A new data protection system for the UK – good or bad news?

On 4 October 2022, Michelle Donelan, the UK’s Secretary of State for the Department for Digital, Culture, Media and Sport, announced the UK’s plans to overhaul its privacy legislation, replacing its (applied) GDPR with its “own business and consumer-friendly British data protection legislation”. Following Brexit, the UK managed to secure “adequacy decisions” from the European Commission on 28 June 2021, and this was after long and rigorous negotiations. The result of such decisions was that despite the UK no longer being an EU member state, transfers to the UK are still considered “assimilated” as intra-EU transmissions of personal data.

Inevitably, many are expressing their concern that a change to local UK data protection legislation could potentially threaten the UK’s continued adequacy status. If the UK were to indeed lose its current adequacy status because of its intended legislative changes, many in the gaming industry might suffer further added privacy compliance burdens. Personal data would be able to continue flowing lawfully from the EU to the UK only if the respective EU data controller or processor implements additional safeguards as laid down in GDPR when transferring data, or if a derogation for a specific situation applies.

Therefore, if GDPR safeguards or derogations cannot be called upon, personal data cannot be lawfully transferred, given that at such a point the UK would be equivalent to a third country (all countries that are not in the EU, and that are not countries approved by the EU Commission as providing adequate data protection safeguards) in GDPR terms.

Despite such potential risk, gaming operators and suppliers may be somewhat relieved to hear that the UK’s Information Commissioner’s Office is reportedly of the belief that the change in privacy laws should not threaten the UK’s continued adequacy status. Probably, it is likely fair to expect that any such simplified UK legislation will still respect core privacy principles. However, while an upcoming simplification of UK privacy rules might sound like welcome news, it is quite likely that such a simplification attempt will have the very opposite effect on UKGC licensees.

Following the rules

Numerous UKGC licensees are companies not established in the UK, with many hailing from Malta, an EU member state. GDPR applies to entities established within the EU irrespective of where they carry out their operations/processing activities. Therefore, for most UKGC licensees, GDPR compliance will remain a must.

Effectively, this means most UKGC licensees are not expected to benefit from any simplification of UK data protection legislation – quite the opposite – they are expected to suffer from yet another instance of having to comply with two sets of rules running in parallel.

More localised data protection effort and knowledge for the UK market are therefore expected to be necessary by international gaming operators and suppliers, along with data protection policies, procedures and notices that will now need to comply with both GDPR and the simplified UK laws.

Despite the headline intentions, it is most likely the net effect of such UK law changes are going to be negative for international gaming operators, which are already burdened with the need to keep up with several local regulations due to the ever-increasing number of markets requiring a local gaming licence, at a time when many in the industry are looking at US expansion, which also comes with its own local data privacy rules.

Dr Terence Cassar is a senior associate at GTG Advocates, which specialises in gaming and betting, IP, privacy and technology laws. He is counsel to numerous international B2B/B2C gaming, betting and technology companies. He holds an LLM in Internet Law and Policy from the University of Strathclyde and a Doctor of Laws from the University of Malta, where he also serves as visiting lecturer/examiner.