
SWTOR and the GDPR (law-related SWTOR question)


Jaetyln


Hi guys,

 

I was wondering how in-game SWTOR content would relate to the GDPR (General Data Protection Regulation). We all know IP address and names are classified as 'personal data', but what about in-game content?

 

Like:

- Cartel Market purchases

- Story choices

- Friend lists

- Chat logs

- Characters created by you

 

Would this classify as 'personal data' under Article 4 (1) GDPR?

 

(I literally have no other place to ask this so I come begging to any law peeps here before I fully reject this notion and write a thesis about something else.)

 

:ph_thank_you:

Link to comment
Share on other sites

The general 'rule of thumb' with all online games is: You Own Nothing. Everything in game is the property of the game owner (EA/Bioware in this case) and you just have permission to play with it (which can be revoked at any time).
Link to comment
Share on other sites

Disclaimer: I'm not any kind of lawyer, nor do I play one on TV.

I was wondering how in-game SWTOR content would relate to the GDPR (General Data Protection Regulation). We all know IP address and names are classified as 'personal data', but what about in-game content?

Anyone who "knows" that about IP addresses is wrong. At the very best, it's a combination of the IP address and the specific time, but even then, it doesn't identify that ===> person.

 

Why not? Let's break it down into two parts, the question of it being the combination rather than the address by itself, and the question of it identifying a specific person.

 

1. Combination vs just the address.

 

It *should* be common knowledge that your "public"(1) IP address is not fixed. If you go to Starbucks and use their WiFi, the Internet sees you as coming from Starbucks's IP address, not your home's address. But even if you only use the Internet from home, your IP address isn't fixed. If your router has an outage of some kind, there's a good chance that you'll get a different IP address when it comes back. (And if someone else also had an outage, that person might get the address you were previously using...)

 

Conclusion: the address by itself is insufficient to identify you, and the moment you were using it is of critical importance.

 

2. Not personally-identifying information.

 

Even if we take the combination of which address and when you were using it, that is not enough information to identify *you*. The router in your home network has *one* public IP address, and you and the people in your home share it. In a college dorm, you may find that the whole building shares a public IP address. Some ISPs use a nasty, nasty thing called "Carrier-grade NAT", under which you share your public IP address with a random selection of other users of the same ISP.

 

And "personal data" isn't really the interesting part anyway. The key thing is what's called "personally-identifying information" - stuff that can be used to identify some blob of data as being about *you*.

 

(1) The 192.168.X.Y address that your router gives you is a private address, translated to a public address by your router as data leaves your network and goes onto the Internet. Note that IPv6 changes that more than somewhat - you have one address (beginning "FE80::") that's only useful for talking to other computers in the same physical network as you, and one (beginning, normally, with 2001 or 2A01 or something like that, definitely a 2 at the front) which is a public address right on your computer, shared only with other people using your computer at different times. But even there, it identifies the computer rather than the person, and must be combined with the time and date to resolve it down to a person.

Like:

- Cartel Market purchases

- Story choices

- Friend lists

- Chat logs

- Characters created by you

 

Would this classify as 'personal data' under Article 4 (1) GDPR?

* CM purchases themselves, probably not, since "bought a Meirm Frog speeder" isn't remotely specific to a single person. Purchases of Cartel *Coins* probably are because of the money transaction thing.

* Story choices are far too limited and patterned to be useful for identifying information.

* Friend lists might be, perhaps. Ignore lists even more so, now that they are whole-legacy.

* Chat logs, sure. It's your actual words.

* The characters themselves, hard to say, but even their names aren't *automatically* PII.

(I literally have no other place to ask this so I come begging to any law peeps here before I fully reject this notion and write a thesis about something else.)

Probably should have opened with the reason for the question.

Link to comment
Share on other sites
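
The address-sharing and reassignment mechanics described in the post above, as an added example that is not part of the original thread: it resolves an IP address to candidate accounts with and without a timestamp. The session records, account names and the clock-skew parameter are constructed assumptions (the addresses come from documentation ranges); the skew handling goes slightly beyond the post to show why timestamp precision matters.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed session records: (account, public IP, session start, session end).
SESSIONS = [
    ("alice", "203.0.113.7",   "2024-03-01 18:00", "2024-03-01 23:00"),  # home router
    ("bob",   "203.0.113.7",   "2024-03-01 19:30", "2024-03-01 22:00"),  # same household, same NAT
    ("carol", "203.0.113.7",   "2024-03-03 09:00", "2024-03-03 12:00"),  # address reassigned by the ISP
    ("alice", "198.51.100.20", "2024-03-02 08:00", "2024-03-02 09:00"),  # cafe Wi-Fi
    ("dave",  "198.51.100.20", "2024-03-02 08:30", "2024-03-02 10:00"),  # cafe Wi-Fi
]


def _ts(text):
    return datetime.strptime(text, FMT)


def accounts_for_ip(ip):
    """Every account ever seen behind this address, ignoring time."""
    return sorted({acct for acct, addr, _, _ in SESSIONS if addr == ip})


def candidates(ip, when, skew_minutes=0):
    """Accounts whose session behind `ip` covers `when`, allowing for clock skew."""
    t, skew = _ts(when), timedelta(minutes=skew_minutes)
    return sorted({acct for acct, addr, start, end in SESSIONS
                   if addr == ip and _ts(start) - skew <= t <= _ts(end) + skew})


def addresses_for_account(account):
    """The reverse view: one account appears behind several addresses."""
    return sorted({addr for acct, addr, _, _ in SESSIONS if acct == account})


if __name__ == "__main__":
    ip = "203.0.113.7"
    print("address only:        ", accounts_for_ip(ip))
    print("address + exact time:", candidates(ip, "2024-03-01 19:25"))
    print("address + 10 min skew:", candidates(ip, "2024-03-01 19:25", 10))
    print("address + time (NAT):", candidates(ip, "2024-03-01 20:00"))
    print("alice's addresses:   ", addresses_for_account("alice"))
```
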

The general 'rule of thumb' with all online games is: You Own Nothing. Everything in game is the property of the game owner (EA/Bioware in this case) and you just have permission to play with it (which can be revoked at any time).

 

This is essentially what all the legalese you accept without looking at is all about.

Link to comment
Share on other sites
