Giulio Coraggio(gamingtechlaw.com): European Privacy Regulation Guidelines from the Italian Data Protection Authority
Source: http://www.gamingtechlaw.com/2017/05/privacy-gdpr-italian-data-protection-garante.html
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper.
The European privacy regulation (GDPR) can now rely on detailed guidelines from the Italian data protection authority on how to comply with it.
After the French and the Dutch data protection authorities, the Italian privacy regulator, Garante per la protezione dei dati personali (the “Italian DPA”), issued its 6 step methodology on the GDPR, which also aims at increasing awareness of the most relevant changes introduced:
1. More detailed consent and broader legitimate interest
As already provided by the current regime, any type of processing of personal data needs to have a legal basis justifying it. In particular, among others, with reference to:
Consent
An explicit (but no longer written) consent is required with reference to the processing of sensitive data (e.g. health related data that are now incorporated in the broader “special” category of data) and to the processing based on automated decision making. The latter is a burdensome obligation in case of automated decisions involving health related data since the manual processing of requests might not be economically feasible for companies in some cases. Therefore, other solutions need to be identified to avoid the risk that some customers do not give their consent to the automated processing of their applications.
Also, a relevant point raised by the Italian data protection authority is that if the consent obtained under the current regime meets also the requirements of the GDPR, no new consent is required. On the contrary, if this is not the case, a new consent shall be obtained before the 25th of May 2018.
Legitimate interest
The legitimate interest shall no longer be identified by means of a decision of the data protection authority. But the balancing test necessary to rely on it in order to be a legal basis for the data processing shall be performed by the data controller. The criteria identified in previous decisions of the Italian DPA relating to for instance biometric data and CCTV still apply. However, there is a new and wider possibility to exploit the legitimate interest as an alternative to the consent.
This is a major change since the scope of the legitimate interest (which would avoid the need to rely on individuals’ consent) is very broad as the GDPR requires to assess whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place“.
2. Longer privacy information notice, but multi-layer
A much wider amount of compulsory information shall be listed in the privacy information notice. The most relevant change in my view is the need to expressly mention the storage period of personal data. This will force companies to adopt a strict internal policy and technical measures to delete or anonymise data on the expiry of the storage period.
Also, the privacy information notice shall be concise, transparent, easily accessible and easy to understand. It can rely on standardised icons that shall be consistent across the European Union and will be defined soon by the European Commission. In this respect, the Italian DPA emphasised that the European Privacy Regulation pushes for the implementation of multi-layer privacy information notices in order to ease their understanding by the public. This would be essential given the very large amount of information to be included in the notice under the GDPR.
Also, strict deadlines are provided by the GDPR for the provision of the privacy information notice in case of personal data that is not collected from the data subject. Companies shall put in place procedures to comply with such deadlines or otherwise be able to justify why the provision of the privacy information notice requires disproportionate efforts.
A privacy information notice compliant with the GDPR shall be in place before the 25th of May 2018 and therefore some operators that have relationship once a year with their customers might need to move quite fast!
3. Reinforced rights with the novelty of the data portability right
The GDPR sets strict deadlines to comply with the requests of exercise of individuals’ rights and therefore ad hoc internal organisational and technical procedures shall be put in place to address such requests. Also, the European data protection authorities might issue some guidelines on the potential “reasonable fee” to be paid by individuals in extraordinary circumstances for the exercise of their rights.
The rights of access and erasure (the so called “right to be forgotten”) are reinforced, while the new rights of restriction and portability are introduced. In particular, the right of restriction allows the further processing of personal data to be limited, pending a decision on it, and obliges companies to adopt a procedure to “mark” such data up to the expiry of this transitional period. With reference to the data portability right, the Italian DPA refers to the opinion of the Article 29 Working Party that I summarised in this blog post.
4. New obligations for data processors, while the need to appoint the persons in charge of the data processing remains
Data processing agreements with data processors shall be amended since the GDPR provides for a large number of obligations to be imposed on data processors (i.e. whoever processes personal data on behalf of the data controller), including the obligation to have in place a record of data processing activities, to implement adequate technical and organisational measures and, if it falls under specific categories, to appoint a data protection officer. The European Commission is considering the adoption of standard clauses for data processing agreements, but – as mentioned in this blog post – the main change relates to the controls to be implemented to monitor data processors.
A positive change is that data processors can appoint sub-processors, but data processors remain liable towards the data controller for the activities of their sub-processors, unless “it proves that it is not in any way responsible for the event giving rise to the damage“.
Interestingly, the Italian DPA provides that the individuals accessing personal data shall still be appointed as “persons in charge of the data processing” (incaricati del trattamento), which was a peculiarity of the Italian Privacy Code. Indeed, in order to prove the implementation of adequate technical and organisational measures, strict instructions shall be given to whoever has access to personal data.
5. Need to adopt an accountability program
The accountability principle is one of the major changes introduced by the General Data Protection Regulation. This requires that companies processing personal data are able to prove to have adopted the measures necessary to comply with the GDPR by means of a so called “accountability program“.
