Data Protection
Data Protection in the Competitive Gaming and Esports Industry: A Brief Overview
In the digital age, the topic of data protection has taken center stage. The rapid digitalization has led to an exponential increase in data collection through various web services. Recognizing the immense value of this data, entities worldwide have tightened data protection laws, making them more intricate. The emergence of the metaverse, NFTs, and the growing significance of the gaming and esports industry have further complicated the landscape. Given the vast amount of data these industries process online, they are significantly impacted by these regulations.
The Intersection of Data Protection and Gaming
The competitive gaming and esports sectors predominantly operate online, processing personal data on a global scale. Multiplayer experiences and network management necessitate the collection of personal data. To access gaming services, users typically provide personal details like names, addresses, birth dates, credit card information, email and IP addresses, feedback from other participants, and personalized profiles. Companies must ensure compliance with relevant data protection laws when processing this data, a task that can be daunting for businesses operating and marketing globally.
Understanding the GDPR and Its Implications
The General Data Protection Regulation (GDPR) is a pivotal piece of legislation in this context. Notably, the GDPR can apply even if the controller or processor is not based in the European Union. Similarly, the revised Swiss Data Protection Act, as in force from September 2023, aligns closely with the GDPR and can apply to organizations outside Switzerland.
Defining Roles: Controller vs. Processor
Under the GDPR:
- A controller decides the purpose and means of personal data processing, either alone or with others. They are the primary decision-makers regarding data processing.
- A processor, on the other hand, processes data based on the controller’s instructions.
Distinguishing between these roles is vital. It determines responsibility for regulation compliance and is crucial for the exercise of data subject rights. However, this distinction isn’t always straightforward.
Key Principles of the GDPR
For controllers in the gaming and esports industry, the GDPR mandates the following principles:
- Lawfulness, Fairness, and Transparency: Personal data should be processed transparently, fairly, and lawfully. This involves having a legal ground for processing, ensuring the data subject is aware of the processing, and being transparent about data collection and usage.
- Purpose Limitation: Data should only be collected for specific, explicit, and legitimate purposes. Any processing beyond this is generally unlawful.
- Data Minimisation: Only relevant and necessary data should be processed.
- Accuracy: Controllers must ensure data accuracy and address any inaccuracies or incompleteness.
- Storage Limitation: Data should not be stored longer than necessary.
- Integrity and Confidentiality: Data should be processed securely, protected against unauthorized access, loss, or damage.
Additional Considerations for the Competitive Gaming and Esports Industry
Companies in this sector should also be mindful of:
- Consent: It must be freely given, specific, informed, and unambiguous. Consent can impact marketing strategies, especially with direct marketing, profiling, and cookie placements.
- Child Data: The GDPR has stringent requirements for child consent. Generally, autonomous consent is possible from age 16, but this varies among EU member states. For younger users, legal guardian consent is necessary.
- Data Subject Rights: Players should be able to exercise their data protection rights, including access, rectification, erasure, and data portability.
- International Data Transfers: Especially prevalent in multiplayer games, data might be stored on servers across countries. While data flow within the EU is unrestricted, transfers to other countries require appropriate safeguards.
Hence, as the gaming and esports industry continues to grow, understanding and adhering to data protection regulations will be paramount for companies to thrive and maintain the trust of their user base.
Transparency in Esports: A Legal Perspective on Data Trading in Germany and the EU
In the world of esports, exchanging data is rather common. In general, esports athletes’ performance data is gathered, analyzed, and monetized. Usually, all of this happens within the boundaries of national laws. Nevertheless, stakeholders’ contracts sometimes do regulate data trading. Hence, in this article our guest author Dr. Oliver Daum provides an overview of the present legal status of data trading in esports and gives practical advice to all parties involved.
Data Trading: An Introduction
Picture yourself as an esports athlete who frequently joins tournaments and competitions. Whether you are a part-time professional or full-time professional, it does not make any difference. What remains is that it is the tournament organizer’s duty to supervise the game in order to prevent any cheating by teams or players using bots or comparable tactics. The tournament organizer manages the game’s data streams to achieve this. Up to now – all is well. However, what happens with the data after the tournament ends?
Information from esports events and competitions, such as statistics and performance metrics of esports players, is transmitted by tournament hosts like Riot Games to several analytics firms. Data analysts such as Bayes Esports or Splunk assess and organize the data. Afterwards, they make it available for purchase by different end customers. Betting providers find the data especially intriguing, as they can use it to determine their betting odds.
This article examines data trading in esports and offers a legal perspective overview on the topic. The article ends with useful advice on how stakeholders can lawfully protect data exchange.
Data Trading in Esports
The most important point – when it comes to data trading in esports – is the finding that trading data in Germany and Europe is permitted. Trading with personal data, which is specially protected under the GDPR, is also permitted.
