An EVE Online corporation has been hit with a GDPR request from an ex-member

Disgruntled ex-guildie effectively invents new way to grief in EVE

    

We often talk about how EVE Online can sometimes mirror the real world in startling detail, with its complex politics, global power struggles, and player-run economy. What we didn’t expect was that in-game corporations would be dealing with legal red tape as a result of the 2018 European General Data Protection Regulation just as many real life companies did. That’s the situation one EVE corp finds itself in today as it’s received Right of Access and Right to Erasure requests under Article 17 of the GDPR legislation from an ex-member.

According to the post on Reddit, the corp in question was blindsided by the request just as many real-life businesses were when the law came into effect last year, and it isn’t sure how to proceed or whether it even legally must do anything. The most hilarious part of this issue is that it does actually look like the corp may have to deal with it, as the request pertains to personally identifiable information stored on its corp/guild website. But the corp is based in Canada, and the site is hosted in the US, so can it just ignore the request? Bear with me, because this is going to get complicated.

Can he just ignore the request?

Just as with most real-life cases involving GDPR, nobody seems to agree on how it needs to be implemented. Some are telling the user that his activity is exempt under a clause that permits personal use (for example, social media accounts), but this doesn’t seem to apply as he’s actually running the website rather than just having an account on one. Others have told him he can ignore it as GDPR is only for corporations, but this doesn’t seem to be a clear case either. The legislation seems broad enough to apply equally to small groups and individuals, whether or not they make a profit.

Many people have told him that he can ignore it because EU laws don’t apply in Canada, but that’s not a clear case with GDPR either. The UK’s GDPR enforcement agency (ICO) enacted its first enforcement against a Canadian company in September when it hit AggregateIQ for processing personal data of people in the EU for political campaigning without their consent. AggregateIQ tried to pull the “EU laws don’t apply in Canada” card and claimed the ICO had no jurisdiction over it, but it later complied with the ICO’s request to stop processing data from people in the UK. This was seen as a successful test case of foreign enforcement of GDPR.

What should the EVE corp do?

The EVE corporation’s website would likely be classified as a free service that is being directed to people both inside and outside the EU, potentially making the website owner a Data Controller for the personal information of those signing up from within the EU. This role is described in the GDPR legislation and carries certain obligations, such as responding to Right of Access and Right of Erasure requests and granting them where appropriate. If the individual has left the corp and severed ties, he or she does appear to have a right to request erasure under Article 17 for either or both of the following qualifying reasons:

  • The personal data are no longer necessary for the purpose they were originally collected or processed for.
  • The group is relying on consent as its lawful basis for holding the data, and the individual withdraws his or her consent.

So what should the corporation actually do? It could simply ignore the request and hope that the individual involved isn’t going to escalate it to his or her country’s GDPR enforcement agency, or hope that that agency wouldn’t be bothered to help the user. It’s unlikely that something this trivial would ever be pursued the way that the AggregateIQ case was, and if the former guildie does choose to follow it up, this would likely just take the form of contacting the website owner to advise on how to easily comply. On the other hand, the corp could also reasonably comply with the request right now by removing or scrambling any personally identifiable information of the user in its database, such as real names and email addresses.

Do note, I am not a lawyer and this post does not constitute legal advice. Don’t follow my advice. In fact, pretend I’m a crazy person yelling through your window about GDPR.

Source: Reddit, Reddit

Reader
Claus Vinther Larsen

Seen a few comments regarding legal jurisdiction so I thought I’d weigh in with my findings regarding GDPR (through my current position).

GDPR does not apply to general services where EU citizens are not targeted.
A company would be found to target EU citizens if they had an .eu website, an eu office, or offered their products on their website in EURO or another European currency.

You could run a cat site, discussion forum or eve corporation, welcoming players from all over the world without being affected by GDPR, however…

… if you market your website, corporation, entity as being for EU citizens (e.g. EU timezone), one could argue that you are targeting EU citizens and thus would be subject to comply with GDPR.

Storing data on EU citizens without their consent is actually one of the factors that could send you to the larger fine bracket of up to 20 million EURO, however, let’s be realistic, that’s not very likely to happen in this case unless the data was sold or otherwise abused.

It does however, in my best opinion (should the corporation have targeted EU players), actually make them subject to GDPR and thus giving the player the right to submit a Subject Access Request and be informed on all data they hold on him, as well as enabling him to exercise his right to erasure.

As far as I know sports clubs are considered subject to GDPR, so why shouldn’t a gaming club?

Disclaimer: I’m not a lawyer, these are the rules as I read, know and understand them.

Reader
Armsman

It’s a GAME – said ‘Corporation’ doesn’t exist IRL. Why isn’t this even a debate?

[IE the EVE Universe is a fantasy set tens of thousands of years in the future and NOT REAL!]

Reader
Kevin McCaughey

What a mess. Glad I am not having to sort this one out! Must be a real royal PITA for the guy/gal running the corp.

Reader
Rany Ith

Waiting for eve to die.. This game is waste of time n money..

Reader
Dym Sohin

not to sound condescending, but.. so is 99% of all the other games

Reader
Kevin McCaughey

I think it will continue even longer than EQ1.

Reader
startrekforum

Only the big companies can evade GDPR data subject requests. Amazon.com has been ignoring mine for more than 6 months, and not even my lawyer was able to achieve anything…

Reader
MilitiaMasterV

pretend I’m a crazy person yelling through your window

I already pretty much imagine most people on the internet this way. But thanks for the laugh.

Reader
Tobi Fronk

Pretty sure Texas Law applies here.

Reader
Aelzen

Honestly doesn’t seem too hard to conform to. Run screen cap software and X out any identifying info from the user’s profile, or delete it, and send the video over.

Any claim that kill board references need to go can be ignored (as everything that comes out of the eve api is the property of CCP, and they’ve got themselves covered on this).

Anything claiming beyond the direct scope of what the gdpr applies to can be ignored, too. It’s literally a 5 minute job to deal with. Then, if he don’t like it, let’s see how invested this guy is on following up. It’s likely just a template letter sent out from the law firm.

The site owner could ask for proof that this person is the owner of said data, too. It’s probably best to anyway. You can’t just accept that some random is the actual owner of said information, it could be anyone making the request. So asking for verification is an entirely legitimate request.

Reader
silverlock

Even if it wanted to how would the EU go about punishing a private Canadian citizen anyway? I doubt the law was ever intended to be used against private people and their circle of friends.

Reader
Schmidt.Capela

It probably can be escalated to the hosting company that handles the web server, which would make it tricky for said company to do any business in Europe; in such a situation I believe the hosting company would rather drop the site for the non-compliant EVE corporation than face the threat of loss of EU business.

Also, isn’t California and a couple other US states contemplating enacting GDPR-style laws? This could make the hosting company directly liable if it’s based on any such state.

Reader
semugh

if you do business in EU, GDPR applies even if you’re from Uranus not just from Canada.

Reader
Utakata

…how about if you’re from Azeroth? O.o

Reader
silverlock

You had the time to comment but not to read the article?