GDPR clarification?
I am aware that since May this year, in Europe at least, the laws on data management and protection changed.
The General Data Protection Regulation came into effect and to be honest... its application is vague. Some argue that it is vague on purpose to try and 'catch' organisations who would not usually be considered relevant... basically, the focus was on trading businesses as opposed to 'free-to-play' or 'free-to-access' non-profit services.
I know that Cantr has some of my details on its server(s). It has my email address and I also know that email addresses have commanded a premium in both data 'sales' and theft purely because of their value in marketing.
I am also assuming that the data stored on the Cantr servers is somehow attached to my in-game activity. Logs and/or participation in making things like notes. I think the last time this was mentioned on the forum was way back in 2014 because of a perceived threat to security and the implementation of an encryption?
What I am curious about is:
1. Is the game GDPR compliant (I can't find anything in the game blurb about this)? and...
2. If I choose to leave the servers, what are my options for complete data removal?
Thank you.
[I see this is a general point of debate but please feel free to move it to support]
- Jos Elkink
- Founder Emeritus
- Posts: 5711
- Joined: Mon Jul 14, 2003 1:17 pm
- Location: Dublin, Ireland
Re: GDPR clarification?
We are (and have been) discussing this internally and will provide further clarification in due course. Suggestions from players here are welcome in public discussion, but from an organisational point of view, we will not comment until we have a clear joint position. We have made some investigations and had some discussions, but we are still finalising conclusions on the matter. We will of course ensure to be compliant with the law.
- sherman
- Public Relations Chair/Translator-Finnish (PR)
- Posts: 914
- Joined: Tue May 14, 2013 10:58 am
- Location: Finland, Helsinki
Re: GDPR clarification?
This following message is my personal opinion and has nothing to do with me being a member of staff:
I personally find the whole GDPR a mess that is poorly made and confusing to understand. So I used the following site to get an idea of what it is (I'm sure there are people who have no idea what it really means so... feel free to check it) http://www.itpro.co.uk/it-legislation/2 ... ed-to-know
1) I think the game is as clear as it can be with said law. It's a confusing mess like I said and Cantr has no paid lawyers to take care of such legal things so... The fact is games need certain data to work and make sure people can't circle around bans etc. The said law is made to control Facebook, Microsoft etc. So games are kinda in a grey zone in my opinion. I doubt they paid much attention to gaming when it was made. It would be a mess if people could abuse the law to circle bans and punishments. Would be totally fun to play MMORPGs with all the cheaters who can avoid punishments.
2) Like I said, games need certain data to make sure rule breakers can't bypass them, so complete data removal in my opinion isn't possible.
Don't fight a battle if you don't gain anything by winning.
-Erwin Rommel-
- Alladinsane
- Posts: 3351
- Joined: Thu Mar 11, 2010 9:09 pm
- Location: Fla
Re: GDPR clarification?
I wouldn't worry about it. A few legal holes exist, like the perceived ability to retroactively enforce on un-associated entities.
A constitutional lawyer in the US would salivate at the chance to make a name dismantling what I read, especially if a company in question is not based in the EU.
I did not see immunity from civil action however... It's just on a cursory examination right now. Doxing is becoming serious; but an organization that arbitrarily grants itself permission to retroactively enforce its own rules upon other organizations who are not even subject to its jurisdiction in other areas... is about as effective as the self-appointed 'world court' was when it tried to enforce a sanction on a US president for controlling the country that was primarily responsible for the conduct of Operation Desert Storm.
I think you can trust the core members of the Cantr staff to not abuse your info... they have no history of doing so in the past and the ones that attempted such actions were promptly removed, showing good faith on the part of the core members of staff.
JMHO based on my limited legal education... use as you see fit.
A famous wise man once said absolutely nothing!
- Jos Elkink
- Founder Emeritus
- Posts: 5711
- Joined: Mon Jul 14, 2003 1:17 pm
- Location: Dublin, Ireland
Re: GDPR clarification?
Are you assuming Cantr is US-based? Cantr has always been within EU jurisdiction.
Re: GDPR clarification?
It doesn't matter.
The only difference between EU citizens and US citizens is that US citizens don't have this law protecting them (and it is a law).
Protection and access to data is attached to the citizen, not their location.
As for having 'faith'..? You'll just have to forgive me for being sceptical as to which of a bunch of volunteers that I don't know anything about are a better option than say... a published privacy policy..?
Legal holes then..? No. There are exceptions and caveats but basically, the principle remains unchanged. Lack of funds to employ a lawyer to manage the compliance is not an exclusion... neither is being a small organisation. Also... being in the "grey area" is a gamble and in the initial confusion of just how people are to meet the requirements of this new law, you think they won't look for precedent? Worse, they will be looking to form an audit trail of prosecution, not some form of liberal denial. They have invested a lot in this initiative and they will make it work.
My question regarding my own access to my data on these servers is also as yet unanswered. How do I see it and, if I don't like it, how do I get rid of it? I appreciate that's a big request, especially if my initial data produces more in-game, such as an attachment to in-game items etc... but this is the task you are faced with now, should you fail to validate the game as a GDPR exemption.
-
- Posts: 521
- Joined: Sat Jun 13, 2015 1:32 am
Re: GDPR clarification?
To be honest, it's always weirded me out a bit with the activity logs. Just the fact that everything I do and say in the game is sitting there in multiple people's inboxes. The potential for doxxing would be a little unsettling if I weren't more careful what I do or say in game.
- Wolfsong
- Posts: 1277
- Joined: Sun Dec 13, 2009 5:33 am
- Location: Australia
Re: GDPR clarification?
I know in the past when Cantr II was "hacked" by a disgruntled staff member, it was revealed that all passwords were saved in plaintext. Was this ever fixed?
- Rmak
- Posts: 347
- Joined: Mon Sep 21, 2015 9:00 am
Re: GDPR clarification?
I am an EU citizen, such glorious days of being spammed by companies asking me if they can continue to keep my data
Just update the Cantr terms and conditions to reflect "by using this we have your data" and if they don't want it, they don't play.
Quote Wolfsong:
They aren't playing children; they are playing mentally ill people.
- Jos Elkink
- Founder Emeritus
- Posts: 5711
- Joined: Mon Jul 14, 2003 1:17 pm
- Location: Dublin, Ireland
Re: GDPR clarification?
Wolfsong wrote: I know in the past when Cantr II was "hacked" by a disgruntled staff member, it was revealed that all passwords were saved in plaintext. Was this ever fixed?
Yes, that was fixed.
- Alladinsane
- Posts: 3351
- Joined: Thu Mar 11, 2010 9:09 pm
- Location: Fla
Re: GDPR clarification?
By signing up, you sign an implicit agreement...if you enter no data, no data can be processed.
saying that you gave up anything willingly...good luck with that legally, people only have what you give them.
*******************************************
No Jos, I was not saying it was/is a USA company, only analyzing how US laws apply IF that were the case.
I don't know if the EU can apply any of its territorial laws to the US or not.
They tried before and now that we have a madman in control of the USA... he might cut the funding and troop protection.
Stranger things have happened and we have a strange leadership now, I have no accurate position on what will happen.
Be well,
A famous wise man once said absolutely nothing!
- Money
- Posts: 929
- Joined: Fri Feb 15, 2008 1:05 pm
Re: GDPR clarification?
Just wanted to clear up some particular points as I've worked on GDPR compliance.
Any company which collects data within the EU regarding EU citizens must abide by the requirements and restrictions of the GDPR when handling that data. Unless Cantr is going to implement two tiers of data storage and handling, the GDPR will effectively apply to non-EU citizens as well. Side note: I would be concerned if Cantr stores the data of EU citizens outside the EU.
Exemptions are very few and far between. Games are definitely not exempt from the GDPR. They're actually one of the main targets of it. A lack of funds or technical expertise also doesn't exempt you from the GDPR. Fun fact: financial regulators are actually pushing back against the GDPR because they've essentially lost their former exemption from EU privacy legislation.
If any data is stored in plain text, especially if it can be linked together in such a way as to identify the person, I would change that immediately. I would also limit access to even encrypted data to the bare minimum of essential personnel.
I might post more later, but those are the important points.
Re: GDPR clarification?
Thanks for that, Money. It makes a lot of sense...
...it doesn't do anything to fill me with confidence but it makes sense.
- SekoETC
- Posts: 15523
- Joined: Wed May 05, 2004 11:07 am
- Location: Finland
Re: GDPR clarification?
I've heard that generally when sites are asked to delete identifiable information, it doesn't mean that you have to delete everything, just the parts that allow connecting that information to a user. So for example for a webstore, when a user requests their information to be deleted, it deletes their email address, bank information, name, address, etc, but what is allowed to remain is purchase history bound to a "ghost account" that can never be linked back to who owned it. Then the information about purchases can be used for statistics, but no one can ever tell who the buyer originally was.
When somebody has an active account in Cantr, the information bound to that can be used to ensure that the user cannot open a secondary account while the first one is active, but when a user quits playing Cantr, by law they now have the right to have their identifying information deleted/obscured, so that even though there can be a list of character spawn and death dates attached to an account id, the username, email address, real name etc. must be purged on request. But apparently it's still legitimate to keep a registry to identify banned individuals based on "legitimate interest". https://www.reddit.com/r/gdpr/comments/ ... ing_users/
Not-so-sad panda
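A sketch of the erasure scheme described in the post above (purge the identifying fields, keep the history under a bare account id, keep a registry of banned individuals), added here as an example and not taken from the thread or from Cantr's code. The table and column names are hypothetical, and storing the ban entry as a keyed hash of the e-mail address is an assumption the thread does not specify.

```python
import hashlib
import hmac
import sqlite3

# Constructed key for the demo; assumed to live outside the database in practice.
BAN_KEY = b"constructed-demo-key"

def email_token(email: str) -> str:
    """Keyed hash of a normalised e-mail, so the ban list holds no readable address."""
    return hmac.new(BAN_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def make_db() -> sqlite3.Connection:
    """Hypothetical schema with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
                               real_name TEXT, banned INTEGER, erased INTEGER DEFAULT 0);
        CREATE TABLE characters (account_id INTEGER, spawn_day INTEGER, death_day INTEGER);
        CREATE TABLE ban_registry (email_token TEXT PRIMARY KEY);
        INSERT INTO accounts VALUES (1, 'alice', 'alice@example.org', 'Alice A', 0, 0),
                                    (2, 'bob', 'Bob@Example.org', 'Bob B', 1, 0);
        INSERT INTO characters VALUES (1, 100, 340), (2, 120, NULL);
    """)
    return db

def erase_account(db: sqlite3.Connection, account_id: int) -> None:
    """Purge identifying fields; keep the account id so character statistics still join."""
    with db:  # one transaction: the ban token is written before the e-mail is purged
        row = db.execute("SELECT email, banned FROM accounts WHERE id = ? AND erased = 0",
                         (account_id,)).fetchone()
        if row is None:
            return  # unknown account or already erased
        email, banned = row
        if banned:
            db.execute("INSERT OR IGNORE INTO ban_registry VALUES (?)",
                       (email_token(email),))
        db.execute("UPDATE accounts SET username = NULL, email = NULL, real_name = NULL, "
                   "erased = 1 WHERE id = ?", (account_id,))

def is_banned(db: sqlite3.Connection, email: str) -> bool:
    """Registration-time check against the ban registry."""
    return db.execute("SELECT 1 FROM ban_registry WHERE email_token = ?",
                      (email_token(email),)).fetchone() is not None
```

After erasure the `characters` rows still reference the account id, but nothing in `accounts` says who owned it; only a banned address leaves a token behind.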