The General Data Protection Regulation and the Gaming Industry
The Gaming and Gambling Industry is a peculiar one which is dealt with differently by various jurisdictions.
Due to the industry’s delicate nature, there are various special legislations which particularly target or apply distinctly to the industry. For this reason, each legal shift in the regulatory landscape impacts the industry.
Diverging legal positions between states vary depending on the social perspectives, with some jurisdictions legally encumbering the operations of the industry whilst others exhausting its potential. However due to its association with illicit usages and consequences, regardless of the approach taken, a heavy regulatory stance appears to apply globally. In Malta, as endorsed by the vast legislation and benefits granted, the iGaming industry has established itself as a leading economic activity. Due to the industry’s already elaborate regulatory restrictions, as well as its economic importance, implications of the General Data Protection Regulation seem to be heightened with respect to the Gaming Industry.
Due to the industry’s delicate nature, there are various special legislations which particularly target or apply distinctly to the industry. For this reason, each legal shift in the regulatory landscape impacts the industry. Compliance plays a monumental role in the running of such companies, especially in respect of licensing conditions, special laws on gaming, as well as Anti Money Laundering provisions. The General Data Protection Regulation is no exception to this and has in fact increased thresholds for data accountability within the industry.
This may be clearly observed in the instance of profiling, which plays an indispensable role in the promotion of business within the Gaming Industry. Profiling is utilised in data driven marketing, personalized player experience and email targeting amongst other applications. It is also applied in Anti Money Laundering prevention mechanisms. As suggested by Britain’s Gambling Commission, profiling techniques may also be used for identification of problem gamblers – a suggestion taken on by several companies within the industry. The General Data Protection Regulation imposes stricter responsibilities where profiling is utilised, especially where such profiling is used for automated decisions having legal effects on data subjects. Such burdens include the conducting Data Protection Impact Assessments, appointing a Data Protection Officer, applying GDPR Principles and, in line with WP29’s guidelines, provide customers with more information in relation to the profiling activity.
The complex system created by different bodies of law, each imposing their own obligations, has led to various legal anomalies due to these conflicting with obligations created data protection framework. For instance, such conflicts are exuded in recording and monitoring obligations pursuant to the Anti Money Laundering legislation. This is because the latter requires the superseding of the founding principles underlying the General Data Protection Regulation, namely data minimization and adequate retention periods.
Apart from the heavy regulatory restrictions, the industry also faces constant technological developments due to the sector’s online dependence. Whilst enabling constant improvement, this same technological aspect makes the sector more susceptible to data breaches and hacking. Businesses within the industry highly depend on processing and collection of player data for competitive success, leading to such businesses being accountable for a mass of player data. Amongst the array of recorded personal data, this comprises of demographic information, device ID, playing history and also payment information. Even where data does not individually constitute personal data, indirect associations inferred may lead to personal identification, especially if considered in light of other data, making it personal data by indirect reference, further expanding industry stakeholders’ accountability.
Whilst the Gaming Industry functions through various spheres of operation, the General Data Protection Regulation mainly concerns the business-to-consumer (B2C) aspect. In fact, most collection, processing and sharing of data is executed by the businesses responsible for operation of interfaces, sales and customer care services. In compliance with the General Data Protection Regulation may induce pecuniary ramifications as well as the revoking of gaming licenses in many jurisdictions.
The legal anomalies arising when applying the data protection framework to the Gaming Industry have prompted various legislators to address this through guidelines. Most notably, the Betting and Gaming Council in the United Kingdom, formerly the Remote Gambling Association, had issued a guideline aimed at aiding the application of the General Data Protection Regulation. Locally, similar guidelines have been issued by the Malta Gaming Authority after a consultation procedure with the Information and Data Protection Commissioner. This guideline is to be read in conjunction with the General Data Protection Regulation. It was written with the drive to envisage all difficulties which the industry expected to face when the regulation had not yet been enforced. This guideline goes through most aspects of the regulation, discussing them from the perspective of the Gaming Industry.
The General Data Protection Regulation has burdened the Gaming Industry by enforcing higher obligations which are directly implicit on main activities carried out by such businesses, which have led to conflicts and complexities. Industry professionals have advised a wider approach through dialogue between different state authorities and regulators. This would prospectively allow harmonisation in the area whilst enabling clarification and enhancement of the industry and the application of the General Data Protection Regulation itself.