Ragnarok Online shuts down in Europe due to new regulations [Update: US servers blocking EU access]


Update: This story was a miscommunication in the media. It turns out that while the servers are staying up, Ragnarok Online’s North American servers are blocking IP addresses from Europe due to these regulations. The European servers will be unaffected. Thanks, Kelekelio!

One of the MMO industry’s long-time institutions is finally calling it a day in Europe.

Ragnarok Online announced this week that it is shutting down all of its servers on the continent as of May 25th. The odd part about this story is that this sunset is happening not because of declining population or revenue but because of a new law that the game’s operator was not able to circumvent. Operations in Russia and the Commonwealth of Independent States will not be affected.

The move comes because of the rollout of the European Union’s General Data Protection Regulation on May 25th, a law which addresses exporting personal data outside of the EU. WarpPortal apparently decided that it wasn’t worth the cost to upgrade storage security to meet the new regulations and chose to shut down the game instead.

Jack Pipsam

You might want to send it in by the tips section on the site so they see it.

Mark Jacobs

Hey, what’s going on with all that thunder and lightning in the distance?????

Folks, time to buckle up for a hell of a ride. It isn’t going to be pretty for any of us, players, developers, publishers. I feel sorry for our European brethren, there will be a lot of negative fallout for them. While the intention of the regulations might have been well-meaning (I can’t read minds), the enforcement provisions of the regulations are so vague & open-ended, individuals and companies who collect/process/use/etc. any PII should be very, very scared. OTOH, the penalty section (2%/4% of total revenue or 10M/20M, whichever is larger) is pretty concise. Hmm…

I don’t scare easily, and I’m scared, as is everybody who has a brain cell left in their head who works and plays on the Internet.


You’d be surprised at the amount of information floating around the Internet that is simply wrong.

Stropp

Well there’s also the issue of MMOs with servers in Europe.

Right now a player can unsubscribe to a game, wander around for a couple of months or years, decide to resubscribe and voila! Their account and characters are all intact.

If there is now a requirement to delete all PII when someone stops being a customer does that mean stopping your WoW subscription automatically deletes all characters? I can’t see gamers being happy about that.

And how does it work with FTP games when you take a break for a while? Is there a time limit as to how long data can be kept in this instance?

Brother Maynard

I feel sorry for our European brethren, there will be a lot of negative fallout for them.

No need to. The outcome is expected to be positive for the citizens.

the enforcement provisions of the regulations are so vague & open-ended, individuals and companies who collect/process/use/etc. any PII should be very, very scared.

Not if they approach data collection in a fair, open and transparent way, while keeping in mind that personal data of a person is the property of that person and not of whichever company gets its hands on it. More control to the citizens in how their personal information is treated (including harsh penalties if necessary) is definitely a step in the right direction.

FYI, the enforcement will not be as black and white as many people predict. The enforcement will be done by data protection institutions in each EU country (or countries that demonstrated equivalent provisions through the adequacy clause) and they won’t apply it as a binary ‘yes, 20 million / No, you’re fine’ decision.

For example, the UK’s ICO already explained the approach they intend to take – the 20m/4% fines will be used in case of systematic and widespread abuse where there is no indication of a will to improve. They might even decide not to fine a company at all, despite a breach of GDPR, in specific cases where the breach is limited and as a result of an incident (as opposed to negligence or even deliberate action) and where the company actively works to contain it and to improve (i.e. if you show it was an unfortunate mistake and that you learned from it, you’ll be probably fine).

And finally, for companies like yours (for micro, small and medium sized companies) the GDPR contains derogations with regards to record keeping. Again in short, if your company is smaller than 250 employees / 50m annual turnover / 43m in balance sheet, your obligations under the GDPR will be lighter.

Mark Jacobs

Unfortunately, while the UK has said that, no other member state has indicated that they will take the same approach. For example, the language you mention about 250 employees, was also an older draft of the regulations in regards to the Data Protection Officer requirement and it was pulled out, not left in, in the approved legislation. This alone adds an additional burden on anybody who collects/processes information of EU citizens.

And, I’m not sure why you think approaching the data collection in a fair, open and transparent way will protect a collector/processor. I’ve read the regulations and nowhere in them is that kind of language. While the enforcement section does talk about how the fine can be lowered/waived under certain circumstances, it is very open-ended and 100% subject to the interpretation of the seriousness of the breach and its aftermath by the member states. That’s one of the scary parts, the total lack of objective “If you do this, you will get this” language.

