The iGaming industry has changed drastically over the past two decades, due to the development of new software and changing laws and regulations. Dmitry Smirnov, EvenBet Gaming Lawyer, shares his expert view on the dangers of unauthorized use of personal data handled by the heavily regulated iGaming sector. The possible harm can be great and insufficient focus on (cyber) security can lead to major risks and, as a result, large fines, licence revocations and other sanctions.
Dmitry Smirnov: “Those operating in the iGaming industry must comply with data privacy laws (such as GDPR) as well as laws regarding anti-money laundering (AML) and fraud prevention. This can lead to confusion about which requirements take precedence.
In 2020 the European Gaming and Betting Association (‘EGBA’), whose members accounted for 33% of Europe’s total online gambling revenue in 2021, initiated the development of the Code of Conduct (the Code) for iGaming companies. The Code aims at going beyond the requirements of the GDPR and introduces dedicated rules for iGaming companies aimed at, for example, enhancing data portability rights, transparency and preventing and/or mitigating breaches of personal data.
However, despite the implementation of the Code, there are still many problems regarding data protection in the field of iGaming.
Conflict between GDPR provisions and AML regulatory requirements
In applying certain principles of the GDPR, gaming operators need to be mindful of responsible gambling and AML requirements, which may overlap and, to a certain extent, conflict with the GDPR.
Speaking of the principle of transparency, we have:
- on one hand, the GDPR stipulates that operators need to provide players with clear and specific information about all processing activities;
- on the other hand, anti-money laundering laws essentially prohibit the disclosure of any information relating to ongoing investigations.
Similarly, with respect to responsible gambling, operators need to be very careful when disclosing information relating to the monitoring of players, because this might enable players to bypass RG mechanisms which, at the end of the day, should be in place and should not be disclosed in a transparent way that enables players to bypass them.
Discrepancy between GDPR and other areas of law related to the iGaming industry
In addition to conflicts between GDPR and AML regulatory requirements, there are still some uncertainties in applying certain provisions of GDPR that may clash with different areas of law, specifically, legal requirements in the iGaming industry.
GDPR ought to make operators question what data they keep unnecessarily. At the same time, the iGaming industry standardised players to receive specific attention, which, in turn, can lead to a conflict based on the requirement that operators need to build a player profile and track their activity.
The main difficulties arise from the peculiarities of the system operation and are reduced to the following principles that have to be ingrained in the system:
- data minimisation;
- data proportionality;
- storage limitations.
Generally, operators (as well as subject persons and controllers) want to keep all the data about a player in order for them to build a proper profile and provide the best services, which is also, in a way, mandated by RG and AML, while on the other hand, GDPR mandates the principle of data minimisation.
Therefore, finding the right balance between the two is the key at the moment. Operators in the industry collect data to build a player profile for player protection purposes without storing any data that is unnecessary and beyond what is required by law. In other words, the more information that is being collected and retained, the higher the risks, at least from a GDPR perspective.
Overlaps between the operator’s proactivity and law
Recently we can see that GDPR started to be a proper balance in the field of the AML requirements as well as proactive measures that are required from the operators in the responsible gambling area.
But nevertheless, we still witness interesting issues in the field. For example, the introduction of new VIP guidance practically requires operators to understand the financial, emotional and other problems of their VIP customers in order to make good responsible gambling judgments. We can also cite Sweden as an example, where regulators ask for a bit more proactive approach, even collecting health data of the customers in order to do the proper RG assessments.
Therefore, the task of each operator is to determine the boundaries for the collection and sharing of personal data in order to comply with regulatory guidelines.
This approach seems to be the most prevalent one today because, from the very beginning, the UK Gambling Commission expected operators to accept this as a self-regulatory approach, while also putting a lot of burden on the operators that need to find a balance between regulatory obligations and data protection and privacy considerations.
In conclusion, for the time being, it’s a task for operators to set limits and find a way to share very sensitive data, which, hopefully, will soon be clarified in the new AML regulation.
Lack of communication between the data controllers and data processors
In my opinion, regulatory compliance and data protection is a shared responsibility; therefore, all involved parties need to be aware of what is expected, what the best practices are and what the guidelines are.
Data processors generally act within GDPR guidelines while processors are more scoped due to the lack of day-to-day interaction with AML and RG.
Therefore, having more clarity and communication between the data controller and data processor is crucial in order, for example, to understand potential areas of overlap between GDPR and AML.
Issues arising from EGBA
The EGBA Code of Conduct, the Code of Conduct of the European Gaming and Betting Association, seeks to reinforce the sector’s compliance with the GDPR. The Code was developed by the relevant authorities jointly with iGaming businesses.
The main issue that has been brought up in recent times is that the document needs to be regularly updated because even the nature of the industry and the challenges that it’s facing are changing due to technological development. Therefore, currently, the main issues with implementing the Code could be summarised into the following:
- numerous concerns with implementing self-regulatory instruments in the field of sharing the data for AML-responsible gambling purposes from open banking;
- the code will have to go to the consistency mechanism in terms of articles 63 and 64 of the GDPR;
- lack of clarity on keeping the Code itself up-to-date.
In conclusion, as much as businesses expect regulators to understand their side of the story, it is important to take part and explain to the regulators what the current industry concerns are, which, in turn, can help with keeping legal regulations, such as the Code of Conduct, up-to-date.”
EvenBet Gaming is a gaming platform supplier that pays increased attention to cyber security and maintains high standards for its security processes. Contact us to obtain consulting services and get the right solution for the iGaming business.