IMPLEMENTING THE EU GENERAL DATA PROTECTION REGULATION (GDPR): AN OVERVIEW FOR DIGITAL ENTERTAINMENT BUSINESSES

SUMMARY

1. The GDPR is a fundamental reform of EU data protection regulation which will impact any business using EU personal data (whether inside or outside the EU) and take effect in the EU on 25 May 2018.

2. Businesses processing data will be subject to greater regulatory requirements and individuals will have stronger rights, e.g. it will be harder to rely on consent as a ground for processing data. Data protection authorities will have greater enforcement abilities than before, including the ability to impose higher fines for breaches.

3. Businesses should update their internal data use and protection policies, start making data protection a core part of business thinking and review material business agreements. But in reality, there is a great deal of uncertainty still about what to do first, how to do it and how far to go. In practice, many businesses are looking to see what the major players do and what the regulators say about it.

4. In our view, small to medium sized digital entertainment businesses (e.g. game developers and esports teams) should take a reasonable and proportional view on what improvements to make and keep an active eye on the wider industry trends, which we expect to provide more clarity and actionable changes in the coming months after the GDPR comes into effect.

OVERVIEW

What is the General Data Protection Regulation (GDPR)?
The GDPR is an EU regulation which will take effect from 25 May 2018 and introduce wide-ranging changes on how personal data can be collected and used.

To whom does the GDPR apply?
Both EU and non-EU based businesses that process EU “personal data”.

What is “personal data”?
In simple terms, it will continue to mean any data which can identify a living individual, but businesses will have to think even more carefully about what that means. Personal data will still include things like names, physical addresses, email addresses, age, gender, sexual orientation and health details, but businesses will also have to be careful around data like IP addresses or geolocation data. We will just say ‘data’ for short in this note.

What are the core data protection requirements currently?
Under current EU data protection law, data controllers (more on them shortly) are required to follow eight data protection principles, including obtaining data only for lawful purposes and having measures in place to ensure the integrity and confidentiality of such data. There are also restrictions on transferring data outside of the European Union. There are a large number of ancillary laws and regulations, for example regarding the use of cookies/tracking technologies (AKA the ‘Cookie Directive’). These rules are not harmonised across the EU, with different Member States taking differing approaches.

Who is responsible for data protection compliance?
All businesses involved in the collection or use of personal data will have some level of regulatory obligations, but there is a particular focus on ‘data controllers’ (i.e. parties who control the collection/processing/use of the personal data) as opposed to ‘data processors’ (i.e. parties who may carry out data regulated activities but on behalf of a controller). This will change under the GDPR, where increased focus is being placed on the activities and responsibilities of data processors (see below).

(UK specific) What about Brexit?
The current position is that the UK will implement the GDPR into UK law and the UK intends to maintain a close link between UK and EU data protection law. However, it is not clear yet what impact there will be from the ongoing UK/EU Brexit negotiations, above all whether the EU will regard the UK as having a sufficiently robust regulatory system to permit easy UK/EU data transfers.


WHAT DOES THE GDPR DO?

Accountability. A new principle of ‘accountability’ requires data controllers to demonstrate (with evidence) that they comply on a technical and organisational level with the GDPR (e.g. staff training, internal audits, data protection policies, maintaining records on processing activities and data breach procedures).

Privacy by Design. Businesses must proactively consider data protection issues at an early stage as part of their core business – e.g. games developers must consider data protection matters during the game development cycle and not simply as an afterthought. This may include:
• only gathering data that your product needs for its or your business’ operation;
• conducting internal data protection impact assessments to assess the risks involved with any new proposed data processing;
• building your data storage arrangements in a way that gives you knowledge and control over what data you store and in a way that can comply with data subjects’ rights (discussed below);
• improving consent collection and recording processes; and
• giving controls and information for children and parents/guardians (discussed below).

