Jump to content
Amigatu Choche

GDPR is coming, and it affects you

Recommended Posts

53 minutes ago, Amigatu Choche said:

Hi, does anyone know what LL is planning on doing about this GDPR if anything ?

i'm nearly sure LL complies to this... it's the inworld merchants problem if they store info.

  • Like 2
  • Thanks 1

Share this post


Link to post
Share on other sites

This should be interesting , i believe many merchants do , I was told SL does not have storage for such information so it would have to be out of Inworld, I would think ? I wonder what they will do about it . thanks for your reply ! :)

 

Share this post


Link to post
Share on other sites

I would suggest that Casper's text is somewhat too broad. Specifically, from the regulation:-

For the purposes of this Regulation:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Things like IP addresses can sometimes be construed as personal data, particularly when other data is aggregated. An IP address by itself would not necessarily be classed as personal data.

Similarly, I doubt that merchants can identify a natural person by an avatar name even along with an IP address.

LL on the other hand clearly have a much better opportunity where they have payment info on file but as far as I read GDPR, if a data subject cannot be tied to a natural person, then it seems a bit of a leap to suggest that a list of unidentifiable pseudonyms somehow constitutes personal data, when there are no natural persons who can be identified.

Seek your own legal advice though, there are plenty of opinions and "experts" out there offering consultancy before any of this is even tested in court.

Basically, it's all a bit of a minefield and going to be a fun ride.

  • Like 4
  • Thanks 1

Share this post


Link to post
Share on other sites

Avatar names and UUID's etc are already fairly anonymous for anyone outside of LL.  For example I can save your UUID or avatar name, but only LL can connect that information to an actual person.

I would think that unless you are collecting email addresses or some other real world point of contact information, aren't rolling your own out-of-sl data services, you shouldn't have to worry about this in connection with your SL business. Compliance is entirely on LL and those providing supporting businesses Casper (etc) and as such your choice is to trust them to get it right, or switch to another supplier .. which obviously isn't applicable.

Do : Sensible stuff like making sure your marketing is fully opt-in, don't blindly spam, don't store usernames outside of SL (which with name changes approaching are going to be junk data anyway), and if you do store other data out of SL be able to dump a copy or delete it for anyone who asks, have a Privacy policy. All of this is just good practice really and you should be doing it anyway.

Don't : Panic.

The size of the fine (20 million euro!!) makes is instantly apparent who this legislation is aimed at. There is zero realistic chance that an individual running a hobby business in a video-game (as perceived by those outside SL) will be in any position to feel the full weight of the EU courts, nor would they waste time and money attempting to bring a case. Technically you are covered .. but lets just be realistic.

The main upshot of this is that Casper isn't intending to shut up shop anytime soon, which following recent news from Hippo and E2V is certainly welcome news.

  • Like 4
  • Thanks 1

Share this post


Link to post
Share on other sites

I can't identify a data subject from a marketplace receipt.

Avatar, date time, product, L$.

Where's the data that relates to a naturally identifiable person that a merchant can use?

  • Like 3
  • Thanks 1

Share this post


Link to post
Share on other sites
57 minutes ago, Sassy Romano said:

I would suggest that Casper's text is somewhat too broad. Specifically, from the regulation:-

For the purposes of this Regulation:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

I think so too. That seems quite clear to me.

An avatar is not a NATURAL PERSON in any sense of the term. So, as far as merchants are concerned, they are completely shielded.

The Lab have access to account holder's identification and I am sure they will protect this in line with European Laws, but as far as avatars, Avatars are just bunches of pixels, they have no rights under law.

  • Thanks 1

Share this post


Link to post
Share on other sites
6 hours ago, Sassy Romano said:

I can't identify a data subject from a marketplace receipt.

Avatar, date time, product, L$.

Where's the data that relates to a naturally identifiable person that a merchant can use?

you can pay also without L$ at MP, that perhaps is giving more personal details?

  • Thanks 1

Share this post


Link to post
Share on other sites

To LL yes, to you .. no. You don't get to see a users payment identity if they use paypal at the checkout for example.

Although why anyone would is crazy once you factor in all the charges, seriously, if you do this .. STHAP !! BUY L$ IN ADVANCE !!

  • Like 1
  • Thanks 1
  • Haha 1

Share this post


Link to post
Share on other sites

The EU is overstepping their boudaries if you ask me. I run a company(both in SL and out) based and hosted in the US. People from the EU can access it because I don't block access based off country(except China and Russia, which get requests blocked based off an AI's suspicion level. I don't mind good users from China or Russia, it's the script kiddies probing my servers I don't want) because im lazy I'm not going to put code that I don't want into my software. If someone access my site or services, they do so under the US state of Kentucky law.

If the EU gets angry at me for doing stuff according to my law, then they can try sue me. I'd like to see them try and get past my freedom eagles.

Edited by Chaser Zaks
Clarence the clarification clam wanted me to clarify something
  • Thanks 1

Share this post


Link to post
Share on other sites

If your business is operating internationally, you can expect to be the subject of international laws. The Kentucky freedom eagles, they do nothing.

  • Thanks 1

Share this post


Link to post
Share on other sites
1 hour ago, Chaser Zaks said:

If the EU gets angry at me for doing stuff according to my law, then they can try sue me. I'd like to see them try and get past my freedom eagles.

we'll send Juncker to you... ( put a few bottles booz in the fridge and he'll kiss you

 

  • Haha 2

Share this post


Link to post
Share on other sites

The first question anyone needs to ask, to my mind, is whether they hold "personal data" about their customers.   

