I spoke at Sportel in October about data issues in relation to the regulation of sport, particularly in relation to betting integrity.
The topic raises a number of knotty issues:
- "Data" is a technical area of law, both in IP terms, and because of the fresh consideration given to protection issues arising out of the General Data Protection Regulations.
- In the gambling context, there is still a developing practice as to how the various stakeholders should best collaborate to preserve the integrity of sport (a matter of mutual interest), while preserving their own (often conflicting) commercial positions.
- On betting integrity, practice is largely built on self-regulation and formal/informal collaboration between stakeholders. It's built around MoU's, contracts, working groups, collaborations and contacts as much as black letter law.
- There are a series of emerging threats, the importance of which are yet to be fully understood: the integrity of data gathering, fake data (eg "ghost games"), use of "socket puppets" and other social media devices to spread misleading information.
The interests of the stakeholders
The use of data for betting integrity is important to sports bodies, betting companies who rely on the integrity of sport to maintain trust in their own products and minimise losses through fraud, and increasingly (as the process of opening up gambling markets has continued across Europe and beyond), government regulators. For operators, data is, in any event, at the heart of their business': from setting odds to “Knowing Your Customer”.
Working out where suspicious betting patterns arise - and in particular where "unusual" becomes "suspicious", and taking enforcement action, is not the work of any one group of people. It’s a collaboration, requiring an analytical approach to monitoring betting markets, effective investigative processes, expert knowledge of the relevant sports and markets, and resource commitment from regulators and law enforcement. In this information sharing is key, but there isn’t a single uniform process for managing the process of collaboration to prevent betting integrity issues, even in Europe:
- Some EU Member States (including the UK, Germany (Schleswig-Holstein), and Italy) put direct obligations on their national "Gambling Authority" to proactively collect and process information on suspicious sports betting activity: often through specific licence conditions imposed on betting operators, but sometimes through more indirect obligations (like imposing general requirements on operators to protect betting integrity).
- In many EU countries, there is no direct obligation at all for gambling regulators to collect information on suspicious betting patterns or to share information about suspicious betting patterns with the betting regulators. Some jurisdictions have introduced obligations on either the betting regulator to proactively collect information on suspicious betting patterns, or on betting operators to report suspicious betting patterns to the regulator. However, there are differences in the extent to which obligations are direct or indirect and the extent to which reactive or proactive approaches are used.
- In the UK betting regulators also have to share information with selected sport governing bodies.
- Generally betting integrity regulation is better dealt with in those countries who have renewed their gambling legislation recently. In the UK, for example, the Gambling Commission (and the Sports Betting Intelligence Unit (SBIU) - the unit within the Gambling Commission which deals with reports of betting-related corruption) form the hub of our regulatory response. The UK's "point of consumption" regime requires all operators who place bets with UK punters to register in the UK. Betting operators are required to report suspicious activity to the Gambling Commission under their licence conditions (Section 15.1 of Licensing Condition and Codes of Practice). Betting operators are also required to provide information to Sport Governing Bodies if betting operators suspect that information in their possession may lead the Gambling Commission to consider making an order to void a bet (the Gambling Commission has powers to void bets), and which relate to a breach of a rule applied by that sport governing body. Sports bodies in the UK are not obliged to inform the Gambling Commission when they detect something suspicious, but in practice are likely to do so .
Sports regulators now commonly incorporate into their rules specific requirements on preserving betting integrity. Uniquely, sports regulators have access (typically contractually enforced) to participants, officials and venues and can effectively gather information. They can use their Rules to investigate and sanction participants and officials where necessary, and impose obligations on participants to yield up data. But at the investigatory stage there is a vast difference between different sports regulators. Some have significant cost and expertise wrapped up in their integrity function - developing in-house expertise and forming partnerships to develop intelligence on suspicious betting activity. Others do not. Inevitably investigations are restricted by available resources.
This in itself raises a few tricky issues:
- On the one hand, some operators say they want to share information with sports bodies directly when something "does not feel right". On the other, they are concerned to satisfy themselves that the sports body will deal correctly with the information.
- Discussions on this topic typically quickly end up in the perennial issue of "who pays?". Is it - to borrow the concept from environmental law - that the "polluter should pay", or the sports body?
Self-regulatory models for information sharing
Examples of industry cooperation include:
- Memorandums of Understanding (MoUs) between betting operators and sport governing bodies, about the exchange of information. MoUs describe how information is to be shared, and may include obligations for how the recipient should deal with personal information. They are typically non legally binding expressions of a willingness to cooperate. Most of the large betting operators have MoUs with several – but not all - sports governing bodies. Some sports have refused to sign them.
- Cooperation between betting operators to inform each other of suspicious betting activity. As example is European Sports Security Association – ESSA. Its members include a number of larger bookmakers. Members share alerts with other members of the association. If suspicions arise ESSA will share that with regulatory body or sports bodies where MoUs are in place (ESSA has MoUs with over 20 of the larger sports associations and regulatory bodies including the International Olympic Committee (IOC), FIFA, the Tennis Integrity Unit, The Spanish Football Federation, the UK Gambling Commission, and the Malta Lotteries and Gaming Authority etc).
