Some very important notes before you read this.
- GDPR is already becoming a farce in the gambling industry and its interpretation by many gambling companies is appearing to differ. Companies seem to be competing to deny as many rights as possible to all their customers relating to GDPR using their new privacy policies. Some statements in the updated privacy policies seem to contain blanket claims that other legislation over-rides GDPR when in most circumstances it probably doesn’t, i.e. ‘wool over their customers’ eyes’ yet again.
- Secondly, the phrase ‘our legitimate interests’ is appearing all over the place in new privacy policies. This term is obviously defined by the companies and judged by the companies and nobody else; is this fair as part of a consumer contract?
- Thirdly, the Remote Gambling Association no longer exists it has been replaced by the Betting and Gaming Council.
We should have expected nothing more, because data transparency and especially data erasure is the exact opposite of how many gambling companies operate due to their insistence on never trading with anyone who might break even or win.
Despite all the work we have put into what follows, we now doubt it’s worth much, because it’s now clear that many online companies are going to go out of their way to deny any erasure of data held and perhaps even access to the details of personal data held and shared with third parties.
We will be attempting to consult with regulators about this, but promise nothing.
GDPR is an evolution in data protection, not a revolution; nevertheless it may have a large impact for those who like to gamble, especially if you aim to bet successfully on sports?
None of us at ‘Justice for Punters’ (J4P) are lawyers, so you should not take any of the views that follow as being ‘water-tight’ in law or even the correct interpretation of GDPR, therefore it is crucially important you don’t rely on any of these views, especially if you decide to take a gambling company to court.
ps: We’ve done our best!
We’ve asked the Gambling Commission (GC) if it was likely that the Information Commissioner’s Office (ICO) would be publishing specific guidelines for the gambling industry and their customers; they said no. The Gambling Commission has produced some advice, which is summarised here: https://www.pinsentmasons.com/out-law/news/gdpr-gambling-operators-licensing-duties This is primarily about licensees not using GDPR to avoid their social responsibilities for problem gambling and crime, which is an interesting line to take and suggests that the GC might not trust its licensees to use GDPR for commercial gain?
It’s been impossible to write something in general, because GDPR is so complex, so we’ve decided to look at two issues that we see as being crucial for those who like a bet, e.g. the ‘right to be forgotten’ (more accurately ‘the right to erasure’) and profiling. We are going to deal with them separately. This first post is about the ‘right to be forgotten’.
What is GDPR?
GDPR is a regulation in European Law covering data protection and privacy for all people in the European Union. It also covers the export of personal data outside the European Union (EU). The GDPR aims to provide control for citizens and residents over their personal data. It also aims to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR extends the scope of EU data protection law to all foreign companies processing data of EU residents. This latter aspect is very important as some online bookmakers, although licensed in the UK and Ireland are not based in the EU, but they will have to adhere to the new regulations.
What data is personal?
According to the EU, “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, or a computer’s IP address.”
An issue for people who bet is the collection and storage for life of e-device data, especially now the EU has listed an IP address as personal data. E-device data traditionally hasn’t been defined as personal data, however the UK’s ICO has ruled that e-device data when combined with other data, e.g. home and email addresses, becomes personal data, so a combination of this ruling and that the EU views an IP address as personal data means it is therefore likely fair to ask online gambling companies to erase all data they hold about an individual, including e-device data?
What is the right to erasure?
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
When does the right to erasure apply?
1. Individuals have the right to have their personal data erased if: The personal data is no longer necessary for the purpose which you originally collected or processed it for;
This statement is open to interpretation: It’s probably fair to say that the purpose of collecting original personal data by a gambling company was simply to open an account and make basic ID checks as dictated by the GC guidelines and other laws covering ‘Know your customer’, e.g. name, address and email address, etc. It will be likely difficult for the company to claim that this personal data was originally collected as the beginning of a profiling process to restrict a customer from trading with them because they might win? When you then add the fact that new customers were highly likely never told clearly what this personal information would be used for, including combining it with other data ‘secretly’ collected for critical analysis; surely means it will be difficult to refuse erasure? It must be kept in mind that unclear terms and conditions (T&Cs) make a contract unfair and unenforceable, so in our opinion it is likely that any data collected as part of that unfair process will have to be erased?
2. You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
We cannot cover every aspect of this statement with our knowledge, but one aspect that seems very relevant is that the lawful basis for a gambling company holding personal data was based on consent, e.g. a person was asked for consent when accepting T&Cs, but in no other way, so a person would have the option of withdrawing consent, thus meaning data erasure.
3. You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
Impossible to answer with our knowledge; what is an overriding legitimate interest to continue data processing? Is it legimate in law to claim that having a gambling licence should enable a licensee to trade by reducing risk to virtually nil?