Processing Grounds (changes to consent). EU data protection law requires data controllers to have the authority to use personal data. By far the most common authority comes from consent (e.g. asking a user to agree to a privacy policy and the user ticking a box to approve their data being processed). Under the GDPR, businesses must see if their particular form of customer consent is valid or if there is another appropriate ground available on which they can process data without the need for consent. Other potential grounds include “legitimate interest” (e.g. direct marketing communications about a game that a customer bought from you) and “performance of a contract” (e.g. responding to a player’s query via the email address with which he/she contacted you). If consent is appropriate, consent must be granular and specific rather than just an all-encompassing grant of consent. Third parties with whom data will be shared should be identified by name, and individuals’ rights are strengthened against controllers. All of this means that businesses need to think much more carefully about how they obtain authorisation to process personal data.

ePrivacy Directive/Regulation. The ePrivacy Directive (eventually to be updated by the ePrivacy Regulation) sits alongside the GDPR but focuses primarily on the use of data and privacy in relation to electronic communications, including cookies. In short, due to the stricter requirements of consent under the GDPR, it is possible that the GDPR may have indirect consequences for how user consent is validly obtained to cookies and other similar technologies.

Data Subjects’ Rights. Individuals (known here as ‘data subjects’) will have greater rights, including the right to be informed (i.e. to be provided with sufficiently detailed yet concise and understandable details of the processing at hand), the right to rectify data (i.e. to correct inaccurate/incomplete data), the right of deletion (i.e. where the data subject objects to data processing and there is no overriding legitimate interest to process) and the right to data portability (i.e. where the data subject wishes to transfer personal data from one service to another). Rectification and deletion are practically achievable but will often require considerable technical and practical arrangements to enable them. It is not yet clear what ‘portability’ would look like in a digital entertainment context.

Children. Verifiable parental consent is required for use of a child’s personal data (where consent is the processing ground). Any information addressed to a child (e.g. in-game notifications or privacy policies) must be in plain, clear language which a child could understand. There will be considerable real-world questions about how achievable this will be and how far in practice businesses will be able to go to verify parental consent.

Reporting Data Breaches. Data controllers will need to notify most data breaches to their national data protection authority, particularly if the breach is likely to result in a risk to “the rights and freedoms of individuals” (e.g. the loss of customer data which leaves them vulnerable to identity theft). Notification to the data subjects themselves is required in “high risk” situations (e.g. discrimination, reputation damage or financial loss). Data breaches include not only unauthorised access to personal data but also unauthorised disclosures, accidental losses and loss of access to data.

Processor Liability. Under the GDPR, data protection obligations are no longer just the concern of data controllers. Processors will need to, for example, implement appropriate security measures, maintain records of personal data and ensure the reliability of their staff. Processors will have greater liability if they are responsible for a breach; for example, a games developer operating a game for a publisher, or a YouTube channel operating a channel for a traditional broadcaster, will have greater responsibilities regarding personal data with which they interact, even if they do not ultimately control it.

Contract Requirements. Contracts between data controllers and data processors will now need to contain certain minimum details regarding the data processing, including details of the subject matter and duration of the data processing, the type of personal data involved, the categories of data subject involved and the obligations and rights of the controller.

International Transfers. The EU Commission will still decide which non-EEA countries have adequate levels of personal data protection to permit EU data transfers to them. If a country is not approved by the EU Commission, transfers may still be permitted on grounds of consent, but data subjects must be more explicitly informed of the risks of international data transfers than before. The GDPR also formally approves use of “binding corporate rules” (a complex system for the intra-group use, transfers and management of data), and “standard contractual clauses” remain a valid option as before.

Data Protection Officers. Under certain situations the GDPR requires appointment of a ‘Data Protection Officer’, an individual who would be responsible for overseeing a company’s data protection strategy and implementation to ensure compliance with the GDPR. Even if not strictly required, anecdotal evidence suggests a number of large digital entertainment and tech businesses are moving ahead with appointing their own DPOs.

Representatives. All non-EU organisations (whether controllers or processors) that are obliged to comply with the GDPR must nominate a ‘representative’ within the EU who will act as the first point of contact for the national data protection authorities and EU data subjects on all issues related to processing. These representatives do not need to be solely employed by the non-EU organisation and it is likely a number of businesses will begin providing outsourced representative services, but care should be taken when appointing a partner for this important and potentially sensitive role. It is not yet clear what the representative’s practical obligations will be and this may well vary by Member State.