What, you may ask, is (are? I am old enough to have learned Latin at school) "personal data"?  

Quote

What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address

https://www.eugdpr.org/gdpr-faqs.html

It's arguable whether people's usernames/uuids can be used to identify anyone -- yes, they are tied to individuals, but the only people who can connect the username to the individual who owns the account are LL, who keep this information secure.

Even if we assume that usernames/uuids do constitute "personal data," this doesn't mean it's illegal to have this information on file for your legitimate business purposes -- accounting records and customer service.   It just means you have to keep the information secure and confidential, and you can't share it with other people or otherwise use it for purposes for which it wasn't collected.

The main change, as I understand it, is that the jurisdiction of existing European data protection law has been extended to cover all businesses with EU customers rather than businesses whose data was stored and/or managed in the EU.    Though, as @Chaser Zaks suggests, it might be difficult to enforce that, even were the data commissioner minded to, on businesses that have no EU presence at all.

However, my point is that all EU nationals who have SL businesses (including me) have been subject to very similar regulations for years,  and I've never heard of it affecting any of us.  I really don't think it's worth anyone losing any sleep over unless they're planning to do things that are clearly against LL's privacy policy anyway. 

Detailed guidance in English on the new regulations can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new/

Edited by Innula Zenovka
  • Like 2

Share this post


Link to post
Share on other sites

It's going to be a complete hoot, I know i've got knives out for a handful of select companies from whom i'll be extracting my pound of flesh!

This is good: Companies being required to respond about the data which is held about a data subject at no charge. Presently there's provision for an admin fee to find out what data is held in DPA, superceded by GDPR removes this charge.

This is not: Best of all and frankly the most ridiculous is that a data subject can have a passing conversation with a toilet cleaner, a canteen worker, a pond cleaner etc. and say "please remove all my data" and that can form a perfectly legitimate request for fully qualified action on the part of the organisation and it must be actioned within 30 days or they would have to justify the delay.  There's no prescribed standard phrase, no requirement to do it in writing and no requirement to request it of a specific part or person/office within the organisation.  An absolutely reckless bit of legislation and they'll wonder why this cause headaches and problems.

Edited by Sassy Romano

Share this post


Link to post
Share on other sites
15 hours ago, CoffeeDujour said:

If your business is operating internationally, you can expect to be the subject of international laws. The Kentucky freedom eagles, they do nothing.

But EU law isn't 'international law' in the normal understanding of that phrase. It's only international aspect is within the nations that constitute the EU. Other nations may have their own laws that say that their people must comply with this or that, but, unless they do, EU laws don't apply to them.

Edited by Phil Deakins

Share this post


Link to post
Share on other sites
5 minutes ago, Phil Deakins said:

But EU law isn't 'international law' in the normal unstanding of that phrase.

This law covers the rights of it's citizens against companies world wide. If the foreign - let's say American - company wishes to have any EU customers then it needs to fully abide by those laws. If the company can't or won't abide by them, then they can't have European customers.

This is a local law that is applied internationally, not through the courts, but through trade and commercial sanctions.

As a non-European example, American companies (like Valve, Microsoft, Apple, Google, and so on) selling into Australia must abide by our countries very strong consumer protections. Valve which is an American company with no base in Australia was prosecuted under Australian law for failing to give refunds. They lost and were fined AU$3Million

Quote

 

Valve argued it technically didn't conduct business in Australia, therefore Australian Consumer Law did not apply to Valve and the games it sold through the Steam client.

The Federal Court did not agree with those claims.

 

https://www.kotaku.com.au/2016/03/why-valve-was-found-guilty-of-breaching-australian-consumer-law/

 

These are laws, enforced internationally through trade. The company can say nope, but they will then lose the right to sell into that territory, and if it's an egregious case, there could also be diplomatic pressure applied.

That diplomatic pressure could be written into Free Trade Agreements.

Share this post


Link to post
Share on other sites

That's different, Callum. A country can't make foreign companies comply with their laws, but they can impose sanctions against foreign companies that don't. That's pretty much what you said, as I understood it.

It's the same with European VAT. LL collects it from we europeans on behalf of the EU, but they don't have to if they no longer have any offices in the EU. No country, and no company, is subject to the laws of other countries. LL is not subject to foreign laws, unless their own law says that they are. However, there is a tendancy to comply with certain laws of other countries, because it make the whole thing work quite smoothly in both directions.

So getting back to what I wrote, EU law in not 'international law' in the way that that phrase is usually meant :)

Share this post


Link to post
Share on other sites
29 minutes ago, Phil Deakins said:

A country can't make foreign companies comply with their laws, but they can impose sanctions against foreign companies that don't. That's pretty much what you said, as I understood it.

They can block websites if they have control of their internet.

Share this post


Link to post
Share on other sites
3 hours ago, Phil Deakins said:

So getting back to what I wrote, EU law in not 'international law' in the way that that phrase is usually meant :)

You fell into the trap of being overly pedantic.

  • Like 3

Share this post


Link to post
Share on other sites
11 minutes ago, CoffeeDujour said:

You fell into the trap of being overly pedantic.

Phil wouldn't be Phil if he wasn't overly pedantic around here. 

:D

  • Like 3

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...