Europe's data protection laws are changing. Are you prepared?
Harbottle & Lewis' Nic Murfett examines the ramifications of forthcoming legislation
For a number of years the European Commission has promised to modernise, harmonise and extend the remit of the EU's data protection regime. With the recent spate of cyber attacks on the likes of Sony once again bringing the issue of data security into the public eye, now may be the time that the European Commission acts on that promise and pushes through the draft general data protection regulation (GDPR) that has been debated since 2012. If introduced, the GDPR would represent the first major overhaul to the EU's data protection regime since the introduction of the Data Protection Directive (Directive) in 1995 and would present a number of benefits and challenges for games studios at a time when knowing as much about your consumers as possible has never been more valuable and the dangers presented by today's digital economy have never been more real.
The following table is a brief summary of each of the key areas which are likely to be affected by any new legislation, and what those changes could potentially mean for you. Each area is covered in more detail in the text which follows.
Issue | Proposed changes | Benefit or challenge? | Effect |
---|---|---|---|
Differing levels of protection afforded to personal data across the EU | The GDPR would ensure a consistent level of protection for personal data across the EU | Benefit | Complying with the EU's data protection regime should become easier for studios operating in a number of EU Member States |
Non-EU entities are often not bound by the Directive | Non-EU entities will be bound by the GDPR if they process personal data relating to a person resident in the EU in relation to either the offering of goods or services to that person or the monitoring of that person's behaviour | Challenge | Non-EU studios are likely to be bound by the GDPR and so will need to consider their heightened data protection obligations under the GDPR |
Relying on implied consent to data processing | Consent must be explicitly obtained, either by a statement or by a clear affirmative action by the data subject | Challenge | Studios will need to ensure that each player accepts the studio's privacy policy before any data processing takes place |
Obtaining consent from children under 13 years of age | For children under 13 years of age, the child's parent or guardian must consent to any data processing of the child's personal data on behalf of the child | Challenge | Studios will need to consider how they verify the age of their players and make sure that privacy considerations are built into the design of their games to allow players to control their privacy settings easily and effectively |
Data processors are not bound by the Directive | Data processors will be bound by the GDPR | Challenge | Entities processing personal data on behalf of another entity will need to familiarise themselves with their heightened data protection obligations under the GDPR |
The length of time data controllers have to notify the relevant authorities of a data security breach | Data security breaches must be notified to the relevant supervising authority “without undue delay, and where feasible, not later than 24 hours” after the data controller becomes aware of the breach and to data subjects without undue delay if the breach “is likely to adversely affect the protection of the personal data or privacy of the data subject” | Challenge | This requirement is significantly more draconian than the current voluntary regime in the UK and the 30 day notification requirement recently proposed by President Obama. Studios will need to act fast once a data protection breach has been discovered to minimise their exposure |
Compliance monitoring | Entities processing personal data must appoint a Data Protection Officer to monitor their compliance with the GDPR if they employ more than 250 people or if their activities require regular and systematic monitoring of persons resident in the EU | Challenge | Studios will need to consider whether they are caught by the requirement to appoint a Data Protection Officer and, if they are, either train up an existing member of staff or hire a suitably qualified person to perform the role |
Harmonisation
The EU's existing data protection regime is essentially governed by the Directive, each Member State's own national data protection legislation and the various decisions of the Court of Justice of the European Union. Whilst the courts of all Member States have a duty to interpret their national data protection legislation in light of the Directive, a directive must be transposed into national law rather than applying directly, and this has led to Member States implementing and interpreting the Directive in different ways. Studios processing personal data on a pan-EU basis currently face significant compliance challenges as a result. The GDPR should make complying with the EU's data protection regime easier, as a regulation is directly applicable in each Member State without the need for national implementing legislation. This will ensure that the same data protection laws apply in each Member State, thereby creating a harmonised approach to the way that personal data is protected in the EU. Viviane Reding, the then European Commissioner for Justice, Fundamental Rights and Citizenship, has previously referred to this harmonised approach as a "pillar of [data protection] reform" and has stated that the intention is for the EU's data protection regime to become "fast, consistent and predictable".
Territorial scope
Perhaps the most controversial change that the GDPR would introduce relates to its jurisdictional scope. Under Article 3(2), any non-EU entity would be bound by the GDPR if it processes personal data relating to a person resident in the EU in relation to either the offering of goods or services to that person or the monitoring of that person's behaviour. This would almost certainly capture any non-EU studio that processes personal data belonging to people resident in the EU.
The GDPR's extended jurisdictional scope closes the loophole that currently exists in the Directive that enables a non-EU entity to avoid regulation under the Directive by not having an establishment in the EU or, even if it does, by not processing personal data "in the context of the activities of [that] establishment". However, exactly how national regulators will enforce the GDPR against a non-EU entity with no establishment in the EU is not clear. It may be that the negative publicity that inevitably follows a finding of non-compliance will be enough to convince most non-EU studios caught by the GDPR to comply.
Further, any non-EU entity bound by the GDPR by virtue of its extended jurisdictional scope will need to appoint a "representative" within one of the Member States from which the personal data it is processing is derived unless that non-EU entity: (a) is situated in a country which has been found by the European Commission to offer adequate protection for personal data (this list includes game development hubs such as Canada and, provided that the non-EU company has signed up to the US Safe Harbor scheme, the USA); (b) employs fewer than 250 employees; or (c) only offers goods or services to consumers resident in the EU on an occasional basis.
