Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein

Executive Summary

Commissioned by the German Federal Ministry of Education and Research, the “Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein – ULD” (Engl.: Independent Centre for Privacy Protection Schleswig-Holstein) drafted an expert report on data protection in online games. The report reviews existing online games and their integration in different platforms, e.g., mobile phones, consoles, or personal computers. Recently, online games have been increasingly integrated in social network platforms like Facebook or Twitter. The new generation of online games generates considerably more flow of data than traditional games. The integration of online games into social networks can pose a potential threat to the privacy of its users. A huge amount of information about the users of the network and the game may be disclosed to the operator and third parties. They may serve furthermore as a base for the creation of extensive user profiles. These profiles can be used, e.g., for behavioral advertisement or similar methods of influencing the users’ behavior.

Current situation

Online games attract more and more users. There are different platforms and systems like Xbox Live (by Mirosoft) or Playstation Network (PSN by Sony) on which these games can be played. Operators of these platforms are located all over the world. One of the major sale arguments of modern consoles is the online functionality. Similarly, mobile communication devices allow playing at any time and anywhere, as long as a (GSM / wireless) network is available. This process leads to a loss of the clear boundaries of personal data and its processor into social networks. Online games allow the management of friends, provide communication through text, speech and image, and may be integrated into social networks like Facebook and Twitter. In addition there is a rapid increase of games that are played directly within social networks, like Facebook or StudiVZ.

Issue of the survey

Online games depend on the information about their users. This information may concern the arrangement of the contracts and payment as well as the usage pattern. In some cases, the collection of data is apparent to the user, e.g., if the data subject has to fill in a form. Other data may be collected and used without the user’s direct cooperation. The data collection, e.g., on the used software and hardware as well as files on the computer, may be done without the user’s consent or even his / her knowledge – for the purpose to track software and intellectual property piracy or cheaters. These data can contain quite a lot of information on the user.

Furthermore information about the skill levels, time and scope of usage are processed and sometimes even disclosed through the internet. Not only operators of sites may have an interest in the information. It may as well be of concern to (potential) employers and colleagues. This may be a threat to the user’s privacy, in particular when public or internal data are linked with other data. The possibility to link these data with information from social networks, search engines or personal contacts about the user may result in assumptions about the user’s behavior and may influence his / her real life.

The survey

The survey analyses the data protection issues of online games and suggests possible solutions. Games of different platforms have been analysed in respect to the data processing. Attention has particularly been paid to the transparency of the processing and the privacy policy statements. Opinions and discussions in online and print media as well as professional media have been analysed. Different workshops have been carried out. A very valuable source was the result of a poll with more then 1200 participants. Answers to openly phrased questions yielded best results, because they often led to new issues. In the report, the results are being discussed in respect to the data protection and privacy issues of the survey.

In this respect the first step was to analyse which regulations are applicable. In the course of the survey we decided to lay the focus on European and German legislation. Most games aiming at German consumers fall within these legislations.

We have identified 27 single functionality modules of online games with relevance to privacy issues. For each module, the relevant legislation are identified, the content of the norm are clarified and hints are given for the practical application. This results in the development of a privacy code of practice for online games. An earlier version of this privacy code of practice has been presented to and discussed with practitioners, game developers and operators in workshops.

Beside the legal evaluation the views of the users have been taken in concern as well. Their interests have been integrated a great deal into the survey. One chapter of the survey concentrates on the sociological and economic effects of online games. 
The last part was dedicated to the question of the market impact of privacy-compliant products. This analysis also took into account the possibility of third party certifications and other services.

Findings

Applicability of European data protection laws

The general principle is that business need to comply with European data protection laws if they are based in and operating out of a European member state.

As recent guidance from the Article 29 Working Party has made clear, any online business that targets a European audience can potentially be subject to European data protection rules, even if established in a non-European territory.

Article 4 of the European privacy directive (95/46/EG) states that member states must apply the national data protection laws whenever a business is established within their territory or, if this is not the case, when the business makes use of equipment, automated or otherwise, situated on the territory of the said member state for the purpose of processing personal data. So a company needs to comply with European data protection laws if it has a base of operations within the European member state or if it uses data processing equipment within a member state of the European Union.

Statutory source

Non-European operators aiming at German users usually have to comply with European and German data protection regulations. Within the European Union, under the principle of the country of origin respectively the principle of the place of establishment, the laws of the country in which the data controller is based are applicable. This in the end should not cause great divergences between different countries since the national legislation is harmonized by relevant European legislations, e.g., the data protection directive.

