New data portability rights for users of game play sharing platforms
Published on 21st Aug 2017
Sharing of game play footage is hugely popular in the gaming community, with some gamers becoming well known online for the videos they share. Platforms which enable individuals to share their gameplay footage often have large numbers of subscribers accessing content on a daily basis worldwide.
Under the General Data Protection Regulation which comes into force throughout the EU on 25 May 2018 (the “GDPR”), gamers who share gameplay footage (including, for example, footage of them carrying out play-throughs, or competing in e-sports) may benefit from the so-called “right of data portability”. This means that in certain circumstances, they may be able to require the platform they use to provide them with a copy of their personal data, or transfer it to another platform.
At this stage it’s not completely clear how the right will apply in this context, or what approach regulators will take to enforcing it. The Article 29 Working Party of the European Commission has produced guidance, which addresses some of the more common questions and concerns (the “A29WP Guidance”). However, other issues may not be fully answered until after the GPDR actually comes into force once supervisory authorities start to enforce the requirements.
What is the right of data portability?
The right of data portability forms part of the European Commission’s digital single market strategy. Its aim is to strengthen the control individuals have over their personal data, ,including by enabling them to switch more easily between different service providers. The A29WP Guidance also acknowledges that the right may increase competition by preventing “lock in” to a particular service, although this is not its primary purpose. In summary, where the right applies, individuals who have provided a copy of their personal data to a data controller will have the right to:
- receive a copy of their personal data in a structured, commonly used and machine-readable format; and
- require their personal data to be transmitted directly from one data controller to another, where technically feasible.In principle, various types of data may be ported. For example, lists of “contacts” that a player makes through the platform; lists of videos that a subscriber has “liked” or viewed; as well as lists of an individual’s titles included in “playlists”, or “favourites”. It’s also possible that, in certain circumstances, platforms may be required to port a subscriber’s video game footage to a competing platform, if a subscriber makes such a request.
What are the limitations to the right of data portability?
Operators of game play sharing platforms should be aware of the limitations of the right of data portability:
- The right to port data from one platform to another only applies where it’s technical feasible. There’s no obligation for a platform to use a processing system which is technically compatible with that of a competitor. This could result in practical challenges, for example, it may not be clear whether a transfer of personal data to another platform is technically feasible without knowing certain technical information about the other platform. Platforms are not required to process game play footage in a format which is interoperable with that of a competitor. If technical issues prohibit transmission, the platform will need to explain this to the subscriber. There’s no exception for non-compliance simply because of the size of the data, or its complexity.
- The “technically feasible” qualification, should be considered alongside the requirement that personal data must be transmitted “without hindrance”, which may include introducing technical obstacles to prevent transfer.
- The right of data portability will only apply where the processing is based on the consent of the subscriber, or where the processing is based on a contract.
- The right applies in relation to personal data “provided to a data controller” by the subscriber. The A29WP Guidance makes it clear that this will include data generated by the activities of the subscriber. For example, personal data collected through activity logs, history of website usage, or search activities.
- There’s no requirement to retain personal data beyond its normal retention period. For example, if a platform’s approach is to only stream live play-through footage, which is deleted from the platform’s servers once the play-through is complete, there’s no obligation on the platform to retain a copy of the footage, just in case a subscriber wishes to exercise their right of data portability in future.
- Where a subscriber exercises their right of data portability, this does not automatically mean that the platform has to delete the personal data.
- Platforms will not be required to comply with data portability requests from subscribers, to the extent that such requests “adversely affect the rights and freedoms of others”. This might include circumstances where the personal data in question also comprises personal data of a third party, or where exercise of the right could potentially infringe the intellectual property rights of a third party (or in principle, the licence terms of a developer).
What do game play sharing platforms need to do / what are the risks?
In order to prepare for the new right of data portability, game play sharing platforms should:
- Understand when the new data portability laws will apply and when they won’t, and consider how they provide their services, to work out whether the personal data they process might be caught.
- Plan ahead and try and adopt a “privacy by design” approach, to make sure their platform has the technical capabilities to comply with data portability requests.
- Make sure subscribers are aware of the right if it applies, and explain it to them (usually by including information in a privacy notice provided to the subscriber).
- Understand the risks of non-compliance with the GDPR. Regulators have the power to issue fines of up to €20m, or 4% of worldwide turnover, if greater, for non-compliance. More serious breaches are more likely to attract fines at the upper end of the scale. There’s also a significant risk of reputational damage for non-compliant organisations.