Data Protection

Transparency in Esports: A Legal Perspective on Data Trading in Germany and the EU

In the world of esports, exchanging data is rather common. In general, esports athletes’ performance data is gathered, analyzed, and monetized. Usually, all of this happens within the boundaries of the national laws. Nevertheless, stakeholders’ contracts sometimes do regulate data trading. Hence, in this article our guest author Dr. Oliver Daum provides an overview of the present legal status of data trading in esports and gives practical advice to all parties involved.

Data Trading: An Introduction

Picture yourself as an esports athlete who frequently joins tournaments and competitions. Whether you are a part-time professional or full-time professional, it does not make any difference. What remains is that it is the tournament organizer’s duty to supervise the game in order to prevent any cheating by teams or players using bots or comparable tactics. The tournament organizer manages the game’s data streams to achieve this. Up to now – all is well. However, what happens with the data after the tournament ends?

Information from esports events and competitions, such as statistics and performance metrics of esports players, is transmitted by tournament hosts like Riot Games to several analytics firms. Data analysts such as Bayes Esports or Splunk assess and organize the data. Afterwards, they make it available for purchase to different end customers. Betting providers find the data especially intriguing as they can use it to determine their betting odds.

This article examines data trading in esports and offers a legal overview of the topic. The article ends with useful advice on how stakeholders can lawfully protect data exchange.

Data Trading in Esports

The most important point – when it comes to data trading in esports – is the finding that trading data in Germany and Europe is permitted. Trading with personal data, which is specially protected under the GDPR, is also permitted.

“The trading of data in Germany and Europe is generally permitted!”

Tournament organizers process not only the performance data of esports athletes but also their personal data such as name, date of birth, account name, etc. All these data are personal data, which means that the organizers are subject to the obligations of the GDPR. In addition to the tournament organizers, usually the organizations of the esports athletes (clubs/clans) are collecting data, too. They analyze and evaluate the performances of their team members for training and practice purposes and employ data analysts for this. More often than not, health data such as heart rates is recorded as well. Notably, health data belong to the category of special personal data and are therefore particularly in need of protection.

Data Protection in Esports

As legal entities responsible under the GDPR, organizers and organizations are subject to various data protection obligations. For example, they may only process the data for the purpose for which it was originally collected – exceptions included. If tournament organizers collected the data for monitoring and control purposes, this purpose would cease at the end of the tournament. This would mean that the data sets would have to be deleted, making their transfer to data analysts not permissible.

Responsible parties must also ensure that the data is protected from unauthorized access, such as hacker attacks or other cyberattacks.

Furthermore, in the context of data trading, the information obligations according to Articles 13 and 14 GDPR must be observed. Accordingly, responsible parties must make certain information available for identification and contact options when they want to store, process, and pass on data. This information is regularly contained in the privacy statement. It is also important in this context that third parties to whom the personal data is passed on must actively inform the esports athletes about the data processing and fulfill the information obligations under the GDPR. That is the legal situation, even if practice looks different.

The Problem

The exchange of data of esports players has been a common practice in the industry for a long time, despite being rarely discussed openly. And the indiscriminate sharing of information presents a significant possibility of misuse. The issue lies in the fact that many esports athletes do not perceive this risk yet, resulting in it not being recognized as a major threat. For instance, a soccer player must consider physical (and mental) injuries throughout their career, while in esports, it is one’s own data sovereignty that is at risk. The potential for big data analysis, artificial intelligence, and quantum computers to exacerbate these injuries in the future becomes a marginal note.

This lack of knowledge, commonly seen among organizations as well, results in data trading frequently not being fully addressed in contracts. This mainly impacts the agreements between esports players and teams. Merely including promises to adhere to the GDPR is no longer enough on its own. Esports players should ensure control over their personal data. In addition to strict regulations on data security and protection, licensing agreements for using performance data are also necessary, since the majority of contracts either lack regulations on sharing performance data or have insufficient ones. In simple terms, the outcome is that the esports athletes are relinquishing their assets.

“The majority of contracts do not regulate the sharing of performance data adequately or at all!”

