Some readers may remember an article I wrote a few years ago entitled Casino Industry Myths - The Data Protection Act (DPA) wherein I wrote of the widespread misinterpretation and/or misuse of the DPA by casinos to stifle discussions related to player complaints. The common claim then was that they were "protecting the consumer" and that that meant the door to discussing anything related to that consumer was well and firmly closed. In other words casinos were using it as a free pass to ignore player complaints.
The problem was that it was all 100% BS. As ICO.org.uk ("The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals") had pointed out, the DPA was not intended to be used as an impediment to a third-party's involvement in dispute arbitration. Where that third-party had been properly authorized by the player to speak on their behalf such involvement was perfectly legal and legitimate.
Well, here we are three years on with a new set of data protection laws, the GDPR. And unfortunately we're pretty much right back where we started in that the GDPR is now being abused in the same way the DPA was then. "Can't discuss details because of GDPR" and "GDPR/legal obligations does not allow us to discuss details" and so forth. To be blunt this is very much a "same shit different day" situation: casinos are through ignorance or intent misusing the GDPR to inhibit discussion of player complaints whether the player provides explicit authorization for that discussion or not.
I'd love to be able to point to ICO, or somesuch, and debunk this round of abuse of the data protection laws as efficiently as we did last time. Unfortunately that's not possible yet because ICO hasn't issued any such statement regarding the GDPR in relation to dispute arbitration nor has any other prominent organization, as far as I know.
What I have seen is
In other words the player contacts the DPO at the casino, explicitly requests that their data be disclosed to the arbiter they designate (us, for example) and the DPO then forwards the necessary data.
Unfortunately that's as good as it gets, for now. Per the GDPR the DPO is allowed to take up to two months to respond and there's no guidance at this time (AFAIK) as to how forthcoming regarding the player's complaint they need to be. They could simply supply the player's registration details and nothing more. Obviously that's not going to be very helpful when it comes to resolving a dispute.
As with most situations of this nature players can expect that some casinos will have no problem discussing their complaint with the arbiter of their choice and, for the time being, other casinos will continue to use the GDPR as an impediment to any such discussion.
Sadly the list of casinos opting to join the latter group is depressingly long and those casinos are likely to continue their non-cooperative ways until someone with clout shows them they can't. For now ADRs like us are left with little choice but to try convincing reluctant casinos to respect the player's wishes and flag incidents of non-cooperation as effectively as we can. Cold comfort for the players but so it is for the time being.
Addendum: as many of you know
An excellent suggestion and one I would have followed except that I find that operators won't generally engage in the discussion at that level. To make a long story short I find that if they can avoid discussing details with you then they will. In other words it's exceedingly difficult to get to the point in the conversation where those points can be brought to bear, usually they'll simply avoid it as long as they can.
The point about a judgement ruling from ICO, or whomever, is that that adds some gravitas to discussion with the operator. Specifically it helps them understand that avoiding the discussion entirely may no longer be an option for them. That is certainly what we saw in regards to the ICO notice re the DPA: before it most casinos ignored our protests that they were abusing the DPA, with it out there and in the open most operators changed their approach either towards cooperation or simply slamming the door completely shut and bringing their legal teams forward to keep it shut.
So to put it another way, I find there often needs to be a stick in the picture (something "official" that shows them to be in violation of the law's intent) before they'll see the carrot. Whether they'll suddenly develop an appetite for carrots or not is another matter.
The problem was that it was all 100% BS. As ICO.org.uk ("The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals") had pointed out, the DPA was not intended to be used as an impediment to a third-party's involvement in dispute arbitration. Where that third-party had been properly authorized by the player to speak on their behalf such involvement was perfectly legal and legitimate.
