure that such policies, procedures and controls are implemented effectively, kept under review, revised appropriately to ensure that they remain effective, and take into account any applicable learning or guidelines published by the Gambling Commission from time to time.”

Failure to comply with this licence condition (which does apply to betting operators) can constitute an offence under the Gambling Act 2005 (as well as potentially giving rise to regulatory action).

In much simpler terms this means that UK gambling operators must have a policy in place regarding anti-money laundering
prevention of money laundering and terrorist financing. The correct answer, therefore is that Hills has decided on their approach to this issue and they have decided 7-years is appropriate.

J4P's experience is that differing companies tell people differing time lengths. This often appears to relate to the length of time a person has had their account restricted. As example we've seen 3, 5, 6, 7, 8 and 10 years quoted. Of course this could all be pure co-incidence and these companies may have just changed their policy the day before each person asked for data erasure.

If you wish to be cruel (your choice) and assuming you've only placed sports bets you could conclude that Hills deem you to be a terrorist funding risk. Not a nice thing to accuse somebody of. Of course this isn't true. Again, J4P thinks the truth is that regulators are allowing gambling companies to interpret licesening regulations for their commercial advantage.

The whole thing is one huge mess!

1. Hills say they can only delete data seven years after acct closure.
Why account closure and not my last transaction with them?
Why seven years and not the five stated in the money laundering regs link that the ICO quoted?

Hopefully, I've answered this? Hills can do as they wish, except in the case of casino gambling, becuase regulators allow them to.

2. I'm pretty tilted with this whole affair. I'm leaning towards seeking legal advice but have zero experience with lawyers, courts etc.
Does anyone have an idea what this would cost me?
No.
If I won or if they didn't defend could I claim my costs back?
Yes.
As far as I can see, nobody has taken this as far as a court. I think it's about time that someone did.
To my knowledge you are correct although PaddY Power has been settling out of court with some Irish residents for other privacy offences: https://www.thetimes.co.uk/article/padd ... z7wfqn6g0

I hope this helps in some way?

JJ