In an article for iNTERGAMINGi, counsel Richard Field considers data protection in eGaming.
Regulation has always been a contentious issue for businesses from all sectors. Finding the right balance between a regime that is not sufficiently tough to enforce common minimum standards and one that is so prescriptive that it stifles business is very difficult. Add in the complexities associated with moral judgments as to the nature of the business itself and how it interacts with its customers, and it is easy to see why success in eGaming is tough to achieve.
With the onset of the single digital marketplace in Europe, and the increasing globalisation of e-commerce, traditional "boundaries" (whether jurisdictional or legal) are being broken down. Regulation has a key role to play in ensuring that defensible standards are maintained for eGaming businesses, and nowhere more so than in the sphere of data protection.
Our attitudes towards data protection have been changing in recent years – gone are the days when data protection was seen as the poor cousin to other, more "glamorous" (these things are relative) areas of compliance, such as fraud, anti-money laundering or sanctions. Data is rightly being cited as the new "oil" in terms of its value to businesses. The growth in cybercrime, however, has focused the attention of boards across the globe on the risks of processing data, in particular personal data, and on securing their digital assets.
Data protection is an inherent part of eGaming business – the processing of customers' personal data is a daily part of life for eGaming operators. Whilst some businesses in other sectors may deal with large volumes of personal data, it is often the case that eGaming businesses are dealing with hundreds of thousands of customers' data at any given time. Managing those data flows, whilst ensuring security and compliance with a raft of varying international laws, is a significant challenge and one which will take on an additional dimension in the years to come.
The General Data Protection Regulation ("GDPR") comes into force across the EU in May 2018 and has direct effect in all EU Member States (in other words, there is no need for implementing legislation in individual jurisdictions). However, the impact will be felt more widely, as the GDPR has extra-territorial effect. If operators are doing business in the EU, or profiling customers living in the EU, then the GDPR will apply. For eGaming businesses, the global reach of the legislation will have a significant impact. Notwithstanding the current uncertainty surrounding "Brexit", the standards it imposes will remain the benchmark for years to come.
Regulators will have power to impose administrative fines up to a maximum of 4% of global annual turnover or €20 million (whichever is the greater) for serious breaches, and so compliance will be a board-level problem. eGaming businesses will have to be aware of the changes to come and should start preparing for the new regime. Alderney and Guernsey are already working towards compliance in these areas and will remain at the cutting edge of regulation in this area, thereby continuing to retain their place at the forefront of the industry.