How does GDPR affect player groups that collect information on their members

Are you actually processing personal data though? Can you as a data controller link a forum name to an individual? You can certainly identify all the content posted and certain activities carried out by the user(s) of the forum account but if you wanted to find out what my real name was for instance or anything about me I haven't posted, would you be able to do that? I don't think you would. I have seen posts on this forum where people definitely identify themselves. For the majority of users I don't think you are going to be handling personal data. https://www.itgovernance.eu/blog/en/the-gdpr-what-exactly-is-personal-data https://ico.org.uk/for-organisation...a-protection-regulation-gdpr/key-definitions/

I reckon it's probably OTT but if you have nothing to lose by doing it, you could obtain and record consent from anyone participating stating what data you collect, how it's used, who it's shared with and informing the subjects of their rights. (Essentially everything you have already listed.) If you do that and take reasonable steps to ensure the data is secured against unauthorised access (although you are publishing it I believe anyway) and that you have a backup copy of some kind you're broadly covering the bases. You must of course only process the data for the purposes stated. You should keep details of the data set you collect and who it's shared with and for what purposes.

Is the ICO going to come after you if a copy of the spreadsheet is found unencrypted on a USB stick thereby potentially constituting a breach? Highly unlikely. Could someone make a complaint to the ICO regarding data collection and handling? Yes, that's possible I suppose but would the ICO be interested in pursuing you? Seriously unlikely unless you're talking about thousands of people's personal data and that data set includes information which could be used for nefarious purposes. A list of forum names and commodities carried really isn't useful to anyone outside of how you use it within your group.

Anyway, nobody knows how the practical application of GDPR is going to pan out, it's a case of waiting to see what happens to the first sets of cases according to our lawyers.
 

Regards:
It is correct as indicated by Dural. My personal opinion:

1) Frontier never passes data from commander A to commander B, even if they are in a wing; it only provides the in-game nickname and encrypts for reasons of the game itself.

2) Those who pass data from cmdr A to a server are third-party programs such as EDDIsystem and the like, which are third parties to Elite Dangerous.

2.1) It is Elite Dangerous that encrypts data.

3) GDPR does not apply to creating a database of game events.

4) The servers of Frontier, EDSM, INARA, etc. are the ones that have a GDPR obligation.

Only one technical doubt remains, which only Frontier can answer:
When a P2P client-server connection is made, are the IPs of other cmdrs hidden, so that they cannot be identified by clients in their Windows/Linux registry?
 

All wrong. As long as there is a theoretical possibility to do it, it has to be considered as personal data. The IP address from your service provider is such an example. Normally nobody knows who is behind that address, but there's a possibility that you (with some legal support) can become aware of it.

And that's where you get problems when you spread that data around. That's what FD is doing by providing clear commander names and IP addresses in journal or logfiles.
 

The key thing here is whether the data controller can use the information they process to identify an individual. Nobody running a player group needs to worry about what Frontier can do because Frontier wouldn't make information about which commander was using which IP address available to anyone. Neither would Inara or any other organisation which was able to correlate a commander name with an IP address.

As a user, it's easy enough to find out what IP addresses your machine is connecting to but unless you can tag that IP address to a commander you don't know which IP address belongs to which commander.

You aren't going to be able to identify someone from their IP address 99.99999% of the time anyway unless you can obtain information about who that IP address was issued to and / or which individual was using it to connect to a service in the case of a shared network unless you're law enforcement. An IP address itself isn't necessarily personal information unless it's collected within a data set which would enable the controller to identify an individual.

* well, you probably could if they were the only other commander in the instance or you recorded both the game and the network traffic and correlated the activities.
 

Forget that way of thinking. Practically you are right. But it's not the way things are working.
 

It's not wrong. Personal data is specifically defined as data which can be used to identify an individual by the data controller or processor using information which is available to them. An ISP would NOT release that information unless they were under a legal obligation to do so. We are talking about someone running a player group for a video game.

Personal data means data which relate to a living individual who can be identified* –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
 
Nope. A common example is the IP address or the license plate on your car. Both the same. Believe me. Nobody can practically identify the person behind it - but there's a possibility -> personal data.

End of discussion here :)
 

I would refer you to one of our law firms who have both spent the last 3 months going through all this with me but suspect they would be wasting their time explaining ;)

Happy not to discuss this further, especially if you're going to ignore the definition of personal data :)
 
I've just spent 12 months implementing GDPR at a large organisation as their DISO, you know what.

If I have to create one more policy or process, map one more database in relation to personal data ... I'm going to jump out of a window.


