As a grown adult I don’t play video games much anymore, but nevertheless gaming remains a very interesting industry, and unlike record companies, the games industry business model appears to be keeping pace with technology.

Mobile and web-based social game creators are driving down prices for basic games, but charging premiums for in-game virtual goods or premium content. This “freemium” model is generating good income streams, and small “freemium” companies are being targeted for acquisition by major developers such as Zynga or Electronic Arts.

Privacy risks
A typical small games company is probably focused on issues such as deciding whether or not license core intellectual property, keeping core programmers, and so on. It’s arguably less likely to be thinking about data protection. Yet data protection is an area which, if neglected, has the potential for severe financial and reputational risk – see for example the tumble in Sony’s share price following data breach revelations.

Games companies are now gathering volumes of data about their gamers that would have been inconceivable even a decade ago, including performance data (to help developers fix bugs), data which enables gameplay, password details, names, addresses, dates of birth, speech, photos, videos and so on.

Although companies seek to anonymise this information, it can still be considered personal data if it is reasonably likely that it could be used (now or in the future) to link with other information which identifies an individual. These treasure troves of data are becoming increasingly attractive targets for hackers.

Key data protection issues for gaming companies
Broad data protection and privacy issues that games companies need to be aware of include:

• According to the ICO, parental consent is required if personal data is collected from children aged under 12;
• Gamers must be informed in a clear and unambiguous way about when their data is being gathered, and the extent to which their personal data is being shared with third parties (such as providers of targeted advertising);
• Companies shouldn’t hold more personal data than they need. For example, is holding the residential address of a gamer always necessary?
• For a company to gather, control and ultimately process geolocation data, express consent should be positively obtained before the data is processed (that is, not obtained via a statement buried in Ts & Cs);
• Compliance with the new laws on cookies (which Martin has been keeping up to date with), which may impact on cookies placed on a gamer’s browser or device; and
• The enduring obligation to take appropriate technical and organisational measures against unlawful or unauthorised processing of personal data (as the quantity and sensitivity of personal data held by gaming companies increases, then the technical and organisational measures which they take to protect that data should be increasing also);
• Keep abreast of the new data protection rules that are likely to come into force in Europe in the next few years – in particular, there are likely to be new obligations on gaming companies located outside the EU.

Some quick tips then, but remember – to be this good takes AGES.

The MoJ is keen to emphasise that this is not a formal consultation, but rather a “call for evidence” to assist the UK government in forthcoming negotiations at EU level.

The call for evidence is open until 6 March 2012. You can access the papers and respond by way of an online questionnaire by following this link.

To read our initial views on the draft legislation see these Techblog entries:

• e-update on the draft data protection regulation – what price harmonisation?
• The draft data protection regulation – a summary of the key provisions
• What the proposed data protection regulation means for outsourcing by UK organisations

In addition to providing guidance on how the Commissioner will exercise his new power to fine under the Privacy and Electronic Communications (EC Directive) Regulations , the guidance also includes a number of examples on how and when the Commissioner might issue monetary penalties in relation to serious contravention of the Data Protection Act.

The Commissioner’s power to issue monetary penalties for serious contraventions of the DPA came into force in March 2010, and over the last 20 months or so the Commissioner has issued a number of monetary penalties – the highest being a £350,000 fine levied on Brighton and Sussex University Hospitals NHS Trust.

The Commissioner will issue fines in relation to serious contraventions that are likely to cause <substantial damage or substantial distress, and were either deliberate or where the data controller should have known that their was such a risk and did not take reasonable steps to prevent the contravention.

To assist data controllers with complying with their obligations, the new guidance contains examples in relation to each the terms highlighted above. For example, the Commissioner considers that the following will contitute a serious contraventions:

• failure to take adequate security measures (use of encrypted files and devices, operational procedures and guidance) that result in the loss of a CD containing personal data
• Systematic failings to record and respect objections to telemarketing
• Covertly monitoring someone’s location using mobile phone geolocation data

Given the Commissioner’s increasing use of his power to issue monetary penalties, then guidance is well worth reading.