Well, here we are three years on with a new set of data protection laws, the GDPR. And unfortunately we're pretty much right back where we started in that the GDPR is now being abused in the same way the DPA was then. "Can't discuss details because of GDPR" and "GDPR/legal obligations does not allow us to discuss details" and so forth. To be blunt this is very much a "same shit different day" situation: casinos are through ignorance or intent misusing the GDPR to inhibit discussion of player complaints whether the player provides explicit authorization for that discussion or not.
I'd love to be able to point to ICO, or somesuch, and debunk this round of abuse of the data protection laws as efficiently as we did last time. Unfortunately that's not possible yet because ICO hasn't issued any such statement regarding the GDPR in relation to dispute arbitration nor has any other prominent organization, as far as I know.
What I have seen is
You do not have permission to view link
Log in or register now.
(Chartered Institute of Arbitrators) wherein matters related to the above are discussed. For the purposes of the following note that a Data Subject (for us, "the player") is a person whose data is held by a Data Controller (for us, "the casino") and the Data Protection Officer (aka DPO) is the person within the Data Controller's organization who is responsible for GDPR compliance:The designation, position and tasks of the Data Protection Officer (“DPO”) are covered under Articles 37-39. Under Article 38, the Data subject may contact the DPO if there are issues related to processing of their personal data and Article 4(2) provides that “Processing means any operation or set of operations which is performed on personal data or set of personal data, whether or not by automated means, such as...disclosure by transmission....” In an arbitral proceeding, an issue by a Data subject requires disclosure. This disclosure obligations falls within the purview of the GDPR and is necessary for the purposes of legitimate interests of both the data controller and data subject.
In other words the player contacts the DPO at the casino, explicitly requests that their data be disclosed to the arbiter they designate (us, for example) and the DPO then forwards the necessary data.
Unfortunately that's as good as it gets, for now. Per the GDPR the DPO is allowed to take up to two months to respond and there's no guidance at this time (AFAIK) as to how forthcoming regarding the player's complaint they need to be. They could simply supply the player's registration details and nothing more. Obviously that's not going to be very helpful when it comes to resolving a dispute.
As with most situations of this nature players can expect that some casinos will have no problem discussing their complaint with the arbiter of their choice and, for the time being, other casinos will continue to use the GDPR as an impediment to any such discussion.
Sadly the list of casinos opting to join the latter group is depressingly long and those casinos are likely to continue their non-cooperative ways until someone with clout shows them they can't. For now ADRs like us are left with little choice but to try convincing reluctant casinos to respect the player's wishes and flag incidents of non-cooperation as effectively as we can. Cold comfort for the players but so it is for the time being.
Addendum: as many of you know
You do not have permission to view link
Log in or register now.
is at least as active in the area of player complaints as we are. He had some very salient thoughts on the above:I would have focused on the parts of the legislation that facilitate the interaction ...
The Legal Basis covered in the GDPR provide two clear roads for operators to engage (in discussion regarding a player):
- Legitimate Interest (which I have received feedback from the ICO is the correct selection in this case), and
- Consent
The latter has some interpretation - i.e. there is scope for the operator to define what is reasonable demonstration that the customer has given their consent ...
An excellent suggestion and one I would have followed except that I find that operators won't generally engage in the discussion at that level. To make a long story short I find that if they can avoid discussing details with you then they will. In other words it's exceedingly difficult to get to the point in the conversation where those points can be brought to bear, usually they'll simply avoid it as long as they can.
The point about a judgement ruling from ICO, or whomever, is that that adds some gravitas to discussion with the operator. Specifically it helps them understand that avoiding the discussion entirely may no longer be an option for them. That is certainly what we saw in regards to the ICO notice re the DPA: before it most casinos ignored our protests that they were abusing the DPA, with it out there and in the open most operators changed their approach either towards cooperation or simply slamming the door completely shut and bringing their legal teams forward to keep it shut.
So to put it another way, I find there often needs to be a stick in the picture (something "official" that shows them to be in violation of the law's intent) before they'll see the carrot. Whether they'll suddenly develop an appetite for carrots or not is another matter.
Last edited:
