In the last week Max Drayman at Casinomeister has once again raise the issue of operators citing “Data Protection” as a reason that they cannot discuss complaints when players approach an Alternative Dispute Resolution (ADR) service like ThePOGG or Casinomeister (you can read this conversation here).
This topic is one that is very relevant to the day to day operation of this service. Our experience is that we receive a complaint from a player against ‘Casino GDPR’, we then contact Casino GDPR to initiate a dialogue about the complaint and they tell us something along the lines of “We cannot discuss any aspect of the player’s account with a 3rd party due to the GDPR/data protection law”.
So what is the problem here? With all the big stories in the press recently about how our data is being misused by companies to market to us in manners we never intended or manipulate our views or opinions to undermine our free will, surely it’s a positive that some business are taking the protection of your personal data seriously?
The problem is that these operators are being entirely disingenuous. Declining to discuss the player’s complaint has absolutely nothing what-so-ever to do with protecting private information. These excuses are trotted out to avoid scrutiny of practices of the operator, not to protect the player.
The truth is that neither the GDPR nor the Data Protection Act that preceded it create any insurmountable legal barrier to a gambling operator discussing any aspect of a player’s account or activity where the account holder requests they do so. Yes, the GDPR increased the responsibilities of businesses to manage their customer’s information responsibly and significantly inflated the penalties for failing to do so, but no part of these laws was ever intended to prevent data sharing for legitimate reason and they certainly do not preclude a gambling operator working with a 3rd party dispute mediation service to resolve a complaint from one of their customers.
The GDPR offers two clear avenues (or in technical language ‘Lawful Basis’) for operators to manage complaints/a user’s account data via a third party in a complaint situation. Having taken guidance from the ICO regarding this issue the most appropriate is likely to be:
Legitimate Interest – This Lawful Basis is rooted in the ‘Data Controller’ (the gambling operator in this instance) sharing the personal information on the ‘Data Subject’ (the player) in a manner that the Data Subject would “reasonably expect”, which should have a “minimal impact on privacy” or where the impact is beyond minimal there is a “compelling justification” to move forward anyway.
Where a player has submitted a complaint to a 3rd party dispute mediation service it is patently obvious that they are expecting an exchange of their personal information between the ADR and the operator they are complaining about. The majority of the information that can be reasonably classified as “personal information” is or can be provided by the submitting complainant directly to the ADR circumventing any need for the operator to “process” this data and minimising privacy concerns and given the published report that is likely to result from this interaction the gambling operator has a “compelling justification” for processing the information as they have a vested interest in ensuring the final report is factually accurate and accurately reflects on the actions they have taken.
In short, the GDPR provides sound Lawful Basis for operators to process a player’s personal data under Legitimate Interest.
Let’s set aside Legitimate Interest for the time being however many operators seem to struggle to accept this Lawful Basis to process personal information. There is another Lawful Basis that can validate the processing of a player’s personal information in this circumstance:
Consent – This Lawful Basis is the most intuitively obvious to players. It means that the Data Subject directly gives the Data Controller permission to share their personal information with a 3rd party.
Alongside not being the most appropriate Lawful Basis to process data in a complaint type situation Consent unfortunately usually results in some additional ‘paperwork’. As long as the ADR service has the correct terms and conditions in place and is ensuring to get clear agreement from the complainant that explicitly defines which organisations they are going to share the complainant’s data with, the standards for Consent have been met before contact with the operator ever happened. ‘Friendly’ operators are usually willing to accept that. However other operators will often seek higher standards of Consent that they can keep on record. This barrier is not by any stretch insurmountable but usually results in the player having to provide a signed letter to the operator explicitly providing their permission for the operator to share any personal information they hold on the player with the ADR service.
The Data Protection Lie
Given the above, what grounds do operators have to cite “data protection” or “the GDPR” as a reason not to discuss a player’s complaint with an ADR service? None. Above we have clearly laid out two entirely legitimate justifications under which online gambling operators can engage in complaint management with ADR services. “Data protection” is demonstratively not sound grounds for refusing to engage in discussion of player complaints. The gambling operator could easily overcome any and all legal barriers to their processing the player’s personal data (regardless of whether these legal barriers really exist or are simply a conservative construct on the part of the operator to ensure they offer their business the maximum legal protection) if there is any legitimate will to do so on the part of the operator.
So if there is no grounds to refuse to discuss a complaint based on data protection or the GDPR, why do some operators look to use this as a reason for not doing so? Because it sounds legitimate. The vast majority of people do not fully understand the ins and outs of data protection law. They do not know what rights these laws grant and what strictures they create.
Many operators are very wary – and with good reason – of any external scrutiny of their practices or their management of players. They actively do not want anyone questioning what they do. They have been strong-armed by some regulatory agencies (currently the UKGC and MGA) into having to work with some level of 3rd party scrutiny in the form of ADR services, but they are hostile to any suggestion that they should engage further than the letter of the license requirements.
The legal teams of some gambling operators look to exploit the lack of consumer understanding of data protection law to mis-represent their internal policies as a legal barrier. In other words they want people to believe that they ‘legally cannot’ manage a complaint or that they are just trying to look out for their customers’ best interests when the reality is far more simple: they do not want another independent party reviewing the issue in case the discussion ends up reflecting poorly on them.
In our opinion this is a wilful deception intended to mislead and misrepresent the truth. Acting in this fashion is dishonest at its core and an entirely disreputable business practice.
To give a practical example of this, below I will present a conversation that coincidentally took place between myself and an operator immediately prior to the publication of this article below. The email conversation below is a perfect example of an operator trying to use data protection as a justification for not managing a complaint when in fact they simply did not want to work with our service to address the issue. They are entirely within their rights to decline to work with our service. But citing “data protection” as their reasons for doing so is fundamentally incorrect.
I have redacted the email conversation so neither the individuals involved nor the group can be identified. This isn’t an exercise intended to ‘name and shame’ (that will come further down) – this group are far from unique and it would not be fair to single them out in this manner. This is intended to give players and other interested parties a reference point to understand how operators can and do mis-represent data protection laws in an effort to validate player unfriendly internal policies.
Directly below this email chain you will find a ‘Named and Shamed’ section. This is where we will from now on list any operator who when refusing to discuss a complaint with this service looks to represent that their reason for refusing to enter a dialogue is due to an impediment created by the GDPR, data protection or any reasonable variant of these themes. We will not populate this immediate so as not to inadvertently identify the operator in the below email conversation.
Named and Shamed
Below you will find a list of operators who have provided ‘data protection’, the ‘GDPR’ or some other reasonable variant as grounds for refusing to discuss a complaint:
Leave a Reply
You must be logged in to post a comment.