In particular, we question whether the cost savings that organisations will gain through harmonised laws throughout the EU and a simplified approach to regulatory oversight will be outweighed by additional compliance costs in other areas.

You can read the e-update by following this link.

If you’d like to join our e-update mailing list to receive regular e-updates on outsourcing, IT and information law issues, please follow this link.

The proposals retain the general principles of data protection law, but also introduce some significant changes around:

• Fines;
• Consent;
• Notification (including 24-hour notification of breaches);
• New obligations on data processors;
• Compulsory Data Protection Officers;
• Data subject rights;
• Collection of child data; and
• The “one stop shop” approach

Firstly, as Martin noted in his earlier blog on the impact for organisations engaged in outsourcing, the regulation has direct effect. Once passed, it will not be subject to local implementation in each member state. This is intended to ensure that the laws are applied consistently across the EU.

Powers to fine
The official announcement follows last month’s leaked proposals which suggested that companies breaching data protection law might face fines of up to 5% of their annual turnovers. While this level of fine is not advanced by the official proposal, companies will still be subject to a fairly stringent sliding-scale of fines:

• a maximum of 0.5% of annual turnover for failures such as not responding properly to requests by data subjects;
• a maximum of 1% of annual turnover for failures such as leaving inaccurate data uncorrected, or failing to adopt internal policies to comply with the new Regulation; and
• a maximum of 2% of annual turnover for the most serious violations, including “risky processing operations”, or failing to obtain data subject consent.

Consent
Another key change being proposed is that data controllers can no longer rely on implied consent. Instead, controllers will have to prove that they have been provided with “explicit” consent from the data subject, while consent may not be relied upon if there is a “clear imbalance between the data subject and the controller” (which will make it difficult for, for example, employers to rely on consent from employees, as grounds for processing).

As an alternative to obtaining explicit consent, “other legitimate interests” of a controller will provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding.

Whilst this change is consistent with the opinions that have been issued by the Article 29 Working Party, this change will be particularly felt in the UK, where much of the UK Information Commissioner’s guidance has focussed on the concept of “implied consent”. For example, the Information Commissioner’s view on website privacy policies has generally been that the data controller does not need to flag up in flashing lights processing that is obvious. It will be interesting to see how guidance changes in this area.

Notification
Controllers will no longer have to notify data protection authorities that they are processing data -instead they will be asked to make available upon request evidence demonstrating their data protection policies and procedures, including “privacy by design and default” mechanisms, and privacy impact assessments.

Data breach notification
Controllers will also be expected to notify data protection authorities of data breaches within 24 hours. Where notification within 24 hours is not possible – and 24 hours looks like an onerous requirement – an explanation of the reasons for the delay should accompany the notification. Data processors, meanwhile, will be expected to “assist” controllers in cases of data breach or loss, and will be deemed joint controllers if they process personal data other than as instructed by the controller.

Data protection officers
All public sector bodies will be required to appoint a Data Protection Officer, as will private sector bodies with more than 250 staff (or whose core activities consist of processing operations).

The “right to be forgotten” and other new restrictions
Last month’s leaked document suggested that the new proposals would contain a controversial “right to be forgotten”, and many stakeholders were already pondering how such a right could possibly be guaranteed or enforced. The official proposals are less explicit regarding this right, proposing that a controller shall carry out erasure of data “without delay, except to the extent that the retention of the personal data is necessary” for a variety of grounds, including “public interest” and “compliance with a legal obligation”.

Potentially more interesting is a new right for data subjects not to be subject to a “measure based on profiling”, meaning that organisations will be potentially barred from profiling individuals based on automatic processing seeking to predict a person’s creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour. This may well impact upon Amazon’s religious beliefs patent (as blogged about by Martin last month).

It’s also worth noting that under the new proposals the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. This concept of a “child” and the parental consent requirements will almost certainly conflict with many organisations’ current practices.

The “one stop shop approach”
Finally, the draft proposes that controllers and data subjects will have a one stop shop in terms of regulators. If a data subject wishes to complain about processing by a data controller in another EU country, it will complain to its local regulator who will raise the issue with the regulator in the data controller’s home country.

