[TO DEVS] Is SWTOR GDPR compliant?

[Angel_Inside]

As some of us maybe know, GDPR comes into effect today, on 25th of May. Since we do have EU servers and, obviously, EU players, I wonder, is SWTOR GDPR compliant or are developers gonna disable their services for EU players because they are not?

Me personally is very afraid of this possibility to happen soon enough since I mostly play on EU servers.

[kodrac]

If it wasn't you wouldn't have been able to get to this site.

[Angel_Inside]

If it wasn't you wouldn't have been able to get to this site.

 

I'm afraid, they forgot xD

[Celise]

As some of us maybe know, GDPR comes into effect today, on 25th of May. Since we do have EU servers and, obviously, EU players, I wonder, is SWTOR GDPR compliant or are developers gonna disable their services for EU players because they are not?

Me personally is very afraid of this possibility to happen soon enough since I mostly play on EU servers.

 

that is a matter you should take up with the legal department of EA honestly but i'm hopeful Eric has as easier answer on the matter.

[StormForceDax]

that is a matter you should take up with the legal department of EA honestly but i'm hopeful Eric has as easier answer on the matter.

 

BW's Legal department like any other online service or company in general within or operate within the EU should be up to-date with new rules coming in. The OP should not be overly concerned. He/she is just asking a question. However he/she should not need to take it up with them. They would have to be compliant or more accurately show they are taking steps towards it internally within there company. This would all be happening behind the scenes. You may get an Email about it if not already had one about how your information is used and if you still agree with it. I have had so many of these over the last few days/weeks to sink a battleship from various places I use online. A few sites ask now when you visit a webpage others via email.

Edited May 25, 2018 by StormForceDax

[JattaGin]

As some of us maybe know, GDPR comes into effect today, on 25th of May.

 

No. That came in effect more than 2 years ago. Yesterday was just the last day where you could still ignore it without having to fear to get sued by an internet lawyer.

[jedip_enguin]

This is literally nothing to do with the dev team

[Andryah]

Tempest in a teapot here.

 

GDPR is all about proper use limits on personal data, transparency in use of personal data and giving the owner of the data complete control, including opting out of things at any time, and protection of personal data under the law. It's main target of focus is social media sites that are running free with personal data.. like Facebook for example .. who actually earns all their revenue by collecting and repurposing your personal data "for sale" to any entity that will pay.

 

A) what evidence to you have that EA is not already complaint across all it's products?

 

B) how do you know that they have not been compliant for some time now.. given GDPR actually went live a couple years ago, with a ~2 year grace period for companies to get compliant?

 

C) In general terms... as MMOs go... SWTOR has been one of the better at protecting customer data through their various security interlocks on your account. And since this is not a social media application, it probably never had compliance issues with letting people have full control over their personal data to begin with.. unlike Facebook who for years refused to allow an account holder full control over their data, not letting them actually even delete the data.

 

Somebody woke up and read a news article somewhere on the internet this morning, me thinks.

 

Now.. as side note... the producers of Elite Dangerous apparently just yesterday updated all their privacy rules to be compliant (per the email they sent me) .... and I'm surprised it took them until the last minute given it is a UK based company. Maybe they were already complaint, and were just soothing the worried and fearful with an email broadcast.

 

Since someone is spreading fear, uncertainty, and doubt here... a few quotes about GDPR is appropriate for other readers here:

According to GDPR compliance checklist no personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data's owner. The data owner has the right to revoke this permission at any time.

 

The regulation applies if the data controller (an organisation that collects data from EU residents), or processor (an organisation that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU. Under certain circumstances[7], the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU.

 

According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."

 

The primary drivers for this statute was abuses by Google and Facebook with respect to harvesting and selling personal data without the owners permission.

Edited May 25, 2018 by Andryah

[Jerba]

Yes, Electronic Arts has made sure they comply with GDPR. They just updated their Privacy Policy today.

 

For example, section 8 changed as follows:

You can access the personal information we hold about you. To request access, send us an email at privacy_policy@ea.com headed "Subject Access Request" please contact help.ea.com. Before we process any request, we may ask you for certain personal information in order to verify your identity and we may request payment where allowed by law. Where permitted by local law, we may reject requests that are unreasonable or impractical. We will respond to your requests in a reasonable timeframe.

