I reviewed the papers this morning on BBC1 at some ridiculously early hour, and one of the articles that came up was a piece in the Telegraph that talked about how the Government plans to share data across Whitehall departments. It amused me, given that I had written about data sharing (by the Gambling Commission, with overseas regulators) last week.
I don’t know if that piece, published on Tuesday, was what prompted a Gambling Commission FAQ on Friday, but whatever the cause, this is what they put out, apparently knocking down my points one by one:
29 Won’t Schedule 6 need to be expanded to allow the Commission to share information with other regulators?
31 July 2014
29.1 No. Unlike some other regulatory statutes, the Gambling Act 2005 contains no general prohibition on the provision of information by the Commission to others. That means that it is not unlawful for the Commission to provide information to other regulators if it considers it appropriate to do so, as long as it complies with any generally applicable legal requirements such as those arising under data protection law where personal data is concerned.
29.2 Schedule 6 (together with section 30) simply gives the Commission the express power to provide information to certain bodies, thereby simplifying the provision of information to British organisations and international sporting bodies it deals with regularly. It also enables the bodies listed in Schedule 6 to exchange information between themselves, and specifically empowers the Commission to charge for the provision of information to those bodies.
29.3 If the Commission proposes to provide information to a body not listed in Schedule 6, it will need to give greater consideration to whether (for instance) that body is capable of handling the information responsibly and fairly. Of course in many circumstances the provision of information will be with the consent of the data subject, in which case no legal issues arise. The Gambling Act 2005 also imposes no restriction on the Commission’s ability to receive information from regulators in other jurisdictions.
Hmmm. Let’s just consider this for a moment.
So, the absence of a general prohibition on sharing information with overseas regulators makes doing so implicitly fine. Really? On the one hand, Parliament felt it necessary to state explicitly in primary legislation with whom and in what circumstances information could be shared (when it related to UK statutory bodies), but on the other (when it comes to overseas regulators) it isn’t bothered? Is it likely that a previously ultra-prescriptive Parliament (which as I mentioned was obliged, in order to add the IOC, to make an amendment through the Olympic Act 2006) is now happy to leave things to the Commission’s sole discretion, with no specific guidance as to what information it could share (and who with)? Personally (and notwithstanding the direction of travel indicated in today’s Telegraph piece), I find that an unlikely scenario, but the Commission throws in the idea that in many circumstances the provision of information will be with the consent of the licence applicant, in which case no legal issues arise. Oh, so fair enough, you might say. Unless you think, on a less charitable reading, that the Commission’s safety net is to rely on the ostensible consent of licence applicants to cure what it realises is a defect in the law.
Am I being harsh? Well, as I said last week, I’m no lawyer: maybe I’m just seeing things where there’s nothing to see. So I thought I would run it past a lawyer for a view, to see if I was just nuts. This is what I got back:
The GC’s interpretation of section 30 (read with Schedule 6) would result in an effect quite different from that which Parliament intended, and would fall on the wrong side of the boundary between interpretation and amendment of a statute. What the GC is overlooking is that while it might have been reasonable for Parliament to have included a general power to share information with overseas regulators, it is clear that the express provisions of the GA interpreted in their context do not confer this power on the GC by necessary implication. They provide no basis for any implication that it was intended to be included. A necessary implication is a matter of express language not interpretation. What Parliament would probably have included in the GA if it had thought about it is, frankly, irrelevant.
Let’s backtrack. To underline the point, in case you have forgotten since my last post: I don’t disagree with any of the Commission’s motives, nor do I dispute that in clearly-defined circumstances, the information it is trying to share is sensible. The Commission clearly has the authority to share information with overseas regulators where the information requested is needed to investigate or prosecute a crime. It also clearly has the authority to do so with those bodies listed in Schedule 6. It also clearly has the right to do so if it does so in a manner legal under other data protection law. None of this is in dispute.
But any decision suddenly to ignore parameters (or make up its own) would get the Commission into real trouble, perhaps at the expense of the whole house of cards. And what is not clear from the FAQ statement on Friday is how sharing information with overseas regulators for the purposes of licence applications made to those regulators falls into any of the three categories mentioned above.
The Commission position – that it is not unlawful for it to provide information as long as it complies with any generally applicable legal requirements such as those arising under data protection law where personal data is concerned – is entirely correct and impossible to dispute. But that’s exactly the point. It is ‘legal’ to share this data only on the back of a huge catch-all disclaimer on page 20 of the application form for a licence, by which applicants are forced to waive all rights to data protection in order to have the right to apply in the first place. The Commission is relying on a blanket waiver which is included as an application-form requirement in its small-print. This time, I don’t think I need to be a lawyer: Blind Freddie could see that would be very difficult to defend.
The fanciful scenario I mooted last week (of information being given to the Russian Gambling Commission in 2015) seems to be addressed by the Commission’s statement that before it shares information with an overseas regulator, “it will need to give greater consideration to whether (for instance) that body is capable of handling the information responsibly and fairly“. But is that enough? It barely gives me any comfort, and I’m just some bod watching on the sidelines. I hate to think what someone giving up a load of data thinks of it. Under what circumstances can an overseas regulator request information? What can it ask for? What about the stuff that might have been provided that is subject to legal professional privilege? What protections are there that the overseas regulator has no ulterior motive behind wanting the data?
I wrote last week that the current position might stop some applying, but having seen the apparently flimsy legal basis on which the Commission has based its response, I think that that worst-case scenario was understated. On the basis of FAQ29, aren’t we looking at the possibility that sharing of data in this manner would open up the Commission (and its officers, presumably) to legal claims? I can imagine companies claiming financial and reputational loss from the misuse of information that was shared with an overseas regulator – a circumstance in which it would be pretty uncomfortable to be testing the validity of that enormous page-20 disclaimer. I can even imagine those that have given their consent claiming that they were coerced to do so, because they were forced to sign a disclaimer without which they could not enter the valuable UK market. Is that really where we are heading?
Schedule 6 provides detail about the various parties with which the Commission can share information. Each is named, and the list can be added to. Betfair’s MOU list that I had responsibility for got changed every time we signed an MOU. By my understanding, that is the way that Data Protection issues work.
I suppose that alternatively, rather than seeking an amendment to Schedule 6 and making explicit which overseas regulators the Commission can offer information to, the Commission could in every future instance take account of all legislation that could possibly be relevant to its sharing information with an overseas regulator before the decision to share the information is taken, keeping detailed audit trails of having done so to protect it from legal challenge by operators in an industry not known to be shy about launching them.
I know which I’d rather be doing.