Fines. The level of fines that can be imposed by data protection authorities will be broken down into two tiers:
• The higher of €10m or 2% of global turnover for breaches in areas such as reporting data breaches, implementing technical/organisational measures or the data controller/processor relationship; and
• The higher of €20m or 4% of global turnover for breaches in more ‘serious’ areas such as processing principles (including respecting the parameters of user consents), data subject rights or international transfers.

HOW COULD THIS APPLY TO DIGITAL ENTERTAINMENT BUSINESSES SPECIFICALLY?

Many digital entertainment businesses depend in some way on data exploitation, from analytics to community engagement to monetisation methods and optimisation. The GDPR will increase regulation of that data exploitation considerably. Here are some practical examples:

• Contracts. Data protection will need to be a core part of contracts for developers, publishers, distributors and other stakeholders (e.g. broadcast networks or MCNs). It will need to cover e.g. the purpose of data processing, who will do what and how they comply with GDPR requirements, such as international data transfers and data portability. In practice, this is already causing difficulties in the short to medium term: anecdotal evidence suggests many EU developers are not well versed in EU data protection law, but publishers, distributors and service providers are often more informed and have already been circulating data protection agreements or addenda to existing agreements and requiring them to be signed pre-GDPR.

• F2P Data More Complex to Use. We expect that mobile free to play businesses will face particular challenges in GDPR compliance given the very substantial amount of data that they collect and use. The increasingly blurred distinction between personal and non-personal data is likely to be a particular problem, particularly if post-GDPR the EU data protection authorities continue to take a sceptical stance on anonymisation. Basically, the metrics data on which many free to play games depend (such as DAU/MAU, ARPU/ARPPU and other retention and monetisation data) will continue to be vitally important, but we expect to see greater regulatory scrutiny in the future.

• Privacy by Design. This will become a core aspect of the legal/regulatory side of product development, especially video games. Again, we expect practical challenges in the short to medium term, particularly for games developers who are not used to building in legal/regulatory considerations during development. Over time, this will no longer be good enough and games development teams will have to think about the regulatory cost of using data in a game, not just the creative/business advantage.

• Privacy Policies Need to Change. The ubiquitous privacy policy (either hyperlinked or tick boxed) will no longer be the automatic way to comply with EU data protection law – digital entertainment businesses will need to establish whether there are other more appropriate grounds for processing data. Where privacy policies and consent are still good enough, they will have to be updated and expanded, including where a new use of data is significantly different from the original purpose for which the data was collected.

• Considerable Uncertainty in 2018 – 2019 and Onwards. Generally, there are several uncertainties regarding how GDPR principles will apply to digital entertainment products. For example, how will data portability work between different online games, if at all? How will non-EU games businesses without an EU base actually ensure compliance with EU data protection law? Are influencers in an MCN processors or controllers?

TEN TIPS FOR GETTING READY FOR THE GDPR

1. Data. Assess what personal data you collect, where, for what, with whom you share it and what happens to it when it is no longer needed. This can be done through a data audit/assessment.

2. Internal Processes and Training. Review the level of knowledge/training on data protection amongst your staff and assess the need for internal data protection policies and documentation.

3. Grounds of Processing. Establish which grounds you will need to use to process each type of data. Consent-based processing will need to be in line with the new GDPR standards.

4. Privacy Policies. Revisit your privacy policies and other data policies (e.g. cookie policies) to ensure they are GDPR compliant - e.g. do they set out all the information needed? Substantial changes are likely. If your product/service is aimed at children, would they be able to understand your policies, and how will you obtain and record verifiable parental consent?

5. Infrastructure. Consider whether your current systems (e.g. technical infrastructure, customer support) are ready to deal with data subjects’ requests, including where these are exercised unreasonably or erroneously. How is your infrastructure protected?

6. Existing Contracts. Review existing contracts with third parties and consider whether they are processing any data on your behalf and which contracts will need to be amended. This could cover development/publishing/licensing partners, analytics/software/service providers and even staff and contractor agreements.