Consent
Any processing of personal data must, of course, still be done lawfully, and obtaining the consent of the people whose personal data is processed will remain a valid method of establishing the lawfulness of such processing under the GDPR. However, the explanatory notes to the GDPR make it clear that the way consent is obtained will be very different once the GDPR is introduced. No longer will it be enough for studios to rely on implied consent. Studios will therefore no longer be able to treat players as having consented to having their personal data processed in accordance with the relevant studio's privacy policy simply by playing that studio's game.
Instead, as the GDPR's explanatory notes state: "Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent."
This will mean that studios will have to ensure that a player explicitly accepts the studio's privacy policy before any data processing is carried out by, or on behalf of, the studio, for instance, before the player downloads a copy of the game or accesses any of its content. For a studio whose game is available via a digital marketplace (such as the App Store or Steam), it may also no longer be sufficient to provide a link to its privacy policy in the pre-contractual information that it is required to provide and to state there that, by downloading the game, the player will be deemed to have accepted the privacy policy and consented to the studio processing their personal data in accordance with it. Best practice may be to ensure that when a player accesses a game for the first time, the player is presented with the studio's privacy policy and is then required to tick a box or press a button acknowledging that the player consents to the studio processing the player's personal data in line with that privacy policy before any such processing takes place.
The GDPR is also likely to be more prescriptive than the OFT's Principles for Online and App-based Games which simply require a studio to provide the player with information of "how, and the reasons for which, personal or other data may be collected and processed", without requiring the studio to ensure that the player explicitly acknowledges that it consents to such collection and processing. Studios will therefore need to consider when designing their games how they will obtain valid consent from their players. National data protection regulators, such as the Information Commissioner's Office in the UK, may strongly recommend that platforms themselves help facilitate this by implementing a requirement for studios to obtain explicit consent from players as part of the download process, for instance, via a pop up before a game is downloaded.
Children
Obtaining consent from children will be more complicated. Currently, the Directive does not contain any specific provisions regarding the age at which a child can give valid consent to the processing of their personal data. This will change under the GDPR, which defines a child as any person under the age of 18 years. However, in relation to any personal data that is processed in respect of a child below the age of 13 years, the GDPR states that such processing "shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology." This will bring the EU's data protection regime more closely in line with the US's Children's Online Privacy Protection Act of 1998 which places similar requirements on any company that wishes to process any personal information relating to a child under the age of 13 years.
This, coupled with the new requirement to implement organisational and technical procedures to ensure that personal data is protected "by design and by default", will mean that studios will need to take extra care when designing their games (particularly, but not exclusively, those targeted at children below the age of 13 years) to ensure that mechanisms are in place to ascertain the age of the player, establish whether parental consent will be required and allow players to control the privacy settings in any game they play easily and effectively.
Obligations for everyone
Unlike the Directive, which only places obligations on data controllers (i.e. those entities that determine the purposes, conditions and means by which personal data is processed), the GDPR will place direct obligations on both data controllers and data processors (i.e. those entities that process data on behalf of a data controller). For instance, both data controllers and data processors will need to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation." This requirement to view security as a dynamic concept which must be kept in line with the state of the art goes further than the equivalent requirement in the Directive. Studios processing personal data will need to factor in their security obligations when setting their annual budgets and keep abreast of developments in this area if they are to stay in compliance with the GDPR.
Breach notifications
The GDPR will also introduce new requirements for data controllers to notify the relevant supervising authority and the individuals involved (if the breach adversely affects their data or privacy) of any personal data breaches "without undue delay and, where feasible, no later than 24 hours after having become aware of [the breach]". Whilst electronic communications service providers are already under such an obligation by virtue of the Privacy and Electronic Communications Directive, this requirement is significantly more draconian than the voluntary notification regime that currently applies to all other data controllers operating in the UK. It is also significantly more draconian than the 30 day self-notification requirement President Obama recently indicated he intends to propose to Congress. Studios operating in the EU would need to ensure that they act quickly in the event of a data protection security breach to ensure that their exposure to fines is minimised as far as possible.
Data Protection Officer
Data controllers and processors will also be required to appoint a Data Protection Officer (DPO) if personal data is to be processed by an "enterprise employing 250 persons or more" or if "the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of [consumers resident in the EU]." Whilst the first limb of this test is likely to exclude many studios operating in the EU, the second may well capture the activities of some F2P studios. Whether monitoring is enough to satisfy the "regular and systematic" definition will need to be assessed on a case by case basis and in light of the final approved wording of the GDPR.
Once appointed, the DPO must perform its tasks independently and must not receive any instructions as regards the "exercise of [its] function." In essence, the DPO will act as an internal data protection compliance auditor. However, numerous recent reports have suggested that there is currently a critical shortage of suitably qualified DPOs in the EU. Any studio that believes it is likely to be caught by the requirement to appoint a DPO should therefore strongly consider investing in training up an individual to act as its DPO in advance of the GDPR coming into force, to avoid a mad scramble to recruit a suitably qualified DPO at that point.
Get prepared
Whilst we still do not have a firm timetable for the introduction of the GDPR into European law, a statement released by the European Council in October last year indicates that there is significant desire within Brussels for, at the very least, the GDPR to be in agreed final form by the end of this year (although even then there is still likely to be a 2 year implementation period before all Member States are bound by the GDPR). Regardless of when the GDPR is finally introduced into EU law, studios processing personal data of people resident in the EU will want to consider their heightened obligations under the GDPR in advance of its introduction, particularly given the significant and much publicised fines (up to the greater of 5% of annual global turnover or €100m) that can be levied on anyone found to have intentionally or negligently processed personal data in contravention of the GDPR. Going forward, those studios that make protecting personal data part and parcel of their operations and game design will be best placed to take advantage of the EU's harmonised data protection regime.
Nic Murfett is an Interactive Entertainment Associate at Harbottle & Lewis LLP of London.