Given that non-EU data controllers collecting data from EU data subjects will also be subject to the new regulation, this will surely increase the administrative burden on the various national regulators.

These are just some of the changes to the present European data protection regime which are being proposed. It’s worth remembering that these proposals will need to be approved by the European Union’s member states and ratified by the European Parliament before they can come into effect. Given the extent of the proposed changes, that process might take up to 2 years, if not longer.

To date, data controllers in the UK have had a degree of flexibility when entering into outsourcing agreements that involve the processing of personal data outside the EEA.

Under the Data Protection Act 1998, which implemented the 1995 EU directive in the UK, transfers outside the EEA may broadly take place in the following circumstances:

• Where the European Commission has made a finding of adequacy in relation to the level of protection offered to personal data in the country or territory in question (including, for example, the US Safe Harbor scheme);
• Where the transfer is made pursuant to contract on terms approved by the European Commission (AKA the EU model clauses for data transfers);
• Where the organisation has put in place binding corporate rules that have been approved by the relevant data protection regulators; and
• Where the data controller has made a finding of adequacy in respect of the proposed transfer.

Findings of adequacy
The ability to make a finding of adequacy is particularly useful for data controllers, as it allows the data controller to make a reasoned decision based upon its diligence on the proposed data processor and the actual contractual terms that are put in place.

In particular, it allows the data controller to deviate from the approved model clauses without needing to go through the administrative burden of having those clauses approved by the Information Commissioner. For example, the data controller may wish to outsource a service through a single contracting entity on behalf of various group data controllers, rather than enter into multiple model clause agreements between each data controller and the end data processor.

The ability to make a finding of adequacy is not carte blanche to do anything – the data controller still needs to be able to justify its actions to the Information Commissioner, but it does provide some significant commercial flexibility.

The position outside the UK
But that permissive and flexible approach in the last bullet does not apply everywhere in the EU. In a number of EU member states, any deviation from the model clause agreements needs to be notified and approved by the national data protection regulator. In some member states even the use of the model clause agreements needs to be notified to the regulator.

So what will happen under the new law?
If passed as it stands, the regulation would have direct effect. Unlike a directive, there would be no need for local implementation by individual member states. The intention of the regulation is to have a uniform data protection law across the whole of the EU – a law that is not subject to local variations and differing interpretations by different parliaments, regulators and courts.

The consequence of this is that the rules on cross-border data transfers will be unified.

Under the draft regulation there is no ability for the data controller to make a finding of adequacy. If the data controller wishes to vary from the terms of the model clauses, the data controller will need to obtain the consent of the relevant data protection regulator.

Whilst not unexpected, confirmation of this restriction is disappointing and will substantially increase the red tape involved in entering into outsourcing agreements – particularly where there are complex inter-group arrangements and multiple data controllers.

The UK Information Commissioner has already issued a press release questioning this requirement, presumably with half an eye to the increased (and unnecessary) administrative burden that it will incur, when its resources are already stretched.

Of course the irony here is that as all seasoned data protection lawyers will tell you, the data processor has no direct obligations under data protection laws – it is the data controller that is responsible (contractually) for ensuring that data is securely processed. National legislation is irrelevant. Approved form processing contracts are not required within the EEA, so why should transfers outside the EEA be treated differently?

Why not simply leave it to the data controller to ensure that it has carried out its diligence and has an appropriate contract, as the law requires for outsourcing within the EEA? I’m not aware of major problems having arisen from data controllers deviating from the model clauses, so why try to fix something that isn’t broken?

It must be hoped that this change does not make it into the final draft. Those involved in outsourcing may wish to support the UK Information Commissioner in ensuring that a workable mechanism is in place for cross border outsourcing.

The fact that a bank is signing up to Google Enterprise Apps for email and other collaboration services could be taken as a considerable endorsement – banks are, by nature, very security-centric: they have to ensure that they comply with strict information security and regulatory requirements. On this basis banks normally use their own servers to store and share data.

This is what makes the BBVA / Google deal so surprising. BBVA’s data will be stored on one of Google’s public servers, rather than on a private servers. BBVA will initially only use Google Apps for “internal communications” (with customer data and systems continuing to be hosted only in BBVA’s dedicated data centres), but it is assumed that over time BBVA may move more and more data to the cloud.

