Mentioned in this article Games: Dota 2, League of Legends

In this series of articles on the potential impacts of the EU General Data Protection Regulation (the “GDPR”) on the esports industry, the first installment addressed obtaining consent from data subjects (“Data Subjects”). This second installment addresses the GDPR’s requirements relating to the processing of personal data.

The GDPR broadly defines “processing” as any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, including collection, recording, organization, storage, and use. As a result, covered “processing” necessarily occurs when gamers are playing, buying, and even discussing games, as long as any personal data is being processed by data collectors during or in connection with any such activity (the “Data Collectors”).

Personal data includes any information relating to a Data Subject, including the Data Subject’s name, identification number, location data, IP address. Moreover, the GDPR protects factors specific to the physical, physiological and mental identity of the Data Subject. Ultimately, this means that anything and everything that is personally linked to any Data Subject is protected under the GDPR.

The inclusion of these factors is especially important in the context of esports, given the industry’s historical use of telemetrics to improve the gaming experience—telemetrics being the analysis of recorded data sets. In the context of the gaming industry, these data sets are collected from the moment a player logs into to the game, until they log out. When organized and analyzed properly, these data sets provide invaluable insight into Data Subjects, which can result in enhanced gameplay for gamers and greater profits for gaming companies.

Companies such as DotaBuff, a website that collects gameplay statistics for Dota 2 , collect and process millions of data sets from all over the EU and the world. Users can view stats from personal match history, their record with particular characters, and what items they tend to buy. These data sets have allowed esports analysts to track an esports player’s KDA (kills-deaths-assists) similar to a basketball player’s PER (player efficiency rating). As esports metrics grow in popularity so will the amount of data that is processed in order to provide those metrics. Consequently, Data Collectors will have to ensure that they have the proper policies and procedures in place to ensure that their activities comply with the GDPR.

Pursuant to Article 5 of the GDPR, personal data must be (1) processed lawfully, fairly, and in a transparent manner; (2) collected for specified, explicit, and legitimate purposes; and (3) limited to what is necessary in relation to the purpose for which it is processed. The GDPR requires Data Collectors to be more transparent about what information they are collecting, why they are collecting it, and how they are using it. To that end, at the time personal data is collected, Data Collectors should consider and address the following requirements of the GDPR:

Identity and Contact Details of the Processor. Data Collectors are required to provide their identity and contact details as well as the contact details for their representatives and, to the extent applicable, their data protection officers.

Lawful Basis. Data Collectors are required to have a “lawful” basis for all data processing. This can include, but is not limited to, situations where (i) the Data Subject has consented to the processing or (ii) the Data Collector has a legitimate interest in processing personal data that is not outweighed by the interests of the Data Subject. When relying on the latter as the basis for processing, Data Collectors must be able to show (a) there is a legitimate interest, (b) the processing is necessary to achieve it, and (c) such interest outweighs the Data Subject’s interests, rights and freedoms.

Intended Purpose of Processing. In addition to providing the lawful basis for collecting the personal data, Data Collectors are required to state explicitly the specific purpose for which the personal data is being collected. With limited exceptions, Data Collectors can only process the data for the stated purpose. However, Data Collectors can process the data for another purpose provided that it is compatible with the original purpose.

Adequate, Relevant, and Limited Data. Data Collectors should only collect personal data that is adequate, relevant, and limited to achieving the intended purpose of the processing. Provided it complies with applicable law and data retention policies, Data Collectors should delete any personal data that is no longer necessary to perform the intended purpose.

Storage Period for the Data. While the GDPR does not provide specific lengths of time, the European Commission’s position is that Data Collectors should store personal data for the shortest time possible and establish time limits to erase or review the data stored.

Limitation on Data Transfers Outside the EU. The GDPR restricts the transfers of personal data outside of the EU, particularly to regions where the European Commission has deemed to have inadequate data protection. So far, the European Commission has recognized 12 countries, including the United States, as providing adequate protection.

Notification of Data Breaches. Within 72 hours of becoming aware of a personal data breach, a Data Collector must report the breach to the applicable regulatory authority (e.g. the Commission for Personal Data Protection in the Czech Republic or the National Authority for Data Protection and Freedom of Information in Hungary. In the event a Data Collector does not report a personal data breach within 72 hours, it must provide the reasons for the delay in reporting. The notification must include (i) a description of the nature of the breach (including the approximate number of Data Subject and personal data records affected), (ii) the name and contact details of the data protection officer or other Data Collector representative, (iii) a description of the likely consequences of the breach, and (iv) a description of the corrective measures taken or proposed to be taken by the Data Collector to address the breach and to mitigate any possible adverse effects.

Due to the broad range of activities covered by the GDPR and the GDPR’s extensive requirements, Data Collectors must update their policies and procedures to: (i) address the basis and purpose for which they are collecting and processing data, (ii) determine what data is relevant to achieve such purpose, (iii) define appropriate storage periods for such data, (iv) establish procedures to address Data Subjects’ rights, (v) limit the transfer of such data outside the EU, and (vi) establish a mechanism to report data breaches.

Given the millions of data sets transmitted from gamers throughout the EU, the esports industry is particularly vulnerable to the GDPR. For example, Riot Games’ collection of performance data for League of Legends and negative player behavior to enforce its “Summoner’s Code” subjects it and other game developers engaging in similar behavior to the requirements of the GDPR. Ultimately, because of the data sets being collected and processed, the GDPR naturally extends beyond the game developers to others in the esports industry, including streaming sites, gambling sites (such as Unikrn), and coaches.

The third installment of this series will discuss the global impact that the GDPR will have as countries outside of the EU have adopted or are considering adopting their own versions of the GDPR.

Raymond K. Luk, Jr. is a business lawyer with Foley & Lardner LLP and a member of the firm’s Sports Industry Team.