The Gaps in Contracts

A seamless chain of contracts is therefore essential for organizations, tournament organizers, data analysts, and betting providers as end consumers. If the organization did not grant the permission to transfer the data to event planners or data experts (sub-license), there would be legal issues with the data. This implies that the company would be marketing data that cannot be shared because of the absence of sub-licensing. This legal issue would affect all stages of the value chain. In the final analysis, data analysts and betting providers would lack permission to use the data of the esports athletes.

For the organizations, the tournament organizers, the data analysts, and the end consumers, using someone else’s data without the right to do so can have unpleasant consequences, which can lead to claims for damages.

What Needs to Be Done

Esports athletes should examine their contracts to protect their data sovereignty. This pertains to protecting data and particularly to sub-licensing. It should be taken into account to make the permission for transferring and trading the data conditional on additional payment. The same rules also apply to the organizations. They need to verify if they have any financial ties to the data sales of their esports athletes or if they could potentially be tied to them. It is necessary to include suitable clauses in the agreements between the company and the event planner and the data experts if they are not already included.

It is important for betting providers to carefully examine the contracts with data suppliers to confirm that the information about esports athletes can be legally sold. If not, data owners could potentially seek compensation and make information requests as stated in Article 15 of the GDPR.

The trading of data in esports is daily business. Now, it is necessary to put data trading on a sound legal footing. For esports athletes and organizations, this means focusing more on the risk of data misuse than before and signing licensing agreements to participate in the sales revenue of the data.

DISCLAIMER

This post is an English translation of our partner blog www.e-sportrecht.de by Dr. Oliver Daum, which is an elaborate, yet free offering for the community. Hence, if you like the article or the site, we kindly ask you for feedback in the form of likes, comments, shares, follows, or retweets on social media.

Author

  • Dr. Oliver Daum

    Dr. Oliver Daum is a notable figure in the field of law, with a rich background and diverse experiences that have shaped his professional and personal life. Raised in the town of Plön, he completed his high school education in Preetz before embarking on an ambitious journey to study law. Prior to beginning his law studies in Kiel, Dr. Daum spent 12 months in Uganda participating in an unpaid volunteer service, an experience that broadened his perspectives and honed his sense of global responsibility. His academic path was further enriched by studying law for two semesters in Paris, adding an international dimension to his legal education. After passing the First State Examination in Law, Dr. Daum served as a research assistant at the chair of Prof. Dr. Alexander Proelß at the University of Trier, where he focused on the protection of human rights and wrote his doctoral thesis. Before founding his own law firm, he gained valuable experience working for an international commercial law firm in Hamburg and a medium-sized law firm in Kiel. Dr. Daum resides near Kiel with his wife and children, where he enjoys spending quality time with his family, playing football in a local club, and frequently meeting up with friends. He also has a keen interest in German and European history, which complements his professional pursuits with a well-rounded view of the cultural and historical context of his work.

Data Protection

Navigating the Aftermath: A 7 Steps GDPR-Informed Guide for Esports Tournament Organizers Following a Data Breach

In the digital-first realm of esports, where data flows as swiftly as the games themselves, the specter of a data breach presents a formidable challenge. The General Data Protection Regulation (GDPR), with its stringent data protection standards, serves as both a shield and a guide for organizations navigating these turbulent waters. This detailed guide offers esports tournament organizers a robust framework for responding to data breaches, ensuring compliance, and safeguarding the trust of players and fans alike.

1. Immediate Response and Assessment

The moment a breach is detected, the clock starts ticking. Immediate containment is crucial but so is understanding the nature of the breach. This understanding forms the bedrock of your response strategy. Whether it is a phishing attack that has compromised player data or a ransomware attack that has locked down critical systems, the specifics of the breach will dictate your next steps.

  • Technical Measures: Implementing advanced security protocols and encryption methods can significantly mitigate the risk of data being accessed or stolen. Regular security audits and penetration testing can also identify vulnerabilities before they are exploited.
  • Organizational Measures: Establishing a dedicated incident response team and conducting regular data protection and security training for all staff are vital. This ensures that everyone understands their roles and responsibilities in the event of a breach.

Article 32 GDPR (Security of processing) emphasizes the importance of having both technical and organizational measures in place to ensure the security of personal data.

2. Notify the Relevant Supervisory Authority

The GDPR mandates that data breaches likely to pose a risk to individuals’ rights and freedoms be reported to the relevant supervisory authority within 72 hours of discovery. This tight timeframe underscores the need for esports organizations to have a clear, efficient reporting process.