While I suspect that BBVA may have agreed a tailored solution and not signed up to Google’s Enterprise’s general terms and conditions, the standard Google Enterprise offering (as opposed to the free to use standard version) is rather attractive for businesses considering moving to the cloud, and in particular, using a cloud solution for data sharing and storage, such as Google Apps.

How safe is it to store data using Google Apps?
When storing data to an external server you have to make sure the data will be secure.

From an information security perspective Google Apps for Business has pretty good security credentials, so much so, that some of the US Government Departments use it. Google Apps is actually FISMA certified as being a secure way to store and share data. Google has also obtained an SSAE 16 Type II report (an independent audit) confirming that Google Docs actually adheres to the security controls it has in place and that these systems are operating effectively. The SSAE 16 report may give potential customers reassurance in relation to the effectiveness of Google’s security measures.

The other key information security concern for organisations is compliance with data protection rules and the security of personal data. Google Apps is currently hosted in the US and Europe, but Google Inc is a member of the US Safe Harbor Scheme. This is a US Federal Trade Commission scheme that allows US companies to certify compliance with a set of rules approved by the European Commission as being equivalent to the requirements of the EU Data Protection Directive.

This is important for organisations subject to EU data protection controls, as a transfer to an organisation that meets the Safe Harbor requirements allows the organisation to comply with the eighth data protection principle (which restricts transfers of data outside the EEA) without the need for putting in place model form contracts or making a finding of adequacy. This will give considerable comfort to users of Google Apps in relation to the any personal information that they store in the cloud.

However, potential customers should still be aware that Google may be obliged, under the Patriot Act, to disclose information stored in Google Apps to the US authorities.

How do other cloud services compare?
The fact that BBVA is using the Google Apps should not be taken as a green light for companies to store confidential, commercially sensitive or personal data on a similar cloud-computing solution. Google Apps is unique in terms of the FISMA and Safe Harbor accreditation and a number of cloud storage alternatives, such as Dropbox, simply don’t compare.

Dropbox – Information security risks
Dropbox and similar cloud-drive services are becoming an increasingly popular option for storing and sharing large files and for accessing documents from multiple devices. But, looking at the Dropbox terms and conditions, it appears to pose a number of potential information security risks which users may be overlooking.

Storing information
Firstly, Dropbox doesn’t have the greatest reputation as far as security is concerned.

Putting hacking to one side, there is a lack of certainty over what happens to your data once you remove it from the system. Normally, when you are storing confidential information on a third party’s system you want the comfort that at your request all of the confidential information is permanently deleted from the system. However, the Dropbox terms and conditions state that they are ‘likely’ to continue to hold the information on their back-up systems once you have deleted the data.

Releasing information
Another key concern is how readily Dropbox will share your data (confidential, personal or otherwise) with third parties. While there is a general obligation to release information when ordered to do so by a court order, Dropbox will seemingly release your files rather readily. In comparison, Google will inform you of the request and give you the opportunity to object.

Lack of independent certifications
Most importantly for potential customers within Europe, Dropbox states that it does not have Safe Harbor certification, nor is it able to provide a SAS 70 or SSAE 16 report in respect of its information security measures. This causes problems from a data protection perspective, and also means that their is no independent verification of the controls that Dropbox claims to have put in place.

The moral of the story is that you should carefully consider what data you are uploading to a data sharing  cloud – particularly if it is commercially sensitive or personal information – and, as boring as it is, read the site’s terms and conditions and carry out some due diligence on how your information will be protected.

The ICO’s guidance on the exercise of his power to fine
In his guidance on how he will exercise his power to fine, the Commissioner explicitly recognises that in determining the appropriate level of any fine he must consider the impact that any fine would have on the controller. In particular, the Commissioner’s guidance states that:

• The Commissioner will take into account the sector, for example, whether the data controller is a voluntary organisation and also the size, financial and other resources of the data controller.
• The Commissioner will consider the likely impact of the penalty on the data controller, in particular financial and reputational impact.
• The Commissioner will take into account any proof of genuine financial hardship which may be supplied. The purpose of a monetary penalty notice is not to impose undue financial hardship on an otherwise responsible data controller.