I'm not talking about it anymore lol.

----------------edit

Oh and geesh, don't even ask how much we have had to spend on our new permissions and enquiry database
 
Oh my god…

being DPO in real life and reading this in a video game forum… :eek:

same here :)

I think the problem is providing commander names and IPs in players' logs, and I think this should be reworked by FD.

XD Apologies. How are we doing? Have we done enough?

For the repair spreadsheet, you have a purpose of coordinating an online social event. You only display data people have given you for that purpose, the personal data you collect is minimal anyway, you don't use the personal data for other purposes, and if for some reason someone wanted it removing from the sheet you would. Nothing to worry about.


Broadly if you were previously handling personal data in a proportionate, respectful and secure fashion ... you will generally need to make token changes only for GDPR compliance. If you weren't, it's not the GDPR that's the problem ... but that's unlikely to be the case for informal stuff people are doing with player groups in Elite Dangerous.

It sounds like you're saying we're not excluded from GDPR and what we're not doing doesn't fall under personal activity. Have I got that right? In that case, are the measures I have taken necessary and if so, have I done enough?
What would you advise other player groups to do? Should they post similar announcements, state the right to access and right to erasure and request explicit consent?


There's also a bit which states: information that can be used to identify a natural person, directly or indirectly.

While I didn't do this, I could have recorded the time that each CMDR had hauled the commodities, and used that to determine how long the trip had taken, and thus I would have known roughly what time they play and for how long each day and which days they usually play. Knowing the time they play, I can use that to assume the location in which they live. This allows me to identify them a little bit more. Someone else with other bits of data (like an IP address or what not) may be able to glean more out of it.

Then there are player groups that may record emails or timezones directly, then there are player groups that connect a person's Discord with their Forum name, etc.
At least that's how I think of it.

I'd love to get a lawyer's opinion, but I believe Ian Doncaster is one so I think I have it. :p
 
Nope. Not a lawyer, not legal advice.

My non-lawyer opinion would be that:
1) Player groups probably don't fall within the personal/household exemption once they get above a fairly small size. I suspect "unincorporated association" would be the UK legal concept that fitted most of them. So they are subject to GDPR if any of their members are EU citizens, and possibly in other circumstances.

2) Basic keeping of membership lists is absolutely fine (under a "legitimate interests" justification) for basic non-sensitive personal data like name, account, contact details, and data generated as a consequence of membership (e.g. delivery totals, racing scores, ranks, etc.)

3) You do have to make clear when collecting personal data why you're doing it and who you will share it with. For most player groups this will be "to manage membership and contact our members" and "no-one outside the group"

4) You probably don't have to explicitly state rights to access, rectification, erasure - they're standard legal rights - but you obviously have to respect those rights should anyone use them. And it should be obvious one way or another who to contact to exercise those rights. A basic "privacy policy" is the easiest way to give out all this information, but not necessarily the only one.

5) Player groups should not I think in general be doing things which would require a "consent" justification in the first place. For an example, you want to know your members' names [1]. You should use "legitimate interests" as your justification for collecting and processing this information. If you use "consent" as the justification - you have to be able to provide at least most services anyway if they refuse consent (or it's not freely given and therefore not GDPR-eligible consent), and good luck providing membership services to someone who refuses to tell you who they are... If you stick to just collecting and processing the personal information you genuinely need to run the group, then you don't need to worry about the complications around the "consent" justification.

6) You have the usual obligations around personal data storage to ensure that it is not lost, subject to unauthorised modification, stolen, or kept longer than necessary.


[1] Obviously for the purposes of an Elite Dangerous player group, account or forum nickname serves just as well as an official government-sponsored name. But it's personal information either way.
 

Question: Do you get the data directly or from game logs? (Just to clarify Frontier's role here)
 

I have never detected in the game log, journal log, etc. data of any cmdr. No IP, no real name, no email.

Another case apart is when you socially, through other programs such as Discord, TeamSpeak, Skype, etc., know the name of a cmdr in the game and their real email address, through Discord for example. But those are verifications outside the Elite Dangerous game itself.

There is only one technical issue, and it is the network registry of your Windows or Linux when making P2P server-client connections, which can detect which IPs are connecting in the instance of the game.

It is also possible that Frontier has already foreseen this, and that the IP you receive is really a masked IP, which is the one that your Windows registers in the incoming and outgoing connections.

But that's normal when you connect to any internet site since your Internet service provider assigns you a public IP.


