Censorship reloaded – the new data behemoth is called Financial Blocking

By Ansgar Lange

Internet blocking under the Inter-State Treaty on Gambling (GlüStV): Data privacy activist Thilo Weichert fears that data retention may sneak in through the back door

Kiel, November 2014. It is on the attack again – the state-fed data behemoth, whose crafty limbs have found a new way of outwitting data privacy activists: The current focus of the state surveillance fetishists is the alleged combat of supposedly illegal gaming. On the basis of the GlüStV adopted by the Federal States, the German supervisory authorities – above all the Ministry of the Interior of Lower Saxony, the Federal Financial Supervisory Agency BaFin and the Federal Ministry of Finance – intend to cut off payments to online gaming providers who, in their opinion, are illegal. In order to implement this so-called Financial Blocking, banks and payment service providers are obligated to monitor all payments and to code transactions associated with gaming providers accordingly. However, the practical problems and the problems relating to (data protection) law in the context of the planned measures are manifold, which is, inter alia, the result of an analysis by the Independent State Center for Data Protection in Schleswig-Holstein (ULD).

In his recent statement “Assessment under Aspects of Data Protection Law of the Provisions on ‘Financial Blocking’ with the Aim of Preventing Illegal Gaming on the Internet” of 13 November of this year, the director of this institution, Schleswig-Holstein’s data protection officer Thilo Weichert, criticises the planned Financial Blocking measures against allegedly illegal gaming providers as “essentially impossible in practice”, and at the same time fears that there may be an “unlawful retention of data” to the detriment of all customers of German banks and payment service providers.

Financial Blocking would require a complete surveillance of all German payment transactions

The core of the controversy is a provision in the GlüStV which states that “in particular the credit institutions and financial service providers” may be prohibited “from cooperating in payments for illegal games of chance”. What initially sounds fairly clear can hardly be implemented in practice, and would require a complete surveillance of all German payment transactions. Weichert: “Also, this would require the collection of data on all customers, although it cannot be ensured that these persons actually use the financial service providers for gaming transactions, and that these data may be necessary for potential blocking measures. The assumption of a retention obligation would lead to an unlawful retention of data. It would be disproportionate in view of the associated interventions and of the pursued objective.”

At the beginning of November, leading international experts, at a panel discussion during the autumn conference of the International Masters of Gaming Law (IMGL) http://www.gaminglawmasters.com in Florence which explicitly dealt with the question of the future viability of Financial Blocking (“Financial Blocking – An Enforcement Tool with Future?”), explained that this instrument can neither be implemented in practice, nor does it show any effect. Christian Chmiel, expert for payment safety and CEO of Web Shield Ltd., who advises numerous European police authorities on issues of internet safety, Justin Franssen, Head of Gaming, Sports & Entertainment Practice Group, Kalff Katz & Franssen from the Netherlands and Joakim Marstrander, Partner at Deloitte Tax & Legal in Norway stressed that – whilst Financial Blocking obviously is regarded as a universal remedy in Germany and the Netherlands – one look at Norway is enough to witness the failure of payment blocking: In 2010, the Norwegian regulator ordered Financial Blocking measures against private gaming providers in order to protect the state gaming monopoly, and evaluated the consequences in 2012 and again in 2014. Rune Timberlid, Senior Advisor of the Norwegian Gaming Board, has now reached a disappointing conclusion: “This payment ban has had less impact than expected. It’s not been a success. There are too many ways around the ban. It’s easier than we thought to set up solutions where banks and financial institutions aren’t involved.”

Can banks verify whether payments are legal?

Irrespective of the fiercely discussed legal validity of the German gaming regulations, credit institutions and financial service providers usually lack the relevant data in order to verify whether deposits or payments are legal.

Rather, they are made unofficial “deputy sheriffs” of the gambling supervisory authorities, without any legal protection, thus running significant liability risks.

If a German authority classifies a gaming provider as illegal, it would obligate the German banks and financial service providers to no longer process transactions to or from this gaming provider. The newspaper Süddeutsche Zeitung (SZ) http://www.sueddeutsche.de reported that the bank organisations “have not been contacted up to now, as the federal association of banks, the Bundesverband der Volks- und Raiffeisenbanken, states. (…) This course of action would have to be ‘legally safe and practicable’ (…) The bank organisations informed the federal states as early as in May 2011 that bank transfers into the account of a gaming provider ‘are not always inevitably’ betting stakes, but could also have other reasons. The credit institutions could ‘not tell the difference’.”