Many of the monetary penalties issued by the Commissioner to date have been imposed on public on public sector bodies, such as NHS trusts (and councils for that matter). Levying fines on the public sector raises tricky issues, particularly in this financial climate. When budgets are already stretched, there is a real risk that large fines will hit front line services and that, of course, would ultimately hit the public – the very people the Commissioner is trying to protect.

It’ll be very interesting to hear what level of fine is ultimately imposed on the NHS Trust in question. From the press reports, it does seem that the contravention of the DPA was particularly serious and so a substantial fine is inevitable. No doubt, in it’s representations to the ICO, the Trust will address the issue of the financial impact any fine of this scale will have on its operations.

Time for an alternative approach?
If the idea behind monetary penalty notices is really change the culture within organisations and move away from the attitude that data loss incidents are “inevitable” (c.f. “preventable”), maybe it’s time to start thinking about whether the ICO should have power to fine individuals themselves within the organisations whom he finds to be culpable.

Yes, the organisations themselves should be responsible but perhaps also it is time to recognise that individuals whose conduct is deliberate or reckless and below the standard of someone who is reasonably competent, should also be at risk of being fined personally.

Just a thought…

What do you think? Is transparency and information about behavioural advertising an issue? Did you know how it would work when you accepted the cookie, or do you not care? Add your opinion in the commments.

Amongst the things monitored are the purchasing of gifts and “the gift wrap used by such other users when purchasing gifts for this user, such as when the gift wrap evidences the user’s religion (in the case of Christmas or Hanukkah gift wrap, for example)”.

So if someone orders me a gift from Amazon, has it gift wrapped and sent to me at some point in December, Amazon will apparently assume that I am of Christian belief.

That’s quite a leap of faith (pun intended), given that a substantial proportion of people who give Christmas presents are likely to class themselves as aethiest or ambivalent in their religious beliefs.

The preamble to the patent states that:

A computer-implemented matching service matches users to other users, and/or to user communities, based at least in part on a computer analysis of event data reflective of user behaviors. The event data may, for example, evidence user affinities for particular items represented in an electronic catalog, such as book titles, music titles, movie titles, and/or other types of items that tend to reflect the traits of users. Event data reflective of other types of user actions, such as item-detail-page viewing events, browse node visits, search query submissions, and/or web browsing patterns may additionally or alternatively be considered. By taking such event data into consideration, the matching service reduces the burden on users to explicitly supply personal profile information, and reduces poor results caused by exaggerations and other inaccuracies in such profile information. [emphasis added]

What about data protection rules?
This raises some interesting data protection questions.

In the EU, religious beliefs are one of the categories of personal information that are classified as “sensitive personal data”, and therefore subject to a stronger set of rules. In particular, a data controller may only process sensitive personal data if it can satisfy one of the specific conditions set out in Schedule 3 of the Data Protection Act. The majority of these grounds relate to things like processing that is required by law, processing that is necessary to protect the vital interests of the data subject or processing for the administration of justice.

None of these are applicable to Amazon.

Which means the only condition it could rely upon is the “explicit consent” of the data subject.

It’s difficult to reconcile this need for explicit (not implied) consent with the last sentence of the preamble, which states that the system will “reduce the burden on users to explicitly supply personal profile information” – in other words, it will allow Amazon to guess the things that users don’t tell it.

European data proctection rules make it clear that Amazon cannot activate this system in respect of a user unnless he has expressly given his informed consent. So if a user decided that it would like Amazon to profile him based on his religious beliefs, would that user rather tick a box saying “would you like Amazon to guess which (if any) religious beliefs you hold?” or simply complete the details in his personal profile?

And how does this guessing system equate with the fourth data protection principle, which states that personal data shall be “accurate and, where necessary, kept up to date”? Will Amazon periodically ask you to confirm its assumptions to check that they are up to date?

Organisations such as Amazon often apply to patent new ideas without necessarily ever putting them into practical appplications. In Europe at least, I suspect that this may be one such idea.