Authors: Francesca Hili and Nicole Sciberras Debono
The role of affiliates in relation to gaming operators’ platforms is to drive individuals to an operator’s site/app with the aim of such individual signing up to become players. The legal position of whether an affiliate is deemed to be a controller or processor in light of data protection law, has been subject to some debate for a while.
In a judgement delivered on the 12th of June 2020, the Court of Appeal, in the case LeoVegas Gaming p.l.c v. Il-Kummissarju ghall-Informazzjoni u l-Protezzjoni tad-Data (Information and Data Protection Commissioner) decided upon several matters pertaining to gaming affiliates when conducting direct marketing on behalf of an operator, and delved into the operator-affiliate relationship, assessing when either is deemed a controller or processor.
Background and facts of the case
The Plaintiff is an online gaming company. It uses the services of affiliates to attract players to use its gaming platform. The United Kingdom Information Commissioner Office (‘ICO’) received several complaints from third parties who had received unsolicited communications through an affiliate whose services the Plaintiff company was using. The ICO addressed this matter to the Information and Data Protection Commissioner (‘the Commissioner’), requesting for this to be investigated.
The Commissioner found that:
- The Plaintiff company failed to provide the required evidence which is necessary to legitimise the sending of the marketing communications by its appointed affiliates;
- The sending of electronic communications by affiliates on behalf of the Plaintiff company was unlawful and a breach of the local legislation with regards to direct marketing.
The Plaintiff company has appealed the Commissioner’s decision before the Data Protection Appeals Tribunal (‘the Tribunal’).
The Plaintiff company argued that the gaming affiliates which they engage are to be deemed controllers of their data, as opposed to the Plaintiff company being the controller of such data, since the attractiveness in engaging them lies in the database that they have. The Tribunal’s counterargument was that the affiliate solely acts on behalf of the operator by driving traffic towards that operator and when such an affiliate would not have otherwise been processing that data had it not been for his relationship with the Operator (the Plaintiff in this case), then that affiliate is acting as a processor, and not a controller. This is based on the ICO’s opinions, as submitted during court proceedings, that where an organisation operates an affiliate programme whereby third parties are paid commission to drive traffic/individuals to its website, then, the latter would have instigated the marketing. If there were no financial incentives to the marketer to contact the subscribers, then there would be no marketing communications.
The Court of Appeal decision
The Court of Appeal agreed with the Tribunal’s decision that the Plaintiff company is the controller of the data. In this decision, the Court referred to the agreement between the Plaintiff company and the affiliate as the starting point, emphasising that the contractual relationship between the two parties contributes to defining whether either party can be deemed a controller, processor, and possibly both in separate scenarios.
From the agreement between the Plaintiff company and the affiliate, it transpired that the affiliate’s role in attracting players and more traffic to the Plaintiff company’s platform, was controlled and determined by the Plaintiff company, especially since it appeared that the Plaintiff company played a decision-making role when choosing to appoint affiliates who would in turn send electronic communications on their behalf, especially as a result of the affiliate programme that it has.
Regulation 9 of Subsidiary Legislation 586.01 states that ‘a person shall not use, or cause to be used, any publicly available electronic communications service to make an unsolicited communication for the purpose of direct marketing … to a subscriber or user irrespective of whether such subscriber or user is a natural person or legal person, unless the subscriber or user has given his prior consent in writing to the receipt of such a communication.
Therefore, the prohibitions against unsolicited communications would still apply against those who are not actually doing such direct marketing themselves, but engage others to do so on their behalf.
What does this mean for affiliates?
Succinctly, the Court of Appeal identified the role of the affiliate in terms of data protection law, as follows:
- The affiliate can be deemed a processor when it carries out its operation solely to drive traffic towards an operator, and without that operator, the affiliate would not be processing personal data. The affiliate acts solely on behalf of the operator.
- The affiliate can be deemed a controller where, although the affiliate’s aim is to provide customers to the operator, the way in which the affiliate fulfills this task and the means in which the affiliate reaches out to prospective players is entirely up to the affiliate. The affiliate has autonomy over its processing.
For further information about how GVZH Advocates can help you with your data protection queries, kindly contact us on firstname.lastname@example.org.