In order for the German banks to be able to identify gaming transactions, these transactions are intended to be coded. This means that a procedure which has already become customary for credit card payments – VISA for instance uses the code 7995 for gaming -, is intended to be transferred to other means of payment. At least this is the data collectors’ theory. Experts from practice directly object stating that for payment methods such as bank transfer or electronic direct debit (ELV), this is not possible. Furthermore, even the VISA card coding does not distinguish between legal and illegal offers.

Are movement profiles for bank customers looming?

The German supervisory authorities, however, intend to ensure this differentiation. Led by the Ministry of the Interior of Lower Saxony, a so-called “Black List” with illegal providers is allegedly currently being prepared. In order for the banks to be able to more easily distinguish between legal and illegal, they are intended to receive messages as to which gaming providers are licensed and which are prohibited in Germany. However, there is a huge difference between theory and practice in this area as well: The mere fact that a provider is not licensed in Germany does not automatically mean that the customer’s payment to this provider is prohibited. The same applies to payments effected by the gaming provider. This is because the question as to whether participation in a game is legal or illegal depends, also under the GlüStV, on where the player is located when he/she takes part in the game.

Does this mean that banks will also have to find out where their customers are located? Thilo Weichert thinks that this is absurd anyway: This is exactly what the banks cannot do, because the “the IP address is only known to the financial service providers in a few exceptional cases. Geolocation through radio cells or GPS is an exception in the context of gaming offers.” Therefore, the banks themselves would have to attempt to determine the customer’s location at the time of payment, without having a sufficient legal basis for this. In the online area this would, if at all, only be possible with the help of the easy to manipulate IP address.

Unilateral action by Germany is impossible

Weichert’s analyses confirm the statements of internet pioneer Michael Rotert, president of the eco Association of the German Internet Economy http://www.eco.de, who, during the CRM economic summit in Schleswig-Holstein in spring already rejected the blocking of financial transactions from a data privacy perspective. “For this purpose, the payment processors would have to collect far more data, and/or use the collected data in other ways than would normally be necessary for the payment function. This already leads to a data privacy problem.” Conversely, for Rotert this also means that the processing of such data affects all German customers of payment providers, independently of the respective reasons for such payment. Furthermore, he is of the opinion that practical implementation is almost impossible: For instance, the payment provider would have to be able to verify whether the offers are actually gaming offers and where the player is located when participating in the game – i.e. whether or not he/she is in a German Federal State or a country where the used offers are licensed. The possible consequences: Special national regulations such as the German gaming legislation intervene into the medium of the internet which is available world-wide. Furthermore, he draws attention to the fact that players are not dependent on German banks, “but this is the only area where the authorities can impose requirements. Even in the European context this will be futile, as the provider may be licensed there. For reasons of incompatibility with European realities alone, there cannot be Financial Blocking as a unilateral German measure.”

The reply by the Baden-Wuerttemberg state government to a parliamentary inquiry by the SPD in the state parliament supports Rotert’s analysis and also reveals these weaknesses of Financial Blocking. It states that German authorities can only impose obligations upon German banks and payment service providers. As soon as a German citizen uses a foreign bank account or a foreign payment service provider, the prevention of payment transactions does not work at all, because the German authorities simply do not have jurisdiction abroad. This means that such orders would only affect German banks and payment service providers – clearly a competitive disadvantage compared to other institutions within the European Union.

The place of participation in the game does not have to be the place of payment

However, even if it were possible to determine the customer’s location at the time of payment or withdrawal with the help of the IP address, there is another practical problem also named by Weichert: “Another problem is that the playing and the payment process are often carried out (more or less) separately. This means that the localisation of the payment transaction merely is an indication of the place of participation in the game.” In other words: There is no rule which states that at the time of payment the customer is located at the place where he/she will ultimately play. A player may, for instance, wish to make a deposit with an Austrian sports betting provider via the player’s German account while he is in Munich during the week, in order to then legally bet online when he visits his girlfriend in Vienna at the weekend. Who could forbid him to do so?

Due to the lack of effectiveness of Financial Blocking, paired with considerable administrative expenses, state surveillance structures à la Orson Welles, encroachments upon the European fundamental freedoms and upon data privacy, as well as, last but not least, liability risks for the affected German banks and payment service providers, the Kiel data privacy activist Weichert poses the question as to the proportionality of the planned measures. “Due to the very far reaching practical impossibility of implementing Financial Blocking under the GlüStV, it is questionable as to whether the principle of proportionality which binds all state actions is being complied with.”

What remains is the question why German supervisory authorities and lottery officials continue to demand Financial Blocking. The answer is anybody’s guess.