 

You may have additional rights under local law, including the right to request erasure or portability of personal information and the right to object to or restrict processing of information. Where applicable, you can exercise these rights by contacting help.ea.com.

 

However, this mostly refers to account information (e.g. account name, profile picture, maybe which games you own). I am curious if the in-game data would also count as personal information. That way, you'd now have the right to export all your character progress once the servers shut down, which I'd be very interested in for nostalgia.

 

According to SWTOR's EUALA, we don't have any right to our in-game data, though I'm not sure if that is legally enforceable.

You expressly acknowledge that all characters created and all objects or attributes acquired and developed during play are an integral part of the Game and strictly remain the property of EA and/or its licensors.

 

You acknowledge and agree that you have no right to any Content (including any Content generated by yourself or any other user), character/avatar, object, item or any component of the Software or Game.

Edited May 25, 2018 by Jerba

[AdornedBlood]

The primary drivers for this statute was abuses by Google and Facebook with respect to harvesting and selling personal data without the owners permission.

 

Don't forget Vodafone and Raiffeisen Bank! They want access to ALL your info, including medical history, which ( at least in my country) is restricted by law to patient/doctor. Now really, why the heck does a bank need to have my medical files? How is that any of their business?

[Andryah]

According to SWTOR's EUALA, we don't have any right to our in-game data, though I'm not sure if that is legally enforceable.

 

Correct.. because it is NOT "our" data.. it is the studios data. There is a coupling of their data to your account for the purposes of game play.. but it's not actually your data.

Edited May 25, 2018 by Andryah

[Andryah]

Don't forget Vodafone and Raiffeisen Bank! They want access to ALL your info, including medical history, which ( at least in my country) is restricted by law to patient/doctor. Now really, why the heck does a bank need to have my medical files? How is that any of their business?

 

Heh.. fair enough.. I guess we add them to the list of bastards then.

 

At least in the US.. I think we are good on medical data, since that got locked-down heavy years ago. In fact.. you cannot even stand within 10 feet of the counter at a pharmacy here now.. so as to not be able to see or overhear anything about the medications the person in front of you is picking up.

Edited May 25, 2018 by Andryah

[Jerba]

Correct.. because it is NOT "our" data.. it is the studios data. There is a coupling of their data to your account for the purposes of game play.. but it's not actually your data.

Not sure. Sandbox MMOs would probably be more affected than a themepark MMO like SWTOR. But even SWTOR does store personal data from chat logs and in-game mail. I'd argue that even how you decorated your strongholds, or the time when you completed an achievement, would be personal data.

 

It's main target of focus is social media sites that are running free with personal data.. like Facebook for example .. who actually earns all their revenue by collecting and repurposing your personal data "for sale" to any entity that will pay.

Yes, ad tech companies are the main target of the regulations (and the reason why they were implemented in the first place), but all companies that store personal data must comply with GDPR, even brick and mortar stores that have a completely offline customer loyalty program.

Edited May 25, 2018 by Jerba

[Andryah]

Not sure. Sandbox MMOs would probably be more affected than a themepark MMO like SWTOR. But even SWTOR does store personal data from chat logs and in-game mail. I'd argue that even how you decorated your strongholds, or the time when you completed an achievement, would be personal data.

 

Even chat logs are not the players.. they are the studios. Check your EULA.. the studio literally, and legally, owns everything inside the game.. including your characters. You own the right to collect and play with anything in game, but it remains owned by the studio. Basically everything you do... creates something in game.. but that something remains the sole property of the studio.

 

Yes, ad tech companies are the main target of the regulations (and the reason why they were implemented in the first place), but all companies that store personal data must comply with GDPR, even brick and mortar stores that have a completely offline customer loyalty program.

 

No disagreement. GDPR is wide ranging.. and that I believe is by design to prevent the data harvester companies from finding clever loopholes to game the system.

 

I do very much wish the US would harmonize with the EU on all of this... because the internet is not bound by borders.