Now, as to control by the citizens, I have zero problem with that and I agree with it. CSE doesn’t share data, sell data, happy to delete accounts, etc., but, I don’t agree with the way the regulations were written. I think it will have an overall negative effect on the EU’s citizens, especially gamers. And I would expect other countries to take the same stance, especially if the GDPR brings in a lot of money to the EU, which could lead to companies deciding that it’s just not worth it to cover certain areas. It could also lead to some nasty international incidents.

The key is whether the GDPR is enforced in an even-handed manner across the member states and whether the harshest of penalties are reserved for the worst offenders. I’m just not a fan of possible draconian penalties that are based on regulations that are as open-ended as the GDPR. And I’m even less of a fan when they treat a mom & pop website the same way and leave the decision on how tough to be on the offenders to interpretation/mood, not objective criteria. Such things lead to abuse/bad decisions in every legal system, including the US. :)

I do hope you are right Maynard, I really do. I’d rather be known as the CEO who was pessimistic and wrong than the CEO who was optimistic and wrong. One way I just suffer some embarrassment, the other way I could be responsible for putting my studio in a position to fail, not to succeed.

Brother Maynard

Absolutely, every business is right to be prudent when changes are coming – this is no exception. But I think there are a few things here in this new legislation and in the way it will work that may actually make it easier for smaller companies.

There is a short interview with the UK ICO where she talks very briefly about sanctions and how they intend to approach them (skip to around 4:05 – 4:10).

while the UK has said that, no other member state has indicated that they will take the same approach.

This is actually one of the biggest improvements introduced by the GDPR. Previously (or until 25/5 to be more precise), data protection in the EU has been carried out with a different type of legal instrument that left the actual implementation to each EU member state. GDPR is a regulation, which directly applies across the whole EU the day it enters into force, with no additional legal acts needed in the member states (basically directives specify a common goal, but leave it to each member state to decide how they get there, while regulations specify the goal and the means and apply immediately across the EU).

Essentially, this deceptively small change in the type of the instrument will result in a uniform application of the rules across the EU.

Also, the UK ICO is part of a network of all national data protection offices in the EU – they meet regularly and try to co-ordinate their actions. With GDPR this network will be transformed into a proper EU wide DPO authority and will have to co-ordinate all their actions. So the approach described by the ICO is very unlikely to differ from other EU states.

You should also keep in mind that the maximum sanctions under GDPR have been designed with large global corporations in mind (FB, Amazon, Google, etc.). They’re not meant to serve as a new Malleus Maleficarum for a very unexpected Spanish inquisition.

I would say that the openness and deliberate vagueness of some of the text on sanctions is needed, especially in the tech sector, where things change from day to day. Take Cambridge Analytica: let’s say that CA is an SME (they could very well operate with a few dozen people). If the GDPR mentioned explicitly that for all SMEs the sanctions will be drastically lighter, there would be no way for the actual enforcement in case of system-wide serious breaches such as the recent ones. Same goes for health or any kind of sensitive data processing. Small companies may still present significant risk in this.

As for fairness, for the businesses they have the same avenues for redress as in all other public matters. ICO (and other DPOs) is a public body, they have their own code and redress procedure, followed by a ton of other ways to address any mismanagement (through ICO’s parent government department, ombudsman, courts, all the way to the EU Court of Justice).

For US companies, I would say the most straightforward approach would be to join the EU-US Privacy Shield agreement. You will have to go through a certification process, I think, but once done, you will be covered by this agreement and should be automatically covered by the adequacy decisions under the GDPR. A further advantage for you as a US company would be that you would be dealing directly with the FTC, which oversees the implementation of the Privacy Shield in the US. Here is an example of a US MMO company’s record.

Of course, it doesn’t remove the necessity to comply with the GDPR if you have EU customers, but I imagine it makes the procedure less painful and you’ll be dealing with your domestic agencies.

Brother Maynard

Sorry, forgot one more thing re other countries and the international aspect.

Actually some other countries have already brought their own legislation in line with the GDPR and more are expected to follow.

In some cases it is due to the closeness of the legal systems with those in the EU (cultural and historical reasons, for instance – like Africa and South America), trade interests (as was the case of Japan and New Zealand) or simply because they see it similarly. It may very well be that a couple of years from now, there will be only a handful of countries outside these stricter data protection rules… Much of the world moves with Europe on this.

