Taking effect on May 25, 2018, the EU General Data Protection Regulation (GDPR) is the most impactful change to data privacy regulation in decades. The GDPR was enacted to help protect all personal information of EU individuals and is applicable to any organization, regardless of location, that intentionally offers goods or services to the EU, monitors the behavior of EU individuals (“data subjects”), or processes and holds the personal data of data subjects residing in the EU.
As anyone who has ever registered the latest copy of Overwatch or FIFA knows, millions of gamers share their personal information in order to gain access to developer content. Given the changes promulgated by the GDPR, this has far-reaching implications for all data collecting entities, including, but not limited to:
Data Collectors, in particular, will have to revamp their existing end-user policies with a particular focus on provisions addressing data monitoring, access, consent, data portability, and mandatory breach notification.
While the GDPR extends into many other sectors, its effects within the video game industry have already been felt. Citing the high cost of complying with the GDPR, the servers for Super Monday Night Combat, the multiplayer online battle arena (MOBA) title by Uber Entertainment, were taken offline permanently, and Uber Entertainment offered $10K of in-game currency for users to spend before the game ended. Uber Entertainment’s multiplayer back-end system was not GDPR compliant, and the cost to make it compliant exceeded the budget allocated to the game.
Fines for non-compliance with the GDPR can be hefty and scale with the nature and severity of the violation. A lower-tier violation can cost up to €10M or 2% of the violator’s worldwide annual revenue, whichever is greater, while upper-tier infractions can draw up to €20M or 4% of worldwide annual revenue, whichever is greater.
Unlike traditional sports, where anyone is free to produce a sporting event without having to pay royalties to the inventor of the sport, sanctioned esports events can only occur with the approval of the video game studios. Even unsanctioned esports events are only possible if an end user has registered their copy of the game. Furthermore, most popular esports games require an internet connection in order to play against others. As a result, a significant amount of personal data is being transmitted and processed by Data Collectors annually. Data Collectors collect and use this data for a number of reasons, including resource allocation based on where the most players are playing at a particular moment and weeding out negative behavior by banning toxic players.
Given the popularity of esports in Europe, it is not a question of if Data Collectors should become GDPR compliant, but how quickly can they do so.
So what should Data Collectors do in the face of the GDPR? For starters, they should consider the need for a data protection officer (“DPO”). The GDPR requires that a DPO be appointed within organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of sensitive categories of personal data.
Given that Data Collectors engage in global, systematic monitoring and processing of personal data, coupled with the millions of dollars at stake for non-compliance, such organizations should appoint a DPO if they have not already done so. The DPO must understand the nuances of the GDPR and be able to respond to inquiries from EU regulatory authorities.
A critical gatekeeping issue under the GDPR is obtaining valid consent from data subjects before collecting their personal data. Where consent is the lawful basis relied on, GDPR compliance depends on the development and use of appropriate consent forms.
To that end, Data Collectors should consider the following when developing GDPR-compliant consent forms:
Because the GDPR era is in its infancy, what is necessary to ensure GDPR-compliance may shift drastically in the coming years and will require an ongoing commitment from Data Collectors to evolve with how EU regulatory authorities interpret and enforce the GDPR, specifically how they dole out fines. Stay tuned for the second installment of this ongoing series.
This article was originally published by The Esports Observer.