 
I've actually gone and asked about this on a legal site, because I doubt Frontier could even answer whether collecting information of other players' activities in-game falls under GDPR or not. Couldn't blame them for that either (I would want no part in that if I were a developer, it would be enough to deal with one's own compliance already).

I am not a lawyer obviously, but from my understanding the issue comes into play in the form of a simple common scenario in MMO games:

Monitoring player activity. With squadrons coming out in 3.4 we will have a "guild system" in place with limited member capacity. Anyone who has managed a guild in an MMO will know that monitoring member activity can be crucial for a healthy community of players especially when these various communities are intended to compete against one another in-game (we don't know if such will be the case for ED, but that's beside the general point). If such a game does not provide the means to determine member activity through an in-game mechanic, one must do it outside of the game (which could be via a digital spreadsheet, or written down on paper). That means collecting data such as player usernames and linking these with the times and dates when they are playing a game - which is definitely a form of collecting personally identifiable information.

To be clear here: online communities are a form of organisation. Especially as some of these can span thousands of members, with data processed from each individual member.

From my understanding GDPR in its most basic form is simply about increasing the awareness of when one's data is being processed, what is being used, by whom and the right that one can revoke the consent for any further use of that data. It's nothing new in general, however the scope of people that must comply with it is. We used to be able to collect data on player activity for "personal use", though this could be deemed as a gray area. With GDPR that gray area no longer exists, or at least that appears to be the aim of it.

In short: collecting player data isn't an issue, but the consent to do so might need to be more formal than simply stating it somewhere in a guild or channel description/via word of mouth. It needs to be clearly stated what you're collecting and why. That's my opinion on it.
 

When you get all the data from "outside" the game I don't see problems. I just see problems in that Frontier, in their role as data controller, are giving the data away to 3rd parties (basically everyone's data to everyone via the journal/logfiles) without having them masked. They are responsible and if someone uses the IP from another player to hack or DDOS him, Frontier are the guys that will be held responsible (if there is proof that the data was received through the game). (Only solution right now: don't play open or group.)
 


That is not right.
You only receive data about your own role and the status of your ship, in the form of the journal log and status.log. You do not receive any data from other commanders, other than what is assumed in the game, such as the name of the other cmdr and its status: something you can see on the screen during your game. So I consider certain assertions in your post invalid.
 

Sorry, that's wrong. In the journal you receive at least the commander names when you play in open and have the honor to meet one (I know, that's not often the case right now :D), and in the log/extended log you have a list of P2P connections including IPs of your instance.
 

I get my data from players who post in the forums or discord. They volunteer the information that I use. Here is the thread in question: https://forums.frontier.co.uk/showt...5-truckers-to-help-repair-an-attacked-station
And the spreadsheet: https://docs.google.com/spreadsheets/d/15-DcjOppH9ThhKLt04TkyIEIVt2HaaXCdlWL_grpERA/edit#gid=0


Thank you! Which articles apply to point 5?
 
A nickname and email address don't make for identifiable natural people. Don't log the IPs and don't keep a book of grudges and you're good. No need to overthink this.
 
I have another question. This is a little off topic. This was something that happened a long time ago in my Elite history.

I had wanted to get involved in powerplay with a certain power but due to my affiliation with a particular player group I wasn't allowed.
I had shared the logs of our communication (it was in text) as to why I wasn't allowed. This apparently wasn't taken very well by the admin in question.

We had gotten onto a voice channel one day with a representative of a player group and the admin/moderator of the powerplay operation's group to sort this out.

Apparently the reason for this was to ensure that no text logs could be made. Learning of this, I had quickly started recording the conversation because I believe that a person that would go to lengths to avoid being cited wants to say something they know would paint them in a bad light. It contained what I would deem flagrant toxicity from these leaders of powerplay operations and player group.

At the time, due to the international nature of the voice communication, it is unclear legally whether a one party notification or a two party notification would apply. That means, do both sides need to know that it's being recorded or just one side? It's one party for mine and where I was at the time, and two party for their country of origin at the time but only if it's for businesses. I never did find out how it applied to natural people.

I believe I was in the right to be allowed to record my specific conversations with these people for future reference without notification (that means telling them that they're being recorded) because it was an international call.

Here's the thing, I had an audio file with evidence of generally terrible and bullying behaviour from specific leaders of powerplay. Under GDPR, would a voice recording be considered personal information?
And would I have been able to share it for the purpose of shedding light on an instance of bullying and toxicity that I had personally borne witness to?

Would GDPR in its current form prevent such? Or does it contain provisions towards sharing information about general bad behaviour?

I have not shared the file in its entirety and would likely never do so.
 