How would you describe the transaction to GDPR, and what have been the main challenges to companies?
From your experience with the iGaming industry, what are the main shortcomings that you notice within the sector?
Notwithstanding having been subject to data protection rules under the Directive 95/46/EC for a good number of years, many companies do not seem to have enhanced their systems with the capabilities to facilitate access to data subjects’ rights, including providing sufficient information to ensure fair and lawful processing. Furthermore, companies might have also overlooked the recent increase in cybersecurity risks and, as a result, are currently striving hard to ensure that the necessary technical measures in their systems are in place to, inter alia, detect and prevent data breaches. In fact, since the onset of GDPR, we recorded some 70 data breaches, 15 of which related to iGaming companies. We also notice that proper email encryption is missing, for instance, on laptops that employees take home. This becomes an issue should the laptop be stolen or lost. Beyond the technology aspect, iGaming companies, especially operators, need to look into the relationship they have with their affiliates since, in certain instances, they should assume a level of responsibility for the actions of their affiliates.
Can you elaborate a bit more on your stance towards affiliate marketing and the affiliate’s role in handling personal data?
We know that responsible advertising and affiliate marketing are hot topics in the gaming industry. We already dealt with those issues pre-GDPR. In fact, we had a high-profile case: some 9,000 individuals had complained to the UK Information Commissioner that they had received spam emails from an iGaming affiliate. The affiliate was promoting a gaming company in Malta, hence, the complaints were referred to us. Had this case occurred under the GDPR, it would have been a co-decision making process with the UK Information Commissioner and subject to the administrative fines regime of the GDPR.
In this particular case, we ruled that the iGaming company was responsible for the unsolicited emails sent by its affiliate. The case is not yet closed because the gaming company appealed our decision, and we are still awaiting the outcome of the appeal. We are aware that the relationship between an affiliate and an operator can be complex given the industry structure and the fact that there are affiliate networks, affiliates and even sub-affiliates, and we acknowledge that there might be cases where both parties should be responsible from a data privacy point of view, as well as cases where only one of them is responsible. The outcome of the appeal will be important in clarifying and confirming responsibilities further.
There are more than 250 iGaming companies in Malta with international operations. How do you respond to cross-border data protection issues and how do you ensure regulation of companies in Malta with an international footprint?
GDPR provides for greater co-operation and information sharing between European data protection authorities. Cross-border incidents that substantially affect users from a number of EU member states will generally be investigated by a lead supervisory authority. We are the lead authority if the company has its main establishment in Malta, which is the case for most iGaming companies. But we don’t work in isolation as other authorities can offer their view and recommendations on which actions should be taken, particularly when individuals in their own jurisdiction have been adversely affected by processing operations. We can also ask for assistance during an investigation, for instance in cases where we may lack technical expertise. Where appropriate, we can also conduct joint investigations and joint enforcement action. In this scenario, we will enter into a co-decision making process with other supervisory authorities representing data subjects affected by the violation.
How do you expect privacy laws to evolve in the coming years?
I believe the landscape will further evolve in the coming years. One reason for this is new technology in the form of blockchain, which was not taken into consideration when GDPR was written. The GDPR requirements apply also to blockchain processing. One of the major concerns relates to the concept of a ‘retention period’ given that no data on the blockchain can be deleted. These issues need to be addressed, and they are on the agenda of European Supervisory Authorities. Looking outside of Europe, we also see that Europe’s privacy laws are fast becoming a global standard, with many countries around the world updating their data protection legislation to mirror the GDPR model because they fear their companies and service providers could be shut out of the European market.
Do you have a final message that you’d like to share?
We feel awareness has increased significantly especially this year in the run up to the GDPR. A lot of companies have done a lot of work to make preparations to comply with the GDPR. However, organisations still need to ramp up their data protection efforts to conform to the GDPR. All European data protection authorities are willing to bite, if required, and we are no exception. However, we certainly prefer to engage and educate people including data controllers and processors. Everyone who has a question can reach out to us, and we are committed to replying within a reasonable timeframe. Sound data protection gives companies the competitive edge in this digital age and data-driven economy.
Saviour Cachia has experience in Systems Development and Data Management Activities. He sat on inter-ministerial committees to draft a legal framework to regulate and enable information practices, covering data protection regulations. He articulated and implemented a strategy to set up the Office of the Commissioner and to faciltate compliance within the Public Service. On 16th April 2014, Saviour Cachia took oath of Office as Commissioner for Information and Data Protection. Apart from representing Malta in the Article 29 Working Party/EDPB, he was also the national expert to discuss the proposed data protection framework at DAPIX.