Data Protection Law

Discussions about Servers
Aldebaran
Masterful
Posts: 672
Joined: Thu Jan 28, 2016 7:30 pm

Data Protection Law

Post by Aldebaran »

In the European Union there is now a law, the "General Data Protection Regulation", that will take effect from May 2018. Many websites that aren't for private use only will then have to have a data protection declaration in which they describe which personal data is stored, how it is used, passed on to others and so on.
Are Unreal Tournament game servers offered to the public affected if they are hosted in the European Union?
And to what extent do a player name + IP + login date count as personal data? Even if this information is pseudonymised it can be regarded as personal data.
Or are the game servers all for private purposes, because we make no money with them, so we don't have to care about this law?

I think there will be lawyers who will make money with written warnings if they find reasons for them.
Does this situation concern other game communities too? Perhaps someone can tell us some important news?

You can find the text of the law in many languages here, but it will be better for most of us to google for articles where this law is explained:
http://eur-lex.europa.eu/legal-content/ ... 32016R0679
Feralidragon
Godlike
Posts: 5489
Joined: Wed Feb 27, 2008 6:24 pm
Personal rank: Work In Progress
Location: Liandri

Re: Data Protection

Post by Feralidragon »

This is one of the things that I will have to personally take care of myself very soon, but I already got the basic gist of it from a lawyer, and essentially the whole thing is about what data you can associate with an individual person.

Things like email addresses, real names (not necessarily nicknames), credit card numbers, etc., are all things which bind data to a specific person, so those must be fully visible to their owner by law, and the way they are worked with, handled or shared with other entities should be comprehensible.

IP addresses do not seem to be directly affected by this, not necessarily at least, for the simple fact that an IP address can be shared across an unlimited number of individuals, so it's a bit of a gray area for them.
At most, with the IP alone you can only identify the country of origin in many cases, or, if you dig deep enough, the ISP, the city, or maybe the set of clients who ever used that IP, as generally you don't always have the same IP. Sometimes you cannot identify anyone at all.
However, it can also be said that a client with a fixed IP, or a client who was the sole user of that IP for a specific amount of time (as ISPs generally have this logged in some way), can be considered to be personal data that identifies an individual, so it's tricky, and I would say it depends on the situation, and on how much data is mashed together in order to be able to identify an individual.

Also, from what I understood, the law can be enforced without having to delete all data of a user (when the user wants to be "forgotten"), because in some cases that might even be impossible.
However, deleting the actual data that identifies a user, so that whatever other data there is is no longer connected to said user, is also a valid way of enforcing it, because now that data is associated with no one, and that's the whole concern about data protection here.

Therefore, an advised way to do it is to never include personal data anywhere at all, and instead to have some sort of id that you generate yourself, which makes sense only to you, and to associate all that data with it.
And then, from there, you would have a central place with all the actual IPs, emails and whatnot, which would be associated with that id.
Therefore, should someone want to know all their data, you can query through that id you generated, and in case a user wants to be forgotten, you just delete the email, IPs, etc. themselves, while keeping the rest of the data intact if you wish, as the id no longer identifies "anyone".

It all goes down to whether or not you can say if data X belongs specifically to an individual or not. If the answer is no, there's no problem, if the answer is yes, you have to make arrangements so it can be both seen and "deleted" by that individual.

And in the case of game servers, I don't think that's an issue, because first and foremost you're not a business, and the businesses are the ones mostly targeted by this, and the IP resides in a gray area anyway, so it's not a focus of worry as long as the actual personal data is correctly taken care of, if existent at all, which in your case I don't think you have to worry about.
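The store layout described in the post above (an internally generated id, one central identity table holding the IPs and emails, all other records referencing only the id), written out as a small Python example. This is an added illustration, not code from the post or from any UT server software; the class and field names are my own, and the player and visit data in `demo()` are constructed for the example. The point it shows that the prose does not: the id must be a random token rather than a hash of the nickname or IP (a hash can be recomputed by anyone who knows the inputs, which undoes the pseudonymisation), and "forget" only has to remove the identity row for the remaining rows to point at no one.

```python
"""Pseudonymised player records (added example, not the forum's code).

Personal data (nickname, IP, email) lives only in one identity table keyed
by a random id generated by the server. Visits and bans reference the id
only. export() serves an access request; forget() erases the identity row
and leaves the other rows pointing at nobody. Sample data is constructed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Identity:
    # The only place where data that points at a real person is kept.
    nickname: str
    ip: str
    email: Optional[str] = None


@dataclass
class Visit:
    # Operational record: carries the pseudonymous id, never the person.
    player_id: str
    logged_in: datetime
    score: int


class PlayerStore:
    def __init__(self) -> None:
        self._identities: dict[str, Identity] = {}
        self._visits: list[Visit] = []
        self._bans: dict[str, str] = {}  # player_id -> ban reason

    def new_player(self, nickname: str, ip: str, email: Optional[str] = None) -> str:
        # A random 128-bit token, not hash(nickname) or hash(ip): a hash of
        # known inputs can be recomputed by anyone, so it would still identify
        # the person. A random id only means something together with this table.
        player_id = secrets.token_hex(16)
        self._identities[player_id] = Identity(nickname, ip, email)
        return player_id

    def lookup(self, nickname: str) -> Optional[str]:
        # Resolve a person to their id; only possible while the identity exists.
        for pid, ident in self._identities.items():
            if ident.nickname == nickname:
                return pid
        return None

    def record_visit(self, player_id: str, when: datetime, score: int) -> None:
        self._visits.append(Visit(player_id, when, score))

    def ban(self, player_id: str, reason: str) -> None:
        self._bans[player_id] = reason

    def export(self, player_id: str) -> dict:
        """Everything held about one id, joined for a data-subject request."""
        return {
            "identity": self._identities.get(player_id),
            "visits": [v for v in self._visits if v.player_id == player_id],
            "ban": self._bans.get(player_id),
        }

    def forget(self, player_id: str) -> bool:
        """Erase only the identifying row. Visits and the ban keep the id, which
        now names no one. Returns False if the id is unknown (already forgotten)."""
        return self._identities.pop(player_id, None) is not None

    def is_identified(self, player_id: str) -> bool:
        return player_id in self._identities


def demo() -> dict:
    """Constructed walk-through: register, play, get banned, then be forgotten."""
    store = PlayerStore()
    pid = store.new_player("Aldebaran", "203.0.113.7", "player@example.invalid")
    store.record_visit(pid, datetime(2018, 5, 25, 20, 0), score=31)
    store.record_visit(pid, datetime(2018, 5, 26, 21, 15), score=27)
    store.ban(pid, "team killing")
    before = store.export(pid)
    store.forget(pid)
    after = store.export(pid)  # identity gone, visits and ban still there
    return {"id": pid, "before": before, "after": after, "store": store}


if __name__ == "__main__":
    result = demo()
    print("identity after forget:", result["after"]["identity"])
    print("visits kept:", len(result["after"]["visits"]))
    print("ban kept:", result["after"]["ban"])
```

Note that while the identity table still has a row for the id, the visits and the ban are pseudonymised rather than anonymous, exactly the point Aldebaran raised in the opening post; they only stop being personal data once `forget()` has removed that row (and any backups of it).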
Higor
Godlike
Posts: 1866
Joined: Sun Mar 04, 2012 6:47 pm

Re: Data Protection Law

Post by Higor »

This is troublesome, what are the odds of seeing banlists and ACE databases being eligible for deletion on demand?
/EDITED/
Feralidragon
Godlike
Posts: 5489
Joined: Wed Feb 27, 2008 6:24 pm
Personal rank: Work In Progress
Location: Liandri

Re: Data Protection Law

Post by Feralidragon »

Actually, the "right to be forgotten" is not without conditions, however:
http://www.privacy-regulation.eu/en/art ... 7-GDPR.htm
In other words, it pertains mostly to data which is exposed or shared in some way, such as in search results and the like, and do not forget that this only applies to EU citizens, so whatever data you have from citizens of other countries is absolutely safe from this law.

Server owners have the right to keep these lists, regardless of what the player requests, because they are used internally to keep such a player banned from the server; it serves a purpose which in no way violates the privacy of the player in question, so the player is not entitled to have it forgotten.

However, server owners are not free to share these lists with others, nor to expose them to the world, unless the player has actually explicitly agreed to it.
If a server admin shows the world a list of all the users banned from that server, and there's any name there of a player who has not agreed to it, then that would be a violation of this law, I believe.

Therefore, the only way to fully enforce this without any complications is to only allow players to play on the servers if they explicitly agree to a set of rules imposed by the server concerning the privacy of their data and its usage in the first place.
However, again, this law is mostly aimed at businesses, no one's gonna pry on UT99 servers and forums and the like, so I don't think you guys have to worry about it.