Robert Basler

I was looking into this yesterday trying to figure out what it is about the new regulations that is forcing them to close down. Apparently they are a US based company, and the US is on the list where EU data storage is approved. Maybe it’s not having the tech to support “Right to be forgotten”? Or not storing personal data securely?

There seem to be a lot of people here knowledgeable about GDPR, what problems are game devs running into?

Brother Maynard

It’s about their willingness or capacity to implement a stricter set of rules for handling data of their EU customers.

I imagine each company will do its own cost-benefit analysis and decide based on that. If you have 5 players from the EU, you probably won’t bother. If you have millions of players, you probably will.

Mitzruti

On a tangentially related note, the archer character in the header isn’t from RO.

The hunter/sniper/ranger line all have bare midriffs (with the ranger’s top being little more than a green bra – yeah, 3rds are mostly awful).

Given the priest in blue (suggesting it’s an archbishop), I’m guessing it’s the artist doing something else, because the ranger’s outfit is just that bad.

Tiresias

As a project manager for application development, I’d like to state that the new EU privacy laws are inane and exemplary of incompetent politicians passing laws without understanding the domain spaces that laws will affect or the long-term impacts of their legislation.

For example, one part of the law requires a company to purge all PII for an employee who leaves a company, including their name, phone number, address, bank account information, etc. This is functionally impossible for many modern applications, as metadata in payroll alone will have transactional information trapped and stored for reference and auditing purposes. Note that this isn’t the payroll data itself — which is a whole other issue (imagine having to delete payroll information!) — but the data that tracks when the REAL data was input, who input it, whether it processed correctly etc., i.e. database logs and the like.

One of my clients is a large US bank that operates in Europe and they have already said that they literally cannot comply with the new laws. There are too many databases, applications, and business processes that rely on this data and they are not going to spend billions of dollars and millions of man-hours trying to figure out how to re-write those systems only to learn that it’s not possible and an entire re-structuring of the business would be necessary. They would rather just drop their EU line of business and focus on Asia and the Americas.

If you live in Europe, you had better brace yourself for much more of this.

Schmidt.Capela

It’s not that they literally can’t comply with the laws, but rather that they built all their systems on the assumption that they can indefinitely keep personal data about employees and customers without the consent of the person they are storing data about.

Or, in other words, they always disregarded privacy, and it’s now coming to bite them in the behind.

Tiresias

You are talking about companies that have to be HIPAA, FERPA and SOX compliant.

The problem is that the law is expecting companies to purge data based on arbitrary timescales, such as people leaving a company. This literally comes into conflict with other laws like auditing requirements or general business best practices like, you know, keeping historical payroll and employee data.

Keep in mind that many companies out there — mine included — go to EXTREME lengths to protect the privacy of their clients. This isn’t just about the abuse of data by bad actors; it impacts all companies (and potentially individuals!) equally, regardless of the data in question or the processes in place to protect that data.

I’m struggling to understand how working for a company is possible without providing consent to personal information. There are already laws in place about the handling of that personal information, and none of them made completely unreasonable requests like requiring companies to purge their systems of their historical business data.

Anstalt

The GDPR isn’t there to override other laws. If there is a contractual reason for storing that data then you can effectively ignore GDPR.

So, for example, my company has built a lot of ecommerce websites over the years which store a history of orders, which in turn stores names, addresses, contact numbers etc.

If a customer calls up our clients and exercises their right to be forgotten, that right does not override the legal obligation our clients have to keep a history of orders so we don’t have to delete their order history.

Same thing with employees. In the UK, businesses are required to keep a history of who they’ve employed, where they were living, when and how much they got paid. The GDPR doesn’t override that, we can still keep that history; the GDPR just means that once that legally required amount of time has passed, the ex-employee can exercise their right to be forgotten.

Tiresias

Right! But how does that impact the BUSINESS?

Most businesses don’t make a habit of purging ANY employee data ever because retention requirements and statutes of limitations for lawsuits vary from country to country. The requirements for retention in the US are different from those in the EU.

And don’t forget the requirement to purge ALL data. You know what you CANNOT do to a backup? Remove data from it! So when the former employee exercises their right to be forgotten, what happens to your last 6 months of backups that have their information stored in them? According to GDPR, the data in those stores has to go, but you can’t remove that data without breaking the stores, but you NEED those backups in case something goes wrong!

