The recent World Online Gambling Law Report event held at Olswang raised some interesting data protection issues. One of the main topics addressed at the event was the challenges faced by gambling operators when changing service providers and, in particular, the data protection issues around migrating customer data. With operators in some of the most popular offshore locations – Gibraltar, Malta, the Isle of Man and Alderney (a part of the Bailiwick of Guernsey) – targeting UK consumers, below is a brief summary of the legislative safeguards in place.
Gibraltar and Malta are both part of the European Union and therefore have an obligation to implement community law, including the Data Protection Directive, into national legislation. If you haven’t seen Gibraltar on a list of EU Member States, then don’t worry; it entered the EU with the United Kingdom in 1973 as a qualifying “European territory for whose external relations a Member State (the UK) is responsible“. The Isle of Man and Alderney/Guernsey, however, are not EU Member States.
Malta implemented the Directive under its Data Protection Act on 4 December 2001. The definition of “personal data” in that act mirrors that in the Directive and the data protection principles set out in the Directive are, broadly speaking, accurately reflected in the Maltese law. Malta is also included on the EU website’s “status of implementation” list of Member States that have successfully implemented the Directive.
Gibraltar’s Data Protection Act 2004, interestingly based on the Irish Data Protection Act, features a wide definition of “personal data”: “any information relating to a data subject“. The data protection principles in the Directive are again, broadly speaking, accurately reflected. The status of Gibraltar’s Data Protection Act 2004 is, however, slightly tricky, as Gibraltar is not included on the “status of implementation” list referred to above. Both the Gibraltarian legislative arm and the Gibraltar Regulatory Authority (the data protection regulator in the jurisdiction) have confirmed to Datonomy that the Directive has been correctly implemented and that the European Commission has been notified. And, in addition, the actual legislation itself states that it is implementing the Directive. So, all that remains is inclusion on that list…
One of the objects of the Directive is that Member States neither restrict nor prohibit the free flow of personal data between Member States on the basis that this would protect individuals’ rights. Migrating customer data between the UK, Gibraltar and Malta is therefore likely to be relatively straightforward in terms of the data protection legislation, subject to the relevant consents being obtained. What, though, of the non-EU Member States?
The Isle of Man and Alderney/Guernsey, although not EU Member States, have both implemented legislation in relation to data protection: (respectively) the Data Protection Act 2002 and the Data Protection (Bailiwick of Guernsey) Law 2001. The definitions of “personal data” and the eight data protection principles in both pieces of legislation exactly mirror the UK’s Data Protection Act 1998, and the two territories are also on a list of “Third Countries” prepared by the European Commission to which personal data can flow without any further safeguards being necessary. The Commission’s report states: “For the purposes of Article 25(2) of Directive 95/46/EC, [the Bailiwick of Guernsey/Isle of Man] is considered as providing an adequate level of protection for personal data transferred from the Community.” Other countries recognised in this way include Switzerland, Canada, Argentina and the United States (subject to the Safe Harbor principles).
Datonomy will follow with interest how data protection legislation is enforced in these popular jurisdictions for gambling operators, but it seems that customers concerned about protection of their personal data don’t need to cash in their chips….
With thanks to Sam Ross