Currently, it seems undeniable that the regulation of Fixed-Odds Betting (AQF) on sports events is imminent in Brazil. The regulation of games of chance in a general sense is embodied by the notorious Bill of Law 442/1991, approved in the Chamber of Deputies and currently pending analysis by the Federal Senate, where it has been numbered as PLS 2,234/2022, and its approval process is yet to be defined.
Specifically, the legal microsystem of AQF still lacks systematization, but it should be briefer than the legal framework for gaming since AQF is already authorized, or rather, legalized. The regulation, which could have been done through a Decree in the previous government, seems to have been replaced or preliminarily modified by a new bill (PL 3,626/2023) and/or by a Provisional Measure (MP 1,182/2023), both of which are pending approval. In the first case, it awaits consideration by the Federal Senate, and in the second, by the National Congress.
As key defining elements to understand the radiation of effects in the field of data protection, there is what is set forth in Article 29, paragraph 1, of Law No. 13,756/2018, characterizing sports betting as (i) a lottery modality; (ii) involving bets on real events of sports theme; (iii) where at the time of placing the bet, it is defined how much the bettor can win in case of a correct prognosis.
The same law also stipulates that "communication, advertising, and marketing actions related to fixed-odds betting lotteries shall comply with the regulations of the Ministry of Finance, with self-regulation encouraged" (Article 33) and that "the legal entity holding the authorization shall provide the Financial Activities Control Council (COAF), in accordance with the rules issued by the Executive Branch, with information about bettors related to the prevention of money laundering and terrorist financing" (Article 35).
On the other hand, the well-known General Data Protection Law, Law No. 13,709/2018, or simply LGPD, dated coincidentally in the same year as the AQF law, aims to "protect the fundamental rights of freedom, privacy, and the free development of the personality of the natural person (Article 1, in fine)."
The obligation to collect minimal data from bettors may be widely accepted today, but it was not always the case. In the past, during the regulation of bingo, numerous laws were passed one after another to address issues that needed improvement to provide sustainability to the activity. After the famous Zico Law, the Pelé Law, which, among many other points, authorized the operation of bingo by federated states, provided for the collection of data from bingo players in its original bill. Paragraphs 2 and 3 of the previous Article 71, which dealt with this point, were vetoed due to "violation of citizens' privacy."
Such an understanding is now unacceptable as it fundamentally undermines the ability to comply with the previously mentioned duties related to social responsibility, corporate responsibility, responsible gaming, and crime prevention. However, any details required from the bettor must now be justified, motivated, legally grounded, and adequately protected (LGPD, Articles 6 and 7). This is the significant difference that LGPD imposes on data processing agents. Instead of banning the use, it ensures compliance with a series of principles, among which the purpose (of use) is only the entry point (LGPD, Article 6).
It is evident that, at the start of operations, a series of uncertainties may arise regarding the quantity of personal data to be required, allowed, and provided to the data subject. Both topics – AQF and personal data protection – are recent in the national legal system, but not in their proposals (especially when considering AQF as a lottery modality in exceptional cases). They require authorities in different branches of law to have a specific understanding of sports betting and, more importantly, of the ecosystem within which the activity is fostered, under the risk of assigning responsibilities that are incompatible with its real development and sustainability. In the case of the European Union, it is not surprising that the first sectoral Code of Conduct regarding data protection was introduced in 2020, precisely for the gaming industry.
Until this coordination is instrumentalized and expressed, it is essential, however, that operators are prepared to develop action plans in the absence of clear rules since the busy agenda of the National Data Protection Authority (ANPD) will certainly prevent it from making early pronouncements on the matter.
It will be indispensable, therefore, to create channels of communication not only between data processing agents and data subjects (as this is not an option but an obligation), between the regulated sector, regulator, and ANPD (as even determined by LGPD, Article 55-J, § 3), but also within the industry itself in search of best practices.
Just as in the case of responsible advertising that refers to encouraging self-regulation, it is inevitable that, in the case of data protection, regulation will go hand in hand with self-regulation, in what has become known as regulated self-regulation or co-regulation.
The industry has already shown a real willingness to work towards this goal. Just this year, at least three representative entities of the sector, such as the Brazilian Institute of Responsible Gaming (IBJR), the Brazilian Association for the Defence of Sports Integrity (ABRADIE), and the National Association of Games and Lotteries (ANJL), were created with the aim of providing solid inputs for sectoral regulation by the federal government.
In the pursuit of efficiency, it is imperative that we begin to contemplate best practices, share them, and disseminate them throughout the industry. By doing so, we can not only enhance the legal certainty for operators but also empower ANPD to achieve its mission of promoting 'greater efficiency and the proper functioning of regulated sectors' (LGPD, Article 55-J, § 3) - and this certainly includes the sports betting activity.
Maria Luiza Jobim
Maia Yoshiyasu Advogados