“The trading of data in Germany and Europe is generally permitted!”
Tournament organizers process not only the performance data of esports athletes but also their personal data such as name, date of birth, account name, etc. All of these are personal data, which means that the organizers are subject to the obligations of the GDPR. In addition to the tournament organizers, the organizations of the esports athletes (clubs/clans) usually collect data, too. They analyze and evaluate the performances of their team members for training and practice purposes and employ data analysts for this. More often than not, health data such as heart rates are recorded as well. Notably, health data belong to the category of special personal data and are therefore particularly in need of protection.
Data Protection in Esports
As legal entities responsible under the GDPR, organizers and organizations are subject to various data protection obligations. For example, they may only process the data for the purpose for which it was originally collected, subject to certain exceptions. If tournament organizers collected the data for monitoring and control purposes, this purpose would cease at the end of the tournament. This would mean that the data sets would have to be deleted, making their transfer to data analysts not permissible.
Responsible parties must also ensure that the data is protected from unauthorized access, such as hacking or cyberattacks.
Furthermore, in the context of data trading, the information obligations according to Articles 13 and 14 GDPR must be observed. Accordingly, responsible parties must make certain information available for identification and contact options when they want to store, process, and pass on data. This information is regularly contained in the privacy statement. It is also important in this context that third parties to whom the personal data is passed on must actively inform the esports athletes about the data processing and fulfill the information obligations under the GDPR. That is the legal situation, even if practice looks different.
The Problem
The exchange of data of esports players has been a common practice in the industry for a long time, despite being rarely discussed openly. The indiscriminate sharing of information presents a significant possibility of misuse. The issue lies in the fact that many esports athletes do not perceive this risk yet, so it is not recognized as a major threat. For instance, a soccer player must consider physical (and mental) injuries throughout their career, while in esports it is one’s own data sovereignty that is at risk. The potential for big data analysis, artificial intelligence, and quantum computers to exacerbate these injuries in the future is treated as a marginal note.
This lack of knowledge, commonly seen among organizations as well, results in data trading frequently not being fully addressed in contracts. This mainly impacts the agreements between esports players and teams. Merely including promises to adhere to the GDPR is no longer enough on its own. Esports players should ensure control over their personal data. In addition to strict regulations on data security and protection, licensing agreements for using performance data are also necessary, since the majority of contracts either lack regulations on sharing performance data or have insufficient ones. In simple terms, the outcome is that the esports athletes are relinquishing their assets.
“The majority of contracts do not regulate the sharing of performance data adequately or at all!”
The Gaps in Contracts
A seamless chain of contracts is therefore essential for organizations, tournament organizers, data analysts, and betting providers as end consumers. If the organization did not grant the permission to transfer the data to event planners or data experts (sub-license), there would be legal issues with the data. This implies that the company would be marketing data that cannot be shared because of the absence of sub-licensing. This legal issue would affect all stages of the value chain. In the final analysis, data analysts and betting providers would lack permission to use the data of the esports athletes.
For the organizations, the tournament organizers, the data analysts, and the end consumers, using someone else’s data without the right to do so can have unpleasant consequences, which can lead to claims for damages.
What Needs to Be Done
Esports athletes should examine their contracts to protect their data sovereignty. This pertains to protecting data and particularly to sub-licensing. Consideration should be given to making the permission for transferring and trading the data conditional on additional payment. The same rules also apply to the organizations. They need to verify whether they have any financial ties to the data sales of their esports athletes or whether they could potentially be tied to them. Suitable clauses must be included in the agreements between the organization and the event planner and the data experts if they are not already included.
It is important for betting providers to carefully examine their contracts with data suppliers to confirm that the information about esports athletes can be legally sold. If not, the esports athletes concerned could potentially seek compensation and file information requests under Article 15 GDPR.
The trading of data in esports is daily business. Now, it is necessary to put data trading on legal feet. For esports athletes and organizations, this means focusing more on the risk of data misuse than before and signing licensing agreements to participate in the sales revenue of the data.
DISCLAIMER
This post is an English translation of our partner blog www.e-sportrecht.de by Dr. Oliver Daum, which is an elaborate, yet free offering for the community. Hence, if you like the article or the site, we kindly ask you for feedback in the form of likes, comments, shares, follows, or retweets on social media.
Navigating the Aftermath: A 7-Step GDPR-Informed Guide for Esports Tournament Organizers Following a Data Breach
In the digital-first realm of esports, where data flows as swiftly as the games themselves, the specter of a data breach presents a formidable challenge. The General Data Protection Regulation (GDPR), with its stringent data protection standards, serves as both a shield and a guide for organizations navigating these turbulent waters. This detailed guide offers esports tournament organizers a robust framework for responding to data breaches, ensuring compliance, and safeguarding the trust of players and fans alike.
