A surprise promise by the new UK government to jettison the General Data Protection Regulation (GDPR) regime as part of a “bonfire” of European Union regulations could mean headaches for online gambling companies that operate across national boundaries.
Culture secretary Michelle Donelan’s vow this week to replace the EU GDPR regime with a “business and consumer-friendly” UK version would risk a reassessment that could force international companies to adhere to two data protection systems, lawyers say.
Donelan’s promises of “simplification” of the GDPR aligned with new Prime Minister Liz Truss’s promise to party members that by the end of 2023, “all EU-inspired red tape will be history”.
In theory, simpler is better.
But replacement increases the chance that the EU would remove the UK’s current status as having an “adequate”, or equivalent, data protection system and generate masses of work for a host of companies.
“Any changes in the legislation which create differences in approach between the EU and the UK will make life difficult for online gambling companies which operate across jurisdictions,” said Audrey Ferrie of Pinsent Masons. “They may have to work with two systems. That makes compliance harder and adds to costs.”
Donelan’s move came as a surprise because the previous Conservative government, under ex-Prime Minister Boris Johnson, had put in motion plans to update, but not replace, the GDPR.
A parliamentary debate on the Data Protection and Digital Information Bill had been scheduled for September 5, the day before Johnson was replaced by Truss, but the bill has been “paused”, government sources say.
The UK has so far smoothly transitioned into a post-Brexit GDPR regime that just transposed EU rules into domestic regulation, said Patrick Massa of Malta-based WH Partners.
Businesses would welcome a simpler GDPR, but making it simpler is not as easy as it sounds, he said.
“Gambling companies collect vast amounts of data,” Massa said.
An unfavourable adequacy ruling would mean that a UK operator would find it much more complicated to, say, use a German due diligence company, he said.
But even if the EU did grant data adequacy status to the UK, having to comply with two or more regimes increases not only regulatory burdens but also the risk of fines, said Gemma Boore of London-based Harris Hagan.
EU fines for GDPR violations range up to €20m or 4 percent of global turnover, whichever is greater.
If adequacy status were lost, friction would arise not just in company-to-company transfers of data but also within companies, wherever personal data flows EU-UK or UK-EU between group companies, according to Boore.
That would hit UK-focused operators that have operations in the gambling hub of Malta or hold data anywhere in the EU.
Donelan said she wants the UK to learn from countries such as Japan, Israel or New Zealand, which she said protect personal data without far-reaching regulations.
“Our plan will protect consumer privacy and keep their data safe while retaining our data adequacy so that businesses can of course trade freely,” she told the Conservative Party conference this week.
“I can promise that it will be simpler, it will be clearer, for businesses to navigate. No longer will our businesses be shackled by lots of unnecessary red tape.”
“It is time we seize this post-Brexit opportunity fully and unleash the full growth potential of British business,” she said.
The Gambling Commission’s only comment was: “We would always expect gambling operators to comply with whatever data protection legislation is in force.”
Under the Johnson-era data protection bill, the UK government estimated that a loss of the adequacy status would carry a one-time cost of £190m to £460m, plus annual lost export revenue of £210m to £410m.
But another study suggested that compliance costs would be £1bn to £1.6bn, with lost business coming in addition to those one-time expenses. That 2020 study was done by the New Economics Foundation and University College London researchers.
Some Northern Ireland politicians have already griped that a new system could hinder data transfer from Ireland to the north for both companies and consumers.
And the gambling hub of Gibraltar, a British Overseas Territory, could be a wild card.
Gibraltar’s parliament might have to ponder what is best for Gibraltar and Gibraltar-based businesses, in compliance with both UK and EU law, said gambling commissioner Andrew Lyman.
“That said, EU gambling business is no longer conducted from Gibraltar and there may be merit in Gibraltar exploring changes to its data protection law to remove burdens for business,” he said.
“One might expect close collaboration between the [UK’s Information Commissioner’s Office] and the Gibraltar Regulatory Authority on this matter as well as governmental cooperation,” Lyman said.
“It’s a legal minefield, that’s the best way of putting it,” Boore said. “It might be better the devil you know.”