Like I’ve been saying, I don’t think you fully understand the ramifications of this law at a technical level.

Stropp

This raises the question as to why law enforcement didn’t object to this part of the law.

If all identifying records are erased when an employee leaves, what happens if the police need to build up a history for a suspect?

Some people will effectively become invisible.

Brother Maynard

Right! But how does that impact the BUSINESS?

The purpose of the GDPR is to protect citizens’ fundamental rights. Business interests – while legitimate – are secondary in this case.

Most businesses don’t make a habit of purging ANY employee data

What do habits of a company have to do with how new legislation meant to help the citizens is designed?

Change the habits.

If there is an overriding interest / legal requirement, as mentioned by Alex a couple of posts above, the GDPR provides for exceptions.

And don’t forget the requirement to purge ALL data.

I assume you refer to the requirement to erase personal data that is no longer relevant, e.g. a long time after your employee has left?

If so, then again, there are derogations in the GDPR which give you an option to continue processing personal data if required (by law, for example). If it’s no longer required, though, you have absolutely no business keeping the data that does not belong to you.

This specific measure was also mandatory when preparing the regulation, as per the 2014 decision of the EU’s top court.

Leiloni

But there are some laws that require you to keep PII in order to comply with them to begin with…

Tanek

I’ve said it for the lawmakers here in the US and I guess maybe it should apply to EU as well. No one in politics should be allowed to vote on a technology law unless they can pass a test showing they understand at least the basic implications of it.

Angerina

It’s about personal privacy rights, not technology itself. Programs are changeable.

Leiloni

Spoken like someone who doesn’t have a grasp of the reality of a situation. Ideas are nice, but what’s practically possible once you dive into the details of something like this is another thing entirely.

Anstalt

A fundamental paradigm shift like the GDPR is always going to be painful though, regardless of whether you understand the cost implications or not. And yeah, it sucks; whilst I don’t have to work with massive applications, my company is in the process of trying to make approximately 1500 websites compliant at the moment and it’s a ballache.

Admittedly, it would have been better if we’d have had this legislation 15 years ago rather than now, but it’s better that we have it now instead of in another 15 years.

Tiresias

If we had this legislation 15 years ago, EU would simply not be able to do things they take for granted right now.

For example: transfer money from an EU bank account to a US bank account using online services. No developer I’ve spoken to has been able to figure out how to make that work within the bounds of GDPR while staying within US regulatory requirements.

Brother Maynard

For example: transfer money from an EU bank account to a US bank account using online services.

The GDPR very clearly provides for exceptions. There are legitimate reasons for them.

Also, SWIFT is based in Belgium and as such will automatically have to comply with the GDPR (and again, will be exempt if necessary, in justified cases). You’re not suggesting the whole inter-bank transfer system will stop because of GDPR, are you? If it’s just a few US banks, it’s simply their decision – don’t blame GDPR for it, other banks manage fine…

Brother Maynard

There are actually quite a few very tech savvy members of the European Parliament, you’d be surprised…

This specific piece of legislation was proposed in 2012 and was open to all kinds of public consultations (including tech companies) until its adoption four years later. It’s not like some distant emperor with no clue about the real world waved a hand and said ‘this is our will, let it be so!’.

thirtymil

While you have my sympathies as a project manager, I don’t have a lot of sympathy for any company that comes up with this kind of reasoning. I worked as an IT project manager for 15 years for a number of FTSE 100 financial services companies, and in my experience any IT system can be rewritten or replaced – it’s all a matter of cost. If your US Bank has determined that it’s too expensive to update their systems, then either their systems are archaic to the point of needing rewriting anyway, or their business is doing very badly in Europe.

Tiresias

If you truly believe this, you must not have much experience with integrated applications development.

Changing one application can have a cascading effect to every application that is dependent on it. Removing data from a database can also have a cascading effect.

Sometimes things aren’t “just a matter of cost”. It’s kind of like saying “cracking 2048 bit encryption is just a matter of time”.

thirtymil

No, your assumption is incorrect – I’ve got plenty of experience with integrated applications development, also legacy systems, unified database views across applications, and so on. Financial services companies typically (in my experience) have systems from all different eras that they only replace when forced to, and they will engineer them to work together by any means necessary.