7. Privacy by Design. Data protection needs to be built into business processes, especially product development, just like ensuring proper contracts and intellectual property protections are in place. Businesses should think from the outset what data they will need/not need.

8. Data Breach Strategy. Build a data breach strategy involving technical, legal and PR resources. Consider what different data breaches could occur and how these would be handled.

9. Data Protection Officer / Representative. Appoint a Data Protection Officer or local representative if required, but at minimum there should be someone in the business responsible for data protection matters.

10. International Transfers. If your business is transferring data outside the EU (even intra-group), examine whether or not you have legitimate grounds for doing this and how you might alert customers.

FAQS

We’re a games development studio with a publishing deal – who is responsible for GDPR?
For the game: it depends on the publishing contract’s terms, but usually we would expect it to be the publisher if the publisher has final say over what can and cannot be done with data collected (but remember you will still have obligations as a data processor). For your studio’s own business: you. For the publisher’s own business: the publisher.


We self-publish our software/games/content on a distribution platform (e.g. iTunes, Steam, YouTube) – who is responsible for GDPR compliance?
For data that you collect and use, e.g. if you have user newsletters or collect data via the platform: you. For data the platform collects and uses for its own purposes from the platform: the platform.

We’re an esports team and work with a number of leagues and broadcasters – who is responsible for GDPR compliance?
Regarding your day to day business operations and your own relationships with your fans: you. Regarding league events and related matters like broadcasting: it depends on your contractual relationships, but we would typically expect this to be a partner obligation. But remember you will still have obligations as a data processor.

What steps are other games industry companies currently taking?
It varies, but on the whole the major industry players (e.g. publishers, distributors, platforms) have been preparing for the GDPR – some for a long time, some quite recently. But on the whole the games industry has reacted slowly to the GDPR due to resource constraints, lack of familiarity with legal/regulatory requirements generally, but also a desire to see what happens at the higher levels of the industry first. Clearly there are risks with adopting such a ‘wait and see’ approach given that all companies technically need to be GDPR compliant as of 25 May 2018, but companies may deem these risks acceptable (at least in the short term) while market practice settles and new rules are clarified.

We only collect anonymised data – is all this relevant to me?
Yes. Businesses still need to be clear about what data they gather to ensure it is not personal data. Anonymised data and analytics and metrics data are vital for digital entertainment businesses, but thus far some data protection regulators have been sceptical about whether such data could still constitute personal data (e.g. if it is susceptible to ‘reverse-anonymisation’). The point is that businesses cannot ignore data protection law even if they are confident the data they use is probably not personal data - they have to take steps to be sure.

We gather all our data via data services providers – isn’t this their problem?
No. If they are gathering data about your users on your behalf, then you are ultimately responsible as the data controller – both for their work as well as your exploitation of their work. Of course, they will have obligations too. You will need to review your contractual obligations with them as the GDPR approaches, since our experience is that many providers have under-invested in the data protection aspects of their contractual and practical arrangements.

We have a privacy policy and cookie banner already, isn’t that enough?
No, unfortunately – that is just the starting point even under existing EU data protection law, let alone under the GDPR.

But that seems excessive, do we really have to do all that?
There is no way of getting around the fact that the GDPR is a big change, negotiated at the highest levels of the EU for some years, and it will require work to implement. Your implementation requirements depend on your business, of course.

We are a US/Asian/non-EU business but operate globally online; we regard ourselves as not subject to EU data protection law, is that OK?
In legal terms: no, the EU is clear that you will be subject to EU data protection law. In practical terms: the EU has given itself strong sanction powers, but we will have to see how they are actually deployed in practice. At the same time, EU data protection law often provides a gold standard that other countries follow, and so there are good reasons to look seriously at implementation steps even leaving aside the sanctions risk.

How do I find out more?

JAS PUREWAL Partner

PETER LEWIN Associate

+44 (0)774 760 3449 [email protected]

+44 (0) 7544 797 715 [email protected]

@gamerlaw

@LegalGamerUK

Obligatory fine print: needless to say this note is not legal advice, so please do not rely on it and always take advice specific to your facts and circumstances.