The accountability program finds two of its main elements in the implementation of a privacy by design and a privacy by default approach and in the performance of a privacy impact assessment that can be followed by a consultation with the competent data protection authority.
Such elements require that an assessment on the legality of the data processing activities is no longer performed by the data protection authority, but needs to be carried out by each entity processing personal data. This is the reason why the notification to the Italian DPA and the obligation to run a prior check with it in some circumstances will be removed with the GDPR.
Other elements of the accountability program are
- The establishment of a record of processing activities which the Italian DPA recommends to any company, regardless of their size and for which it might issue a template;
- The implementation of “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, which can no longer be limited to the minimum security measures provided so far by the Italian privacy code. However, the Italian DPA is considering issuing guidelines on the security measures to be put in place;
- The adoption of a procedure for the notification to the Italian DPA and the communication to the relevant individuals of data breaches, “unless the controller is able to demonstrate [—] that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. For this purpose, data controllers also “shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken”, regardless of whether it has been notified to the Italian DPA, and make it available upon request; and
- The appointment of a data protection officer on which the Article 29 Working Party issued an opinion summarised in this blog post.
6. No major change for transfers of data outside the EEA
Principles and tools such as those currently provided remain for the transfer of personal data outside of the European Economic Area. It is possible to rely on codes of conduct, but those shall be expressly approved by the competent data protection authority.
Also, it is not possible for courts of non-EEA countries to order the transfer of personal data outside the EEA. This shall occur either on the basis of international treaties or if the relevant EU Member State recognises the public interest to the data transfer.
The above is a very interesting outline of the main contents of the GDPR and of the applicable obligations. On the same topic, you may find interesting my series of top 10+ issues arising from the European Privacy Regulation:
#1 Which companies shall care about it?
#2 Will fines be really massive?
#3 Did you run a privacy impact assessment?
#4 New risks for tech suppliers
#5 What changes with the one stop shop rule?
#6 How the new privacy data portability right impacts your industry
#7 What issues for Artificial Intelligence?
#8 How to get the best out of data?
#9 Are you able to monitor your suppliers, agents and shops?
#10 What liabilities for the data protection officer?
#11 Are you able to handle a data breach?
#12 Privacy by design, how to do it?
#13 How data on criminal convictions of employees become a privacy risk
#14 Red flag from privacy authorities on technologies at work
#15 Need a GDPR compliant data processing agreement?
EEG iGaming Directory
How Gambling Regulation Across Europe Is on The Increase
Since exploding into our lives some twenty years ago, online gambling has gone through several transformations. Games have improved, the devices that we access them on have changed, and there are more services than ever before.
As is typical, legislation has lagged behind innovation in the industry here in Europe. We’re just starting to see more nations undertake the balancing act between ensuring they generate sufficient tax revenue, and providing a safe environment for their bettors. This process is made particularly difficult since levying too much tax will discourage investment in localities, as well as promote a move to less regulated, altogether dodgier iGaming venues from the punters themselves. Despite the divides between legislators, there are still good offers for specific countries across Europe.
Regulation is the Answer
Some nations in Europe have already made steps to encourage a more open market, and thus create opportunity for new online gambling ventures to open there. Portugal have just spent the last two years trying to tackle similar issues within their own gambling legislation. However, under their new laws, there is concern that their efforts have made offering services there commercially unviable for international companies. Aggressive taxation is at fault and responsible for strangling companies trying to setup shop there.
The likes of Bet365 and William Hill quickly left following changes in 2015 and have shown no willingness to return. The efforts by Portuguese legislators are clearly stifling innovation in the nation. The problem is exacerbated by a curious issue facing the nation too. The SCML, a company who have long held a monopoly on iGaming services, are actually registered as a charity organisation and are therefore eligible for a 50% tax cut. It’s no wonder established bookmakers want little to do with the market.
Cyprus is also undergoing great changes to its gambling industry. However, their efforts to prohibit unlicensed betting sites seem short-sighted. Rather than take away the incentive for players to use fully regulated services, they have simply outlawed those that have not obtained full licenses. Of course, countless examples abound of how prohibition of something is usually a spectacular failure and there seems little evidence to suggest that internet-savvy Cypriots will not simply circumvent legislation using online privacy tools and anonymous digital currencies. As it stands, there are over 2,400 websites that have been blacklisted. Meanwhile, services hoping to operate there legally are forced to jump through a series of legal loopholes. These include demonstrating a certain amount of capital, licensing fees, and a 13% taxation.
Recently, the likes of Holland, Sweden, Poland, and Greece have begun to take tentative steps towards an overhaul of their legislation governing online gambling. Aggressive taxation policies in these nations have resulted in an exodus of international providers which has led to monopolies. Holland are currently attempting to break an entrenched, state-owned monopoly on gambling that has existed for many years.
