EU Data Transmission Remains Key Brexit Uncertainty

A government representative has warned gambling firms to expect serious complications when receiving data from the EU after Brexit and could only shrug when asked what companies could do to avoid breaking the law.

The spokesperson for the Department for International Trade spoke to GamblingCompliance during the recent PayExpo conference in London.

They advised gambling firms to ensure they have up-to-date contractual terms for all of the EU companies they deal with to help mitigate the legal changes that will follow any kind of Brexit.

The planned transposition of the General Data Protection Regulation (GDPR) into UK law will likely ameliorate any problems encountered when sending data to the EU, they said. However, when it comes to receiving data, the advice was considerably murkier.

"As the UK will be adopting GDPR into law, sending data to the EU should be fine. However, as the EU will recognise the UK as a 'third country', sending data from within the EU to the UK will be more tricky," said the spokesperson.

Asked whether these problems would apply not only to business between two separate companies but also to UK companies with subsidiaries and data centres in Europe, the spokesperson could only say they were unsure.

Stuart McMaster, partner and data protection expert at law firm Mishcon de Reya, agreed that gambling companies should be taking steps now to ensure they will be compliant with the dual regulatory regimes that will be in effect in the event of a no-deal Brexit — both the EU’s GDPR and the UK version of GDPR.
 
The extent of work required will depend on how personal data is currently processed by individual companies, he said.

"Organisations that receive personal data from the EU or European Economic Area (EEA) will need to review their contracts and ensure that adequate safeguards are in place so data flows can continue from 'Brexit Day' until the European Commission has made an adequacy ruling in respect of the UK and/or Gibraltar, which could take a significant amount of time," said McMaster.
 
"In addition to transfers of personal data from the EEA to the UK or Gibraltar, consider whether your organisation is transferring personal data from the UK or Gibraltar to other jurisdictions, and vice versa. If it is, is this permitted under the laws of the jurisdiction of the recipient or transferor of the personal data?"
 
Organisations should also consider whether it will be necessary to update their privacy notices, or appoint a representative in the EEA, he said.

Last week, the government published a checklist of advice for gambling companies in the event of a no-deal Brexit on October 31.

In addition to concerns about data, it warned there would likely be problems with employment, border crossings and hardware imports.

On Monday, the Malta Gaming Authority (MGA) also published its Brexit guidance, flagging risks to data protection, immigration, employment, duty and copyright.

The MGA warned that its gambling regulations require "that a person that holds a licence must be a person established within the European Economic Area".

"The United Kingdom’s exit from the EU shall mean that persons and entities established in the United Kingdom will no longer meet this criterion, and thus are required to take the necessary measures in order to ensure that the entity that holds the licence meets this pre-requisite," said the regulator.

Operators would likely have a 12-month window in which to become compliant.

The MGA said that, in its view, there would be no issues caused by a Malta-licensed operator keeping essential staff or components in the UK.

However, it warned that this opinion may be quickly superseded by the European Commission, the European Data Protection Supervisor or the Information and Data Protection Commissioner in Malta.

Additional reporting by Harrison Sayers.