- Commercial contracts between betting monitoring companies (Sportsradar, Perform, Genius etc) and one or more buyers of their surveillance services by monitoring betting markets and report suspicious sport betting activity to their customers.
- The SportRadar Fraud Detection System, which monitors patterns worldwide and uses algorithms to detect possible match-fixing.
- The IOC Integrity Betting Intelligence System (IBIS) - The IOC IBIS allows for the exchange of information and intelligence for use by stakeholders of the Olympic Movement.
The global dimension
One complication is that fraud in the gambling market is commonly highly international: often facilitated through Asian betting markets with high liquidity and weak regulation.
Suspicious sport betting activity will often be cross-border: bets are placed with a betting operator in one country, on a match in another country, by punters in a third country. The betting operator or the betting regulator will therefore often be in a situation where the bets might be placed in their country, but on a match in another country, and by punters in another country. In order to share this information with the relevant public authorities and/or sport governing bodies, they must know who to contact and who to share the information with, which in itself can be quite a task.
Global problems require global solutions.
One step in this direction is the Council of Europe's Macolin Convention, which is open for signature to parties outside of the Council of Europe (signatories include Japan, New Zealand and Canada), but is yet to be ratified by the EU.
The Convention is the first legally-binding international tool to fight match-fixing, focusing on key aspects of the fight against match-fixing; prevention, law enforcement, the exchange of information among the various actors and of course international cooperation. The aim is to bring the parties closer together in their efforts to tackle this problem through coordinated "national platforms". The aim is to "prevent, detect and sanction the manipulation of sports competitions under both criminal law and disciplinary provisions, as well as facilitate information exchange and national and international cooperation between public authorities, sports organisations and sports betting operators".
Obstacles to sharing information - data protection and the impact of GDPR
Information shared about suspicious sport betting activity will often be personal information and must therefore respect the data protection requirements in that particular country and in that particular situation. This can present a barrier to sharing information.
Betting operators will usually rely on Terms and Conditions under which customers agree upon opening an account, that personal information can be shared with relevant bodies like betting regulators and sport governing bodies with whom the betting operator has an MoU. Betting operators can therefore in principle share information with betting regulators and sport governing bodies. They can also choose to share information with organisations they do not have a MoU with if the recipient is able to handle personal information securely.
In their statutes and regulations, sports federations also typically say that they can share personal information from their members with relevant bodies.
The main obstacle to date has been national and/or EU data protection legislation. In particular, public prosecutors are either unable to share information with private organisations or unwilling to share information for fear that it might harm their case if information leaks. Although in the UK the Gambling Commission is allowed, by law, to share information with sport governing bodies if certain criteria are fulfilled (see above) typically European sport governing bodies have found it difficult to secure recognition as an entity that has legitimate rights to access and acquire personal data.
Sharing will also be further complicated when the GDPR applies from 25 May 2018.
Governing bodies will, like other data controllers, be required to comply with a number of new legal obligations from next May as they process personal data. In the context of betting integrity, their main concern is although they are not public authorities (to whom exemptions are available under the regulations), they clearly perform integrity functions in the public interest.
Some aspects of the GDPR – and in particular the changes to "consent" of the data subject - create risks for sports governing bodies in carrying out those regulatory functions. Relying on "consent" for regulatory functions (always problematic) will clearly be unreliable:
- Under Recital 42) there is a presumption that consent is not freely given where the data subject has no genuine choice and cannot withdraw consent without detriment: if consent to processing of data is not valid, this leaves bodies with no lawful basis for processing such data under GDPR.
- The right to be forgotten (Art. 17(1)(b)) allows participants to require participating bodies to erase data already collected, clearly an impediment to investigatory and enforcement processes.
If consent is ruled out there are other justifications which sports bodies may rely on, but none are risk free. Art 9(g) of the GDPR, for example, permits the processing of sensitive personal data where it is necessary for reasons of “substantial public interest” as determined by “Union or Member State Law”. Inevitably though, relying on such a broadly framed provision in this context invites challenge.
This has led to lobbying by sports bodies to their domestic governments to introduce specific provisions clarifying the position on issues such as betting integrity. Although the Regulations take direct effect, Art 6(2) of the GDPR does allows Member States to introduce specific provisions to adapt the application of the rules "by determining more precisely specific requirements….". By Article 23, Member States may also introduce exemptions to data subject rights "where this is a proportionate measure to safeguard the "rights and freedoms of others."
In the UK, this has led to a concerted effort to ensure the Data Protection Bill (implementing the GDPR) includes a legal basis for processing sensitive data where that is required to fulfil a regulatory function in the substantial public interest, irrespective of consent. Currently, the Bill is making its way through the Lords, and amendments are being considered on precisely those issues. This would be good news for UK sports bodies, but it also means that sports regulators are likely to be left in the sub-optimal position of dealing with a patchwork of arrangements across Europe.