Government representatives have warned companies operating in the gambling sector that international transfers of personal data will become significantly more complex following the UK’s exit from the European Union. Speaking at the PayExpo conference in London in October 2019, the representatives said it is unclear, at this stage, what companies can do to prepare. Advice will depend on the nature of the UK’s exit.
The complications regarding international transfers and data flows become particularly problematic in the event of a no-deal Brexit. Unlike a deal scenario where the UK will remain part of the EU for the duration of a ‘transition period’ (currently set to last until 31 December 2020), in a no-deal Brexit scenario, the UK will immediately leave the EU on exit day as provided for in the European Union (Withdrawal) Act 2018 (the “EUWA 2018”). Upon the UK’s exit, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) (No. 2) Regulations 2019 will come into force, thus implementing the so-called ‘UK GDPR’.
The UK GDPR will mirror the provisions of the EU GDPR. However, in its current form the UK GDPR would not function effectively on exit day due to the numerous references to EU laws and institutions. Therefore, secondary legislation has been passed under powers conferred in the EUWA 2018 in order to make certain amendments to the UK GDPR so that it works as a piece of UK domestic law.
In the event of a no-deal Brexit, the UK will immediately be considered a ‘third country’ for the purposes of data protection laws, and as a result, transfers of personal data from the European Economic Area (“EEA”) into the UK will become restricted unless certain mechanisms are in place.
Mechanisms for international transfers
The first mechanism is an adequacy decision granted to the UK by the European Commission (the “EC”). Such a decision means that the EC deems the data protection standards in that jurisdiction to be adequate, and as a result no further safeguards would be required to make international transfers. This is a lengthy process which could take several years, and there are no guarantees that the EC would grant such an adequacy decision in respect of the UK.
The next mechanism is for there to be an ‘appropriate safeguard’ in place prior to a transfer of personal data outside of the EEA. In practice, this usually means that there is a contractual agreement between organisations which incorporates Standard Contractual Clauses (“SCCs”). SCCs are pre-drafted standard clauses that the EC has deemed to provide adequate safeguards if adopted.
The final mechanism to allow international transfers is where there is an exception under Article 49 of the GDPR, but that is not likely to be relevant to gambling operators.
Not having any of these mechanisms in place when transferring personal data outside of the EEA amounts to a breach of the GDPR and may result in severe regulatory fines.
What does this mean for gambling operators?
If a company or organisation is based in the UK and is collecting data from customers located inside the EEA, they will need to have reviewed their contracts, policies and operational procedures to make sure that (i) an appropriate safeguard is in place; and (ii) references to EU institutions and EU law have been updated to reflect the UK’s position as a third country.
It is also worth noting that due to the extra-territorial effect of the GDPR, upon exit, non-EU organisations that offer goods and/or services to individuals in the EEA or monitor their behaviour will have to comply with both the EU GDPR and the UK GDPR.
There are other practical concerns too. The Malta Gaming Authority (the “MGA”) recently published its Brexit guidance, warning that Malta’s gambling regulations require "that a person that holds a licence must be a person established within the European Economic Area". Post-Brexit, an establishment in the UK will no longer meet that criterion. The MGA have therefore recommended that companies take the necessary measures to ensure compliance within the next 12 months.