4. You have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle [a]);
As would be expected by its’ title this is vital and underpins all data collection. The following taken from the 1st principle (a) places many gambling companies, if not all, with few options moving forward with GDPR and data erasure due to the way historical personal and other data has been collected and processed;
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data; (historically the industry in general hasn’t)
- handle people’s personal data only in ways they would reasonably expect; (historically the industry in general hasn’t)
- make sure you do not do anything unlawful with the data (historically some companies have done unlawful things).
So, when will a gambling consumer have the ‘right to be forgotten’?
In addition to the previous section about principles in general for all industries, the following is taken from guidance provided by the Remote Gambling Association to their members,
“55. Customers have the right to have their data ‘erased’ in certain specified situations. This is in essence where the processing fails to satisfy the requirements of the GDPR. Where customers seek to exercise these rights, data controllers must respond without undue delay (and in any event within one month). This period can be extended in difficult cases, but data controllers would need to demonstrate their justification for relying on the extension provision.”
We’ve read numerous sources and it seems “certain specified situations” in the case of gambling companies appears to mean any situation except where a person has self-excluded or is suspected of crime. We have failed to find any other legitimate reasons for a gambling company to refuse erasure of data, we may be wrong? Extremely important here is that it would seem that there is no justification for not erasing data if a gambling company has refused to trade with a customer unless this was due to crime. We feel it is likely that a UK court would rule that restricting stakes to silly amounts is a refusal to trade, i.e. a refusal to trade doesn’t have to be a full account closure? It is likely that some gambling companies will cite reasons to refuse erasure of data, but according to what we’ve read that should be challenged vigorously and reported to the ICO.
The following is another quote from the RGA’s guidance,
“57. Where a controller is obliged to erase the data, but that data has already been put into the public domain or shared with other controllers, then the controller must also inform other controllers who are processing the data that the data subject has requested erasure of those data.”
Assuming e-device data is deemed as personal data in the circumstances already explained this means that a gambling company who uses either Iovation, Threatmetrix or another similar product will have to tell these companies that provide these products to erase full data they hold, including data in their databases that subscribers share access to, unless a person has self excluded or is suspected of crime. It needs to be kept in mind that it is not apparent what some companies use instead of Iovation and Threatmetrix for fraud purposes, so a person should be clear that they want any form of device ‘footprinting’ erasing. We suspect, but have never proven that one or more of the large operators have their own similar versions of these products.
As above, it’s also important to consider the ICO’s general information for all industries in addition to what the GC and RGA have issued. As is obvious, there seems to be quite a number of reasons why gambling companies cannot refuse data erase often due to their historical failures.
It’s a real pity that the GC are not doing what we’re trying to do. They have their own lawyers and we’ve asked their lead for GDPR if there would be any guidance to help consumers, but again were told nothing would be forthcoming.
A word on transparency and GDPR
The following is information provided by the ICO,
“The GDPR says that the information you provide to people about how you process their personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
This is not the main theme of this post, but it is probably important in the context of account restrictions and especially delayed payouts? If a gambling customer is facing a delay with being paid out we would suggest you email the company’s Data Controller and specifically ask what data the company holds that is delaying the payout and/or why their standard automated systems are unable to identify the person. If nothing else it will give the company grief instead of the customer getting all the grief.
J4P has found no 100% certain reasons, except self exclusion and crime for a gambling consumer not being able to implement their ‘right to be forgotten’ after May 25th 2018. Yes, there is plenty in the legislation that is open to interpretation, but a gambling company will be very lucky if they can prove they have not done something historically or still which means the ‘right to be forgotten’ can be turned down. There is wonderful irony in previous dubious practices ‘coming home to roost’. If a person therefore wishes, they should write to or email Data Controllers at gambling companies from which they want their data erased. Remember this should be ALL data held by the gambling companies and other companies they’ve shared data with.
All data erasure refusals should be reported to the ICO.
As mentioned at the start of this post we are not lawyers and we may have missed something, but in the absence of direct advice to gambling consumers from either the ICO or GC we suppose it’s what gambling consumers will have to put up with? The next few months will tell us if we are somewhere near correct and if the ICO are even going to bother implementing GDPR in the gambling industry. We should remember they’ve shown little intention of implementing the Data Protection Act (1998).
If there is a lawyer out there who doesn’t work for the gambling industry and would like to improve this post J4P would be very grateful. Like J4P volunteers a lawyer will not be paid for this work, so this fact should be remembered.
J4P has drafted a letter, which can be edited for personal use and/or adapted for use as an email.
As a gambling consumer if you do decide to implement your ‘right to be forgotten’ please do make sure to let us know your experience at email@example.com (it’s very important we share experiences and expertise).
Finally, J4P has now added a draft letter for those who’ve had their account restricted by an online bookmaker, which will help them to obtain their data, details of how that data was processed and how they were personally profiled, i.e. how the decision was made to effectively refuse sports bets from them.