In Germany online games fall within the scope of the German Teleservices Act (Telemediengesetz – TMG) because they are understood as electronic teleservices. The processing of data about the user in respect to the online game and the usage of online games fall within the scope of the TMG. The processing of other data about the user falls within the scope of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

The collection, processing and use of personal data is, as a general rule, admissible only if permitted or regulated by act or legal provision or if the data subject has consented. If none exists, the collection, processing or use of personal data is prohibited. As an example one can assume that processing of data for the establishment of contracts or payment purposes is in general admissible. Usage data may be lawfully processed in order to provide the service or enable the payment. Collecting, processing and use of personal data for other purposes normally requires the consent of the user. The consent must base on the data subject’s free decision and must be stated in knowledge of the relevant circumstances. Consent may be withdrawn at any time. Therefore special attention must be paid to the relevant declarations.

Operators of online games are obliged to collect, process and use only the data necessary to fulfil the given purpose. Before processing data, operators have to identify clearly the object and purpose of the data processing. Data retention without a clearly defined purpose is prohibited under German law. The user has to be informed about the purpose by the operator. The operator has to evaluate continuously whether the storage of the collected data is necessary. If personal data is not needed any more, the data have to be erased unless rules explicitly demand the storage of those data.

Furthermore, operators have to ensure the appropriate level of data security.

The German legal provisions demand that operators have to provide the anonymous and pseudonymous participation of users in online games if possible. Users have to be informed and it must be ensured that the real names of used pseudonyms are not disclosed.

All operations on personal data including the transfer of data to third parties require a legal basis. Under German law there is not privilege to data transfers within economic group units like a multinational company. Therefore the transfer of data between two members of one multinational company, although legally independent, requires a relevant legal basis, which in most cases has to be the consent of the user or order data processing.
Within the European Union the operators may pass parts of the data processing to a data processor without losing the legal liability for the processing. The processor is then processing the data on behalf of the operator. This requires contracts between the operator and the processor in which both parties agree on the details of the processing and the demands in data security. The processing of data outside the European Union requires in most cases the consent of the user.

Attention has to be paid to the fact that under German law the IP address is usually regarded as personal data. This means that data protection regulations apply to IP addresses. Legal problems can be avoided by anonymising the personal information.

Moreover, operators have to consider and implement the users’ right of access to their personal data. Further they have to make sure that requests for correction, erasure or withdrawal of consent are correctly carried out.

The communication between users is subject to the secrecy of telecommunication and has therefore to be secured against the access of third parties. The communication must not be fully monitored. There may be exemptions due to the protections of users. But the monitoring have to be communicated to the users.

Investigation of games

As a result of the investigation of different games we found several breaches of data protection rules. Most of the privacy policy statements did not meet the required standard of comprehension and completeness. Some operators had infringed the principle of necessity and the restriction of the processing to the predefined purposes. A lot of operators (esp. from outside the European Union) do not regard the IP address as personal data and therefore do not obey to the data protection rules. Requests for consent were too broad and did not contain enough information for users in the demanded manner. The erasure of data was impossible in some cases, in other cases users had to ask several times for the erasure. It was unclear which kinds of data were given to the operator if games were included into social networks. Some games had already transferred data to the operator during the installation routine but users were not informed about it. Hidden systems of usage monitoring did not reveal which kinds of data were transferred. Only few operators allowed anonymous or pseudonymous payment. And some operators completely monitored the content of communication between users.

Further results

Our survey made clear that many users are interested in data protection and privacy issues. They do not feel to be in control of their data and are insufficiently informed. Operators are unsure about the legal requirements and their obligations. Online games should be designed in a privacy-friendly manner, compliant to data protection regulation. This will increase the trust of the users in the product as well as the producers and operators that is necessary for long-term customer loyalty. Audits and privacy seals can support operators and producers in achieving this aim.
If the operator or producer is lacking the competence in privacy matters, external service providers can give support.

Outlook

During the time of the survey new developments have occurred. They raise new privacy issues. Online games are integrated more and more into social networks or become a social network themselves. “Casual games” encourage users to transfer health information (like weight progress or workout results) to operators so that these data can be used as part of the game. Data of games on mobile devices may be combined with the location data of the mobile device. Since in Germany the development of online games is in its beginning, it provides the opportunity to design games in a privacy-compliant manner. This gives the chance to avoid infringements of data protection regulation as known from other online services.