I’m prepared to bet that for your US bank it is actually ‘just a matter of cost’. Banks are in the business of making money and they will go with whichever route makes them the most money or costs them the least. If they’re talking of shutting down their European operations then their systems simply cost too much to upgrade compared to how much their operations are making them.

Leiloni

It is simply not that easy in a large company to merely upgrade one application. We have programs here that are ancient and just dumb to work with, because upgrading wouldn’t be worth the trouble. Most of the upgrading we’ve done the past several years has been out of necessity because outside forces gave us no other choice.

Armsman

You must be a project manager that’s hopped between companies with zero legacy systems, or not many transactions, because to think you can comply with something of this scope in a month… wow.

(Working IT since 1983 – and yeah, the implications are nightmarish for any large entity to be able to comply by 5/25/18).

thirtymil

I’ve worked with companies that have everything as far back as AS400s and mainframes, still running alongside Java systems. As a general rule I don’t hop between companies.

And yes, completing anything like this in less than a month would be impossible. But I’ve just checked the ICO website docs and the details appear to have been available for over a year…? The companies I’ve worked at all have the capability to turn big multiple-system projects and programmes around in less than 12 months.

Leiloni

I work for a large, international law firm and I work with one of the internal databases affected by this, so I’m knee deep in this poo trying to figure out how we’re going to handle our piece of this so I agree that it’s just insane. Unfortunately for us, we can’t just say ef that s and ignore the laws, because nobody will hire a law firm that can’t comply with the laws itself. Especially one with several EU offices. The amount of people here working on some aspect of this is mind boggling. We have attorneys working on agreements with our EU clients because without such agreements in place prior to May 25th, they can’t even email their own clients to do business. FFS. So yea, people are going to begin to understand, even if just a bit, how widespread, complex, and insane this law is come May 25.

Tiresias

Best of luck to you! Projects of this nature are my #2 request right now (behind the ever-popular operations automation), and I’m largely punting on them. I’ve told most of my clients to simply house all EU data entirely in EU datacenters and bunker down until we see what the audits actually shape up to be.

This isn’t possible for all of my clients, of course.

Brother Maynard

We have attorneys working on agreements with our EU clients because without such agreements in place prior to May 25th, they can’t even email their own clients to do business.

If this is what your attorneys told you to do, I would probably start looking for new attorneys.

You sign up to the EU – US Privacy Shield agreement and you won’t have to sign any individual contracts or agreements.

As a US company (I assume), you’ll probably want to have a look here.

Brother Maynard

The GDPR adoption was widely welcomed in the EU, especially by citizens and consumer advocacy groups. It is definitely a step in the right direction.

I understand that after 30 years of a complete wild west bonanza where companies were doing whatever they wanted with their customers’ data, it is difficult to change the mindset.

However, it’s good that we finally see a strong legal framework that has at its heart the privacy by design principle.

In the end, this is not a tech issue – it’s a political one. While some companies that are not prepared will have it difficult, this regulation is designed to give the citizens more power and control over their own personal data.

Tiresias

You know what they say about the road to hell being paved with good intentions? The GDPR could be used as the exemplar of that cliche.

The law literally asks for things that are not possible within the framework of technology as it stands today. This wouldn’t be an issue if implementation was years or even a decade out, but it’s not. As such, you are going to see more companies doing the same thing that RO is doing and simply pulling out of the market.

Anyway, your entire viewpoint seems to be slanted by a lack of accurate information. Things haven’t been a “wild west bonanza” for 30 years; laws such as HIPAA and FERPA, SOX standards, and their analogs in the AU, AUS, Japan, etc. do exist and already provided strict standards for control of sensitive data. Expanded laws patterned after those already-existing standards would have worked just fine, but the GDPR takes a very scorched-earth approach to many aspects of privacy, demanding the deletion of critical line-of-business data on demand, such as employee records, financial records, etc.

In short, nobody should have the “right to be forgotten” when they have entered into an employment agreement or business agreement with an individual or a company. Those business entities need a way to retain historical data for analysis, auditing, and business planning purposes. Limitations on how such data can be shared, sold, or used make sense, but the GDPR’s approach is but ignorant and inane.

Brother Maynard

The law literally asks for things that are not possible within the framework of technology as it stands today. This wouldn’t be an issue if implementation was years or even a decade out, but it’s not.

