A report released by the Information Commissioner’s Office (ICO), the UK’s independent information rights body, confirms that an industry-wide single customer view (SCV) will not be in breach of existing data laws.
Sandbox Phase 1 Findings
The ICO report clears the path for the gambling industry to come up with possible solutions that will give every operator a holistic view of a customer’s gambling behavior across all the other operators, to avoid the risk of mounting losses and increasing gambling harm.
Starting as a challenge to the industry from the UK Gambling Commission in February 2020, the SCV became part of the ICO’s Sandbox in November 2020. The Sandbox work sought, first, to determine whether Article 6 of the UK General Data Protection Regulation (UK GDPR) provides enough basis for the sharing of behavioral data between online gambling operators, and, second, to consider the processing of special category personal data within the remit of Article 9 of the UK GDPR.
Following the completion of Phase 1 of the Sandbox, and based on a conceptual model for an SCV, the ICO reported that sharing of behavioral data could be undertaken under Article 6(1)(e) ‘Public Task’ or Article 6(1)(f) ‘Legitimate Interests’ of the UK GDPR, as both bases provide a discretionary gateway to processing by requiring an assessment of the potential benefits from sharing against the detriments to those whose data is shared. Both bases also allow people to object to being subjected to this type of data sharing.
If an SCV requirement is inserted into the Licence Conditions and Codes of Practice (LCCP) by the Gambling Commission, operators may rely on Article 6 (1)(c) ‘Legal Obligation’ of the UK GDPR as the lawful basis for processing, the ICO pointed out.
On the processing part, the ICO believes “some elements of the data proposed to be processed via an SCV may qualify as special category data” and may violate the UK GDPR prohibition on processing special category data without an Article 9 processing condition, a predicament that can be solved by identifying this potential condition as early as possible.
Further, for the processing to be lawful, the data protection principles set out in Article 5 need to be complied with, along with other aspects of the UK GDPR such as Article 25, which deals with data protection by design and by default. The ICO states that lawfulness should also be considered in a more general way, including any non-compliance with statute and common law obligations.
No SCV Solution Mandate
In response to the report, the Gambling Commission stated that “at this stage, we have no plans to mandate a particular SCV solution – that is for the industry to develop and test – but we do expect the industry to demonstrate the impact its piloted solution has against the challenge we set,” effectively urging the industry to come up with a solution of its own, “in collaboration with us and the ICO, within a Sandbox environment.”