1. Immediate Response and Assessment
The moment a breach is detected, the clock starts ticking. Immediate containment is crucial, but so is understanding the nature of the breach. This understanding forms the bedrock of your response strategy. Whether it is a phishing attack that has compromised player data or a ransomware attack that has locked down critical systems, the specifics of the breach will dictate your next steps.
- Technical Measures: Implementing advanced security protocols and encryption methods can significantly mitigate the risk of data being accessed or stolen. Regular security audits and penetration testing can also identify vulnerabilities before they are exploited.
- Organizational Measures: Establishing a dedicated incident response team and conducting regular data protection and security training for all staff are vital. This ensures that everyone understands their roles and responsibilities in the event of a breach.
Article 32 GDPR (Security of processing) emphasizes the importance of having both technical and organizational measures in place to ensure the security of personal data.
2. Notify the Relevant Supervisory Authority
The GDPR mandates that data breaches likely to pose a risk to individuals’ rights and freedoms be reported to the relevant supervisory authority within 72 hours of discovery. This tight timeframe underscores the need for esports organizations to have a clear, efficient reporting process.
- What to Report: The notification must include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records affected, and the name and contact details of the data protection officer or another point of contact.
Article 33 GDPR outlines the notification requirements, reinforcing the importance of swift action and transparency with regulatory authorities.
3. Communicate with Affected Individuals
The High-Risk Threshold: When to Inform Data Subjects
If the data breach is deemed to pose a high risk to the rights and freedoms of natural persons, GDPR requires that these individuals be informed without undue delay. This communication must be clear, avoiding technical jargon, and provide details of the breach, its likely consequences, and the measures being taken to address it.
- Best Practices for Communication: Offering clear advice on how individuals can protect themselves, such as changing passwords or monitoring for signs of identity theft, can help mitigate the impact of the breach. Providing a dedicated contact point for further inquiries also demonstrates your organization’s commitment to transparency and support.
Article 34 GDPR provides guidelines on communicating breaches to data subjects, emphasizing the need for clarity and helpfulness in such communications.
4. Engage with Third Parties
Partners in Protection: Working with Vendors
In the interconnected world of esports, third-party vendors often play a critical role in data processing. Whether it’s cloud storage providers, payment processors, or analytics services, ensuring these partners comply with GDPR is essential.
- Contractual Safeguards: Agreements with third-party vendors should explicitly outline data protection and breach notification responsibilities. Conducting regular audits of these partners can also ensure compliance and identify potential vulnerabilities.
Article 28 GDPR stresses the importance of contracts in managing the relationship between controllers and processors, including in the context of data breaches.
5. Document Everything
The Record-Keeping Mandate
Documenting every aspect of the breach response not only aids in compliance but also provides valuable lessons for improving future security measures. This includes documenting the initial discovery, steps taken to contain and assess the breach, communications with authorities and affected individuals, and any remedial actions taken.
- Learning from the Breach: Analyzing the breach and the response can reveal gaps in security and response planning. This post-mortem analysis is crucial for strengthening your organization’s data protection posture.
Article 33(5) GDPR mandates the documentation of personal data breaches, underscoring the importance of thorough record-keeping in demonstrating compliance and facilitating continuous improvement.
6. Review and Update Security Measures
Adapting to Evolving Threats
The digital landscape is constantly evolving, with new threats emerging regularly. Post-breach, it’s critical to review and update your security measures. This could involve adopting new technologies, revising access controls, or enhancing user authentication protocols.
- Continuous Improvement Cycle: The response to a data breach should catalyze a cycle of continuous improvement in security measures. Engaging with cybersecurity experts and participating in industry forums can provide insights into emerging threats and best practices.
Article 32 GDPR calls for a review and continuous improvement of technical and organizational measures to ensure the security of personal data.
7. Legal Consultation and Ongoing Compliance
Ensuring Alignment with GDPR
Consulting with legal experts specializing in data protection laws can ensure that your breach response aligns with GDPR requirements. This legal consultation can also guide the refinement of policies and practices to enhance compliance and data protection.
- Building a Culture of Compliance: Embedding data protection principles into the fabric of your organization, from the design of new services to the training of staff, fosters a culture of compliance and resilience against data breaches.
Article 25 GDPR (Data protection by design and by default) and Article 24 GDPR (Responsibility of the controller) highlight the importance of integrating data protection into all aspects of data processing activities.
Conclusion
For esports tournament organizers, navigating the aftermath of a data breach in compliance with GDPR is both a challenge and an opportunity. By following this detailed guide, organizations can not only respond effectively to breaches but also reinforce their commitment to data protection. This commitment is essential for maintaining the trust and confidence of players, fans, and partners in the esports ecosystem. In doing so, the esports industry can continue to thrive, underpinned by robust data protection practices that safeguard the rights and freedoms of all participants.