You do realise that the GDPR legislative proposal was introduced six years ago, don’t you? After which it was open for four years for public consultations (and was also discussed by the EU institutions)…? After which there were two whole years of transitional period for even the less responsive companies to take notice…? And that it was all happening in a very sensitive area of very high political importance and not some obscure technicality that nobody cares about…?

In short, nobody should have the “right to be forgotten”

In the EU yes, everybody has the right to be forgotten, under certain limitations (such as other legal requirements, among other reasons). The so-called ‘right to be forgotten’ stems from a 2014 decision of the top EU court. This cannot be avoided in the EU.

Edit: just to clarify this bit. Even with the ‘right to be forgotten’ in force, each request can be denied in justified cases and companies can fight such requests in court, if necessary. Google receives millions of these requests and has successfully fought off many of them for legitimate reasons.

do exist and already provided strict standards for control of sensitive data.

I don’t argue their existence – I do argue their relevance to data protection of regular citizens (Sarbanes-Oxley is specifically aimed at companies and their accounting transparency, following the Enron scandal, if my memory serves and as such has virtually no relevance to the discussion of the protection of citizens’ data). I also do argue their effectiveness or even the willingness to use them to protect the private lives of ordinary people. Excuse me for a moment while I refresh my memory with all the Cambridge Analyticas, Facebooks, Yahoos, Equifaxes and so on… I’m sure they follow their clients’ data interests religiously.

Tiresias

The law has changed and shifted over and over again. No company is going to expend real-world man-hours and money to hit a rapidly moving target that might not even pass into law.

My point was not that SOX is a great privacy law, it’s that it provides a framework for handling data in a reasonable manner that new laws could be structured around. It’s utterly ridiculous that organizations have to spend time and money attempting to purge all data of someone on demand (spoiler alert: not possible, and even the regulators know this) or respond to thousands of requests daily.

The onus should not be on the data holder but on the data provider to show why the data should be destroyed. The person who volunteered the data should be held responsible for it.

Allow me to say that I’m not that sympathetic to the people swept up in the Cambridge Analytica issue. I read the user agreement for Facebook, realized that they are well within their rights to do what they did because of said agreement, and never created an account.

Anstalt

If companies are shutting down due to GDPR, or closing off services due to GDPR, it means they were doing some shady stuff with your personal data in the first place and so you’re probably better off in the long run.

Tiresias

That’s an utterly ridiculous statement that demonstrates a complete lack of understanding of the legislation.

Anstalt

I work in IT in the UK and have been working with my clients over the last 6 months to make them compliant with the GDPR.

If all you’re doing is using the personal data of your customers in order to provide them with your service, there is very little you need to do to become compliant. You need to pay closer attention to where the personal data is stored, so that it is secure, but if an MMO (or any business) isn’t securing my personal data in the first place then they were already setting themselves up for a fall.

It’s when businesses are using personal data for reasons other than providing their service that the problems begin. So, selling personal data is a big no-no and from what I can tell, that’s what this company has been doing. But it also extends to unsolicited marketing and other “common” activities that have plagued us for years.

Whilst the GDPR is definitely making my life harder (e.g. anonymising databases when working on a local copy of a website is a bit of a ballache), it is a very good bit of legislation. We’ve all had 2 years to prepare for this and companies should want to comply with it and we as customers should want businesses to be compliant.

If a company doesn’t want to be compliant, it means they want to use my data for things I won’t approve of. If the cost for becoming compliant is really that high, it definitely means that their existing uses and storage of my data is already something I would not approve of.

Reader
Tiresias

…Did you miss the part where any data being kept on servers outside of the EU needs to be utterly purged when a client or employee severs their relationship with your business?

That’s something that SOUNDS reasonable until you realize that it’s basically impossible in this day and age of the internet.

For example, how do you handle online banking transactions where the former client wired money to someone in America? Are you expected to wipe all non-EU servers, databases, applications, etc. of that historical data?

What about an Australian company hiring people for an office in the EU? When the employee leaves, is the AU-based company expected to purge their AU-hosted servers of all payroll data?

What about all that metadata that is flying around out there? A lot of it has PII, but tracking it all down is nearly impossible and purging it will literally break some systems (such as the transaction logs in database backup systems).

And this is just ONE aspect of the law! It’s the one I’ve been asked to solve the most recently, but — again — I don’t have any elegant solutions so I’ve largely been punting on it. I have massive, multi-national corporations with access to some of the best developers on the planet who are just shaking their heads and shrugging their shoulders at the challenge.

