April 1, 2022
Members of the UK Betting and Gaming Council (BGC), including some of the world’s largest betting and gaming operators, are working with the UK’s Information Commissioner’s Office (ICO) to trial a new mechanism for sharing player data between gambling operators.
The gambling industry continues to collaborate to identify how it can utilise technology to further protect its customers from the negative consequences of gambling participation. Attempts to collaborate have previously been constrained by concerns about customer privacy and competing obligations under the GDPR. However, since neither of these legal frameworks overrides the other, the BGC and ICO must innovate to solve the problem. The aim is to achieve a single-customer-view (SCV), allowing each operator to view a customer’s online behaviour across other operators so that it can take active steps to identify and reduce potential harms.
Most customers hold multiple accounts (the average is 3, although this number is higher among younger customers), and so without a broad picture of their activity, it’s almost impossible for an operator to accurately assess whether or not a customer may be transacting in a financially unsustainable way. However, allowing for such a comprehensive view raises immediate and serious privacy concerns.
In November 2020, the ICO admitted the SCV project to its regulatory sandbox, a virtual environment for testing products and services in a technical and regulatory capacity. The initial aim was to establish whether there is an appropriate lawful basis for sharing customer data between operators. This was a complex consideration due to much of the data being behavioural data and/or identifying health-related information, which would require an additional Article 9 condition to be present to legitimise the processing (in this case most likely GDPR Article 9(2)(g), ‘necessary for reasons of substantial public interest’).
The lawful basis
So far, the ICO has identified that the sharing of behavioural data using an SCV may be lawful under the public task basis in Article 6 of the GDPR. Public task goes beyond ‘legal obligation’ as a lawful basis, since the sharing/processing does not have to be required by law, it must merely originate from the law (in this case, British gambling law/regulation) and be in the public interest.
A change to legislation, such as a new requirement in the Licence Conditions and Codes of Practice, could also enable operators to rely on the legal obligation basis but this is not currently a substantive proposal.
The ICO also said the SCV may be lawful on a legitimate interests basis, since such interests may include not only the interests of the operator but the interests of the customer. Legitimate interests must be balanced against the fundamental rights and freedoms of the individual and so an appropriate assessment would need to be considered.
A summary of the full outcomes of Phase 1 can be found here.
It’s likely that the processing and sharing of data under the SCV will be closely scrutinised once implemented to ensure compliance with the GDPR principles (e.g., purpose limitation, data minimisation and fairness). An area of particular focus will be to address concerns, that may arise from some quarters, that such data could be used by operators to profile customers for commercial reasons: for instance, helping to target products and services; or to gain competitor insights. Use will need to be strictly limited to harm reduction and there will no doubt be guidance on reporting and retention practices for participants in the SCV.
The SCV is now being developed further so that the ICO can explore the application of these bases in more detail and test the efficacy and security of the system to ensure it can comply with data protection law.