They hope that the Remote Gaming Act of 2016 will encourage foreign investment and greater competition. However, the likelihood of success of such a measure is questionable. The huge 29% tax obligation of gross revenue is hardly going to encourage foreign providers to enter the market. However, there do exist plans to lower this rate to 25% by 2020. Yet, too little, too late still springs to mind.
Meanwhile, the major gambling hub that is Sweden are hoping legislation will help liberalise their market. There, a 20-year monopoly has existed. The Swedish efforts seem better placed to deliver results than the Dutch, however. Under an Act due to take effect by January 2019, there’ll be a unified tax levied on all gross gaming revenue. The rate is a more competitive 18%. Meanwhile, providers will also have to submit a licensing fee to operate on Swedish territory.
Curiously, Greece are moving in the opposite direction. Rather than reduce taxation to increase foreign investment, they’ve added 5% to the rates charged to providers. Thanks to the struggling economy in Greece, ministers are desperate to generate revenue by any means necessary. The European Commission have put pressure on the Greeks to open their markets, however, the increase in taxation of 2016 seems to be doing just the opposite. Greek gambling company, the OPAP, enjoy most custom at present, however there are plans to begin tackling this by 2020.
In Poland too, renowned bookmakers like William Hill, Bet365, and Betfair have been forced to leave the market because offering their services there isn’t considered viable financially. In 2016, the legislature vowed to re-examine the laws in place with the aim of developing the market there. Little has been done since then, however.
Whilst large portions of Europe are trying to use legislation to further open markets, there remain those nations who continue to ignore European Commission recommendations altogether, or prefer a protectionist policy when it comes to gambling. Germany, for example, falls into the former category, with the likes of Finland and Norway being firmly in the latter. In Germany, some 71% of the total bets placed on sports take place on so-called grey markets.
Their highly liberalised gambling climate makes it so that any operator can offer their services there if they’re not based in Germany, and are licensed by a known European gambling authority. This leads to a situation where an estimated 1.5 billion euros in lost taxation revenue is leaving Germany every year. With most regions refusing to follow EU proposals, it seems to be more of an issue of Germans trying to make a point about their own sovereignty from EU rule than anything else.
Different again is the situation in Finland and Norway. These Scandinavian states opt for protectionist policies and in contrast to the Swedes are in no rush to tackle the system of monopolies in their gambling industries. This is largely because a significant portion of iGaming profits currently go directly to charitable organisations. Liberalising the economy there would likely see improvements in the player experience of online gambling but those in receipt of donations would certainly lose funding.
Interestingly, however, the law which makes foreign online betting sites illegal in these two states is rarely enforced at player level. This is often the case in such jurisdictions, and the result is huge streams of revenue flow out of the countries and into the coffers of providers who offer better odds, and more generous player perks.
Finally, there are some countries that seem to be making a much better job of regulating online gambling than the rest of Europe.
The United Kingdom, for example, enjoys one of the planet’s most vibrant betting environments. This has been cultured through a generally laissez-faire gambling policy since online gambling’s inception. Their stringent player protection rules but generous taxation policies provide the perfect environment for iGaming companies and sportsbooks to flourish. Competition is fierce in the UK, and many bookmakers find themselves head to head with one another to try and lure a public who are more than happy to have a punt on just about anything.
Clearly, there is anything but a unified gambling policy in Europe at present. Despite EU recommendations to liberalise markets and smash monopolies, the situation isn’t progressing quite as intended. Whilst some refute the centralised authority of EU leaders, others have attempted to generate greater revenue for themselves through aggressive taxation which has led to the industry effectively being strangled by legislation.
Of course, players need protection, and if foreign companies are making a killing offering gambling services, government are going to want a slice of that pie. However, as we’re seeing from the ad hoc array of legislation coming from European states, there is anything but consensus when it comes to finding the correct balance. Perhaps more countries should look at the example set by the likes of the United Kingdom who seem to be doing a relatively good job of nurturing their industry without endangering players or stifling innovation.
EEG iGaming Directory
Swiss Parliament agrees on gambling law
Switzerland is finally about to pass a unified law on gambling after the Parliament agreed on the final details about taxes.
A single gambling law is about to be achieved in Switzerland after the Parliament agreed on a compromise over taxes on winnings from lotteries and sporting bets. The country is close to unifying gambling legislation under a single law that would regulate the industry altogether.
The Parliament members concurred on taxing lotteries and sporting bets only when winnings cross US$1.029 million and overcame the final hurdle that delayed the unified law. The decision sets equal taxation criteria across all forms of gambling, unlike the current regime, under which winnings from lotteries and sporting bets are taxed while money won in Swiss or foreign casinos is not.
The new legislation is set to replace the 1923 Lotteries and Betting Act and the 1998 Gambling Act and will take a tougher stance on online betting.
As underage gambling is one of the main concerns regarding the online segment, the law-to-be was created with a view to protect minors and also prevent money laundering. It will limit online betting games to entities based in Switzerland and winnings from online gambling will also be subjected to income tax.