Data Protection
Data Protection – The concept of data protection designates the process of safeguarding data from unauthorized access, communication, corruption, compromise, or loss. Data protection, in its broadest meaning, can concern all kinds of confidential data, whether of an economic, business or personal nature.
The protection of data requires the implementation of various types of measures. These measures can be of a technical nature (e.g. identification and authentication of users of systems likely to access the data, use of sufficiently protective passwords, data encryption, network protection), of a contractual nature (e.g. confidentiality agreements), or even of a regulatory nature (i.e. compliance with applicable legislation).
When it comes to data protection, the area that first comes to mind is personal data protection. With regard to personal data, regulations at European level are relatively recent, whereas France has been a pioneer nation in the protection of personal data, as the first law on this topic was adopted in 1978.
At European level, the applicable regulation is the General Data Protection Regulation (GDPR) 2016/679, adopted by the European Parliament on April 14, 2016 and in force since May 2018.
GDPR defines “personal data” as
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.[1]
Under GDPR, the most protected category is “sensitive data”, which includes information related to ethnicity, religion, race, sexual orientation, or even political opinions. As a principle, it is prohibited to process this type of data, except in certain cases, for example where the user has consented to it, or where it is necessary for the public interest[2].
Among the rules provided by GDPR, the processing of personal data shall be lawful, and transparent to the users. According to the “data minimization” principle, the data processing must be necessary and dedicated to a determined purpose. It is also mandatory to ensure that the personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed[3].
The GDPR also provides for various rights applicable to individuals whose personal data is processed.
Data privacy and the gaming industry
When applied to the gaming industry, data privacy is fundamental. Indeed, when players register online, they generally provide several pieces of personal information such as an email address, gender, age and potentially their name. Some games include in-game purchases, which implies that the players may also provide card or payment details.
The processing of this personal information implies that all stakeholders, notably game developers, providers and hosts, comply with applicable regulations and use all means at their disposal to avoid any personal data breach.
The information provided to gamers whose personal data is collected must be particularly thorough and clear, especially as it very often concerns the personal data of players who are minors, which implies compliance with specific rules.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1, Article 4.
[2] Ibid, Article 9.
[3] Ibid, Article 5.