Doubt about the GDPR law and scripts accessing external databases.

[JJValero Writer]

My doubt is a bit difficult to formulate. First I need to explain which point of the GDPR is the one that confuses me.

GDPR is a European law that prohibits having personal data of users if it is not strictly necessary to maintain this data and requires that they have a strong security so that they do not fall into the wrong hands. Also, there has to be a mechanism whereby any user can request from the company that maintains the database what they know about him. This law not only affects European companies but also companies from outside Europe that have European users. It seems that they are a bit strict and consider personal data such things as IP address and user names.

Initially if a script, for example a voting system or a visitor counter stores names within that script, it would not be breaking that law because the data never comes out of SecondLife.

I remember that a few years ago there was a freebie visit counter that used an external database to remind visitors when was the last visit. I also remember external Name2Key databases to get the UUID of a secondlife user from their name. There are also collective ban systems in such a way that if a user is banned from an island it is also banned from all other islands that use that system. There were also avatars lists to avoid content theft through xploits. For example when anyone wear a stolen copy of QHUD it shouts "This HUD is stolen" and the name of avatar is added in a database.

Those type of external database could be breaching the GDPR, although not necessarily, because it maintains a database with personal data. Apart from that, they should implement a mechanism in such a way that a user can request their personal data and even their deletion.

My question is if instead of storing user names, I do a digest using an algorithm such as MD5 or SHA256 could be enough to avoid falling into illegality. Algorithms such as MD256 create a summary of the data provided. and it is not possible to retrieve the data provided from that summary. According to that, the database would be anonymous so it would be complying with the law.

However, in the event that the database is stolen by a hacker, anyone knowing a name could apply the same algorithm and retrieve private data from a user. This is the reason for my doubt.

Is SHA256 enough?

 

[Fionalein]

IMHO the GDPR does not care if you can identify the RL person behind an avatar. Said avatar is identified as recurring reidentifiable individual by it's name...

[Tari Landar]

Do those databases use AVATAR identifiable information, or personal HUMAN identifiable information?

I think that is