Edited May 25, 2018 by Andryah

[Jerba]

Even chat logs are not the players.. they are the studios. Check your EULA.. the studio literally, and legally, owns everything inside the game.. including your characters. You own the right to collect and play with anything in game, but it remains owned by the studio. Basically everything you do... creates something in game.. but that something remains the sole property of the studio.

Yeah, I suppose so. Though I don't think that is the reason; e.g. Facebook can't just say in their ToS that all uploaded images become their property, and evade the GDPR that way.

 

I found a thread in the WoW forums where the consensus seems to be that since you cannot be identified based on your in-game character, it is not personal information. And should you divulge your real name via chat etc., then that's your free decision and it's not the developer's fault.

That makes more sense to me. Alas, it would have been nice to export our data. But if not even WoW offers that, we can't expect SWTOR to add such a feature.

Edited May 25, 2018 by Jerba

[Andryah]

Yeah, I suppose so. Though I don't think that is the reason; e.g. Facebook can't just say in their ToS that all uploaded images become their property, and evade the GDPR that way.

 

True. And Facebook would certainly try to game the laws if they could. [full disclosure: I saw Facebook for what it was (a personal data pirate, that resold everything it pirates) years ago.. and will never have a Facebook account.. no matter what Zuckerberg "promises". That guy is the biggest sleeze-bag on the internet in my view.] Facebook is a data parasite, for profit, posing as a social media provider.

 

But in an MMO... what exactly can we upload into the game, that is ours.. other then our time?

Edited May 25, 2018 by Andryah

[AdornedBlood]

True. And Facebook would certainly try to game the laws if they could. [full disclosure: I saw Facebook for what it was (a personal data pirate, that resold everything it pirates) years ago.. and will never have a Facebook account.. no matter what Zuckerberg "promises". That guy is the biggest sleeze-bag on the internet in my view.] Facebook is a data parasite, for profit, posing as a social media provider.

 

But in an MMO... what exactly can we upload into the game, that is ours.. other then our time?

 

What do they do with all that data? Most of it is just common stuff, for example " Enjoying a pizza at "X" restaurant with my wife". How does that have any value whatsoever? Sorry but i'm not into social networking, never had and never will have a Facebook account.

[StormForceDax]

True. And Facebook would certainly try to game the laws if they could. [full disclosure: I saw Facebook for what it was (a personal data pirate, that resold everything it pirates) years ago.. and will never have a Facebook account.. no matter what Zuckerberg "promises". That guy is the biggest sleeze-bag on the internet in my view.] Facebook is a data parasite, for profit, posing as a social media provider.

 

But in an MMO... what exactly can we upload into the game, that is ours.. other then our time?

 

It's not about your characters or what you upload to the game. BW would now have to watch what it does with your personal data. Such as your Name, Email address, age, gender and so on such as putting cookies on your PC which tracks which other website you go to. Now I am sure BW don't abuse personal data, it just not all other companies are as honest. it just now any company within or operate within the EU are legally bound to protect your data or ask permission first to use it. This was the issue before this rule. Most already did this anyway and as said confident that BW already did. However the amount of personal data passed on or sold on to other parties was a joke by far to many. So even with BW they have a lot of info on any player Sub, or F2P person. So this act is still relevant even to MMO's

Edited May 25, 2018 by StormForceDax

[Joonbeams]

Yes, Electronic Arts has made sure they comply with GDPR. They just updated their Privacy Policy today.

 

For example, section 8 changed as follows:

 

However, this mostly refers to account information (e.g. account name, profile picture, maybe which games you own). I am curious if the in-game data would also count as personal information. That way, you'd now have the right to export all your character progress once the servers shut down, which I'd be very interested in for nostalgia.

 

According to SWTOR's EUALA, we don't have any right to our in-game data, though I'm not sure if that is legally enforceable.

 

They have to comply. And as for that portion of the EULA - it's garbage now under GDPR, and will certainly need to be amended. One of the core principles of GDPR is that users don't waive rights to your personal data simply by signing on for a service. The key is "personal data" - data that can be used to ID you. So certainly our email addresses, IP addresses, payment info and such is clearly protected. And certainly stuff like a CM item you bought and sold is not. But things like your chats, your character names (if identifying), etc. fall into gray area that most smart companies will err on the side of caution with and treat as protected. Twitch personalities and such that play here are almost certainly protected for most things (even stuff that other players might not be).

