71 / 76
January/February 2016 // PUBLIC GAMING INTERNATIONAL //
71
T
he hot topic in the EU of the end of 2015 and
the start of this new year is without any doubt
the shake-up of the EU rules applicable to the pro-
cessing of personal data. This article intends to shed
light on new provisions that, once finally adopted,
will impact lotteries and gambling operators. Pro-
cessing of customer data, extensively done by online
gambling operators to attract new customers and
push their customers to play more, will no longer
be possible in the same way.
That comes in addition to the recent judgment
of the Court of Justice of the EU, in the C-362/14,
Maximillian Schrems v Data Protection Commis-
sioner (about the use of data by Facebook), in which
the Court annulled the European Commission’s
Decision
1
that laid down the safe harbor principles
allowing the transfer of personal data from the
EU to the USA under Article 25(1) of the current
Directive on personal data protection (“DPD”)
2
.
The ruling of the CJEU is of great importance, as
it implies that all transfers of personal data from
companies based in the EU to US companies may
be challenged since the USA is not anymore pre-
sumed to ensure a level of protection equivalent
to the protection guaranteed within the EU in ac-
cordance with Article 25(6) DPD. Moreover, com-
panies based on both sides of the Atlantic are no
longer allowed to directly transfer the personal data
obtained in the EU to their US establishment. Such
an automatic transfer could be found in breach of
EU law (and hence be suspended by national Data
Protection Commissioners) considering that, ab-
sent of Decision 2000/520, nothing demonstrates
that the Commission finds that the USA ensures an
adequate level of protection of the EU residents in
the processing of their personal data
3
.
Personal Data Protection rules are currently pro-
vided for in the DPD. It must be emphasized that
actual rules are laid down by a Directive. A Direc-
tive is an EU legislative instrument that requires, in
principle, an implementation in the national legal
framework of the EU Member States in order to
produce legal effect. Moreover, such text is bind-
ing on the Member States as to the objectives to be
achieved, but Member States maintain discretion
as to the means to be carried out to meet the pur-
pose of the Directive. This leads to diverging na-
tional regulations, even though they are all aimed
at the same purpose. The overhaul of the EU data
protection laws leads to the adoption of two new
legislative texts that aim to substitute and comple-
ment the current regime. The first one takes the
form of a Directive, i.e. the prospective Directive
on the protection of individuals with regard to the
processing of personal data by competent authori-
ties for the purposes of prevention, investigation,
detection or prosecution of criminal offences or the
execution of criminal penalties, and the free move-
ment of such data (this text is not addressed in this
article), the second (and the text with the most
significant importance for all companies in the
EU) will be adopted in the form of a Regulation
4
.
Unlike a Directive (and hence the actual DPD), a
Regulation is a legislative text that does not need
to be implemented into national law to have legal
effect in a Member State. As such, a Regulation is
entirely and directly binding on all EU Member
States, hence producing legal effect in the Member
Overhaul of the EU Personal
Data Protection Laws:
Why this is an opportunity
for well-prepared Lotteries
and more a problem for online
gambling operators.
B
y
P
hilippe
V
laemminck
and
L
ucas
F
alco
—
ALTIUS
www
.A
ltius
.
com
1 Decision 2000/520.
2 Directive 95/46/EC of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the free movement of
such data
3 The EU and the US are however currently negotiating new safe harbor prin-
ciples.
4 (The prospective) Regulation on the protection of individuals with regard
to the processing of personal data and on the free movement of such data
(General Data Protection Regulation).