This isn’t just about bad actors, as I keep reiterating. I am working with companies that are going to extreme lengths to protect their data and literally not allowed to share that data because of HIPAA, FERPA, SOX, etc. requirements.

Reader
Anstalt

Admittedly, yes, I was unaware of that ruling.

I work in the UK and all of our servers are based in England so that particular detail is something we’ve luckily not had to deal with!

I wouldn’t have thought the GDPR would overrule laws that require you to keep a history of that sort of thing? Certainly in the UK, the GDPR doesn’t overrule the tons of financial laws requiring us to keep this sort of history.

Reader
Tiresias

The law has a requirement that allows someone to request immediate removal of any data not stored on a server located within an EU-based organization. It allows this clause to be enacted at ANY time, so a customer can give consent up-front and then revoke it later on, possibly creating an unsolvable problem for the business.

Reader
Morgan Feldon

This is also going to make it hell for site administrators to stop bullying if we are required to remove all history and identifying information about banned users. They absolutely DID NOT THINK THIS LAW THROUGH.

Reader
Robert Mann

The EU has this, which technically over-rules everything as written. However, the idea that they will actually get anywhere seeking legal issue on foreign companies that don’t have EU based offices is just laughable. They might try, but given how international law has zero real bite to it…

Reader
Brother Maynard

The EU has this, which technically over-rules everything as written.

No, you’re wrong. Read section 5, article 23.

Reader
Brother Maynard

You wouldn’t have thought correctly (does this sentence of mine even make sense?)

The EU and the member states may restrict the application of the GDPR (section 5, article 23 – Restrictions).

Reader
Brother Maynard

If a company doesn’t want to be compliant

Well, it could also mean they think it’s just not worth the effort / money…

Reader
Morgan Feldon

Go read the law before commenting. It’s unconscionable.

Reader
Brother Maynard

I have read it many times. Is it perfect? Hell, no. But it’s a clear improvement over the law of the jungle that has been here for decades and unquestionably a win for the protection of citizens’ rights.

Reader
Kickstarter Donor
Darthbawl

The EU: doing what is best for the interests of the citizens of Europe.

/s

Reader
Robert Mann

Called it with GDPR. It’s going to spread, as more and more businesses realize the fines for any minor issue are so much more than the profit to be had. I feel sorry for the people in the EU who want to play… this may actually be WORSE than Russia’s control move.

Reader
Brother Maynard

the fines for any minor issue are so much more than the profit to be had

That’s simply not true and is nothing more than scaremongering. See above.

I feel sorry for the people in the EU who want to play

Again, GDPR is first and foremost about the protection of the fundamental rights and freedoms of the EU citizens. Servers shutting down and players unable to get into their MMOs is not even a secondary issue in this debate, it’s far at the end of the concerns that the GDPR addresses.

If you think that people in the EU will be fine with the continuing abuse of their rights and freedoms so that some of them can play (play, for crying out loud!) then you have a very strange sense of priorities…

Reader
Robert Mann

Oh, I’m all for some work on making the internet more responsible… but this seems like a terrible way to do it, regardless of whether the servers aren’t actually shutting down on this particular game (others already have vacated, some content simply is no longer available at all as people in the EU have quit providing out of fear of this.)

Yeah, government talks it up all pretty, but in the end this doesn’t work. People will stop using something that is so punishing, and has so much legal grey area. The objective stated isn’t bad… the means are.

Reader
Brother Maynard

Well, we have one more month before it begins – I think it will be very interesting to watch!

Reader
Kickstarter Donor
Loyal Patron
Jack Pipsam

I’ve come across a couple of smaller websites already having to buckle under this new EU thingy. But hopefully in the long term it’ll all work out, but I’m calling chaos until it settles.

Reader
Morgan Feldon

The law is unfollowable by all but massive corporations with deep pockets that can absorb the compliance costs. You will see MANY small forum communities and games just close altogether.

Reader
Kickstarter Donor
Loyal Patron
Jack Pipsam

It was a fandom/community based site as well.

Reader
Brother Maynard

Have you even read it? There are important derogations in the text for the micro, small and medium sized companies.

Or are you just repeating random sensationalist internet comments?

Reader
Zen Dadaist

Well, it’s not like they didn’t know this was coming…

Reader
Morgan Feldon

I think a lot of companies were hoping for sanity to prevail and the law to be overturned.