 

That said, it's not hard to comply - many of the components are common sense, best practices anyway...

[rumpol]

What do they do with all that data? Most of it is just common stuff, for example " Enjoying a pizza at "X" restaurant with my wife". How does that have any value whatsoever? Sorry but i'm not into social networking, never had and never will have a Facebook account.

 

Targeted adverts etc. They know you like pizza, you have a wife, you go to certain restaurants. All information like that is valuable to companies.

[aerockyul]

What do they do with all that data? Most of it is just common stuff, for example " Enjoying a pizza at "X" restaurant with my wife". How does that have any value whatsoever? Sorry but i'm not into social networking, never had and never will have a Facebook account.

 

That's a fun rabbit hole to jump down....

 

It's not just social media--every single thing you do on an Internet connection (even stuff you're not doing on "the Internet" (Explorer, Safari, Firefox, etc.)) has value to corporations and governments.

 

Your physical LOCATION has value right now (and lol lol if you think turning Location Services off of your phone actually "hides" you)

[Batwer]

The GDPR is scrap. Once again how accessible he can not think further. I'm curious how many people, because of small issues get in trouble.

Well, we Germans (generally EU) are the best. We let ******** . (Do not warn me that I did not pronounce the bad word) Come to trial with 2 years. For our GDPR this is so strict that you have to make statements during the school visit. The best sixfold. I love my country. :D:D:D

[Andryah]

They have to comply. And as for that portion of the EULA - it's garbage now under GDPR, and will certainly need to be amended. One of the core principles of GDPR is that users don't waive rights to your personal data simply by signing on for a service. The key is "personal data" - data that can be used to ID you. So certainly our email addresses, IP addresses, payment info and such is clearly protected. And certainly stuff like a CM item you bought and sold is not. But things like your chats, your character names (if identifying), etc. fall into gray area that most smart companies will err on the side of caution with and treat as protected. Twitch personalities and such that play here are almost certainly protected for most things (even stuff that other players might not be).

 

That said, it's not hard to comply - many of the components are common sense, best practices anyway...

 

^^ Very well stated. With respect to in game data.. there is absolutely no reason for the studio to ever disclose that to any 3rd party.. ever. In fact.. doing so compromises the integrity of their IP to some degree. But yes... since people throw all manner of personal info in chats in game..... the studio would keep those closely held.. even though other players can and will see said info and do whatever they want with it.. which is why disclosing anything personal in game chat in an online game is foolish beyond belief.

 

This all really boils down to stopping companies from harvesting and selling your personal data to a 3rd party without your consent, as well as blocking them from using it themselves...period. I hope this new statute really puts the crimp on Facebooks revenue model ... which is 100% about taking personal data and selling it to 3rd parties... or even worse.. have APIs that allow 3rd parties to rummage through all the data.

Edited May 25, 2018 by Andryah

[kodrac]

The GDPR is scrap. Once again how accessible he can not think further. I'm curious how many people, because of small issues get in trouble.

Well, we Germans (generally EU) are the best. We let ******** . (Do not warn me that I did not pronounce the bad word) Come to trial with 2 years. For our GDPR this is so strict that you have to make statements during the school visit. The best sixfold. I love my country. :D:D:D

 

Sword in a box?

[Celise]

BW's Legal department like any other online service or company in general within or operate within the EU should be up to-date with new rules coming in. The OP should not be overly concerned. He/she is just asking a question. However he/she should not need to take it up with them. They would have to be compliant or more accurately show they are taking steps towards it internally within there company. This would all be happening behind the scenes. You may get an Email about it if not already had one about how your information is used and if you still agree with it. I have had so many of these over the last few days/weeks to sink a battleship from various places I use online. A few sites ask now when you visit a webpage others via email.

 

so far from the previous two pages and a bit, it is obviously concern enough that there is some confusion as to the GDPR and how it works on EA services. I would still strongly suggest you make inquiries around these legalisms all the same.