  • What to Report: The notification must include the nature of the personal data breach, the categories and approximate number of data subjects and personal data records affected, and the name and contact details of the data protection officer or another point of contact.

Article 33 GDPR outlines the notification requirements, reinforcing the importance of swift action and transparency with regulatory authorities.

3. Communicate with Affected Individuals

The High-Risk Threshold: When to Inform Data Subjects

If the data breach is deemed to pose a high risk to the rights and freedoms of natural persons, GDPR requires that these individuals be informed without undue delay. This communication must be clear, avoiding technical jargon, and provide details of the breach, its likely consequences, and the measures being taken to address it.

  • Best Practices for Communication: Offering clear advice on how individuals can protect themselves, such as changing passwords or monitoring for signs of identity theft, can help mitigate the impact of the breach. Providing a dedicated contact point for further inquiries also demonstrates your organization’s commitment to transparency and support.

Article 34 GDPR provides guidelines on communicating breaches to data subjects, emphasizing the need for clarity and helpfulness in such communications.

4. Engage with Third Parties

Partners in Protection: Working with Vendors

In the interconnected world of esports, third-party vendors often play a critical role in data processing. Whether it’s cloud storage providers, payment processors, or analytics services, ensuring these partners comply with GDPR is essential.

  • Contractual Safeguards: Agreements with third-party vendors should explicitly outline data protection and breach notification responsibilities. Conducting regular audits of these partners can also ensure compliance and identify potential vulnerabilities.

Article 28 GDPR stresses the importance of contracts in managing the relationship between controllers and processors, including in the context of data breaches.

5. Document Everything

The Record-Keeping Mandate

Documenting every aspect of the breach response not only aids in compliance but also provides valuable lessons for improving future security measures. This includes documenting the initial discovery, steps taken to contain and assess the breach, communications with authorities and affected individuals, and any remedial actions taken.

  • Learning from the Breach: Analyzing the breach and the response can reveal gaps in security and response planning. This post-mortem analysis is crucial for strengthening your organization’s data protection posture.

Article 33(5) GDPR mandates the documentation of personal data breaches, underscoring the importance of thorough record-keeping in demonstrating compliance and facilitating continuous improvement.

6. Review and Update Security Measures

Adapting to Evolving Threats

The digital landscape is constantly evolving, with new threats emerging regularly. Post-breach, it’s critical to review and update your security measures. This could involve adopting new technologies, revising access controls, or enhancing user authentication protocols.

  • Continuous Improvement Cycle: The response to a data breach should catalyze a cycle of continuous improvement in security measures. Engaging with cybersecurity experts and participating in industry forums can provide insights into emerging threats and best practices.

Article 32 GDPR calls for a review and continuous improvement of technical and organizational measures to ensure the security of personal data.

Ensuring Alignment with GDPR

Consulting with legal experts specializing in data protection laws can ensure that your breach response aligns with GDPR requirements. This legal consultation can also guide the refinement of policies and practices to enhance compliance and data protection.

  • Building a Culture of Compliance: Embedding data protection principles into the fabric of your organization, from the design of new services to the training of staff, fosters a culture of compliance and resilience against data breaches.

Article 25 GDPR (Data protection by design and by default) and Article 24 GDPR (Responsibility of the controller) highlight the importance of integrating data protection into all aspects of data processing activities.

Conclusion

For esports tournament organizers, navigating the aftermath of a data breach in compliance with GDPR is both a challenge and an opportunity. By following this detailed guide, organizations can not only respond effectively to breaches but also reinforce their commitment to data protection. This commitment is essential for maintaining the trust and confidence of players, fans, and partners in the esports ecosystem. In doing so, the esports industry can continue to thrive, underpinned by robust data protection practices that safeguard the rights and freedoms of all participants.

Author

  • Leonid Shmatenko

    Leonid Shmatenko is part of Eversheds Sutherlands’ data protection and technology law team. He has vast experience in regulatory and general issues in the areas of eSports and Blockchain. He advises eSports associations and clubs on all legal issues, advises and supports crypto startups in all matters from planning, preparation to execution of private and public token offerings (so-called Initial Coin Offerings or ICOs). Furthermore, Leonid Shmatenko specializes in international arbitration and has participated in several arbitration proceedings (SAC, ICC, DIS, UNCITRAL, ICSID, ad hoc) as a party representative and secretary of the tribunal. Leonid Shmatenko studied at the Heinrich Heine University in Düsseldorf and is currently pursuing a PhD in international law. After his successful first state examination (2011), he completed his legal clerkship, inter alia, at the German Embassy in Lima and within international law firms in Düsseldorf and Paris. He passed the second state examination in 2015. He is an external lecturer at the National Law University of Ukraine “Yaroslav Mudryi”, where he teaches International Investment Law. He is admitted to the Bar in Switzerland and Germany. Before joining Eversheds Sutherland, Leonid Shmatenko worked as an attorney at leading law firms in Geneva, Munich and Paris.

Data Protection

Data Protection in the Competitive Gaming and Esports Industry: A Brief Overview

In the digital age, the topic of data protection has taken center stage. The rapid digitalization has led to an exponential increase in data collection through various web services. Recognizing the immense value of this data, entities worldwide have tightened data protection laws, making them more intricate. The emergence of the metaverse, NFTs, and the growing significance of the gaming and esports industry have further complicated the landscape. Given the vast amount of data these industries process online, they are significantly impacted by these regulations.

The Intersection of Data Protection and Gaming

The competitive gaming and esports sectors predominantly operate online, processing personal data on a global scale. Multiplayer experiences and network management necessitate the collection of personal data. To access gaming services, users typically provide personal details like names, addresses, birth dates, credit card information, email and IP addresses, feedback from other participants, and personalized profiles. Companies must ensure compliance with relevant data protection laws when processing this data, a task that can be daunting for businesses operating and marketing globally.

Understanding the GDPR and Its Implications

The General Data Protection Regulation (GDPR) is a pivotal piece of legislation in this context. Notably, the GDPR can apply even if the controller or processor is not based in the European Union. Similarly, the revised Swiss Data Protection Act, as in force from September 2023, aligns closely with the GDPR and can apply to organizations outside Switzerland.

Defining Roles: Controller vs. Processor

Under the GDPR:

  • A controller decides the purpose and means of personal data processing, either alone or with others. They are the primary decision-makers regarding data processing.
  • A processor, on the other hand, processes data based on the controller’s instructions.

Distinguishing between these roles is vital. It determines responsibility for regulation compliance and is crucial for the exercise of data subject rights. However, this distinction isn’t always straightforward.

Key Principles of the GDPR

For controllers in the gaming and esports industry, the GDPR mandates the following principles:

  1. Lawfulness, Fairness, and Transparency: Personal data should be processed transparently, fairly, and lawfully. This involves having a legal ground for processing, ensuring the data subject is aware of the processing, and being transparent about data collection and usage.
  2. Purpose Limitation: Data should only be collected for specific, explicit, and legitimate purposes. Any processing beyond this is generally unlawful.
  3. Data Minimisation: Only relevant and necessary data should be processed.
  4. Accuracy: Controllers must ensure data accuracy and address any inaccuracies or incompleteness.
  5. Storage Limitation: Data should not be stored longer than necessary.
  6. Integrity and Confidentiality: Data should be processed securely, protected against unauthorized access, loss, or damage.

Additional Considerations for the Competitive Gaming and Esports Industry

Companies in this sector should also be mindful of:

  • Consent: It must be freely given, specific, informed, and unambiguous. Consent can impact marketing strategies, especially with direct marketing, profiling, and cookie placements.
  • Child Data: The GDPR has stringent requirements for child consent. Generally, autonomous consent is possible from age 16, but this varies among EU member states. For younger users, legal guardian consent is necessary.
  • Data Subject Rights: Players should be able to exercise their data protection rights, including access, rectification, erasure, and data portability.
  • International Data Transfers: Especially prevalent in multiplayer games, data might be stored on servers across countries. While data flow within the EU is unrestricted, transfers to other countries require appropriate safeguards.

Hence, as the gaming and esports industry continues to grow, understanding and adhering to data protection regulations will be paramount for companies to thrive and maintain the trust of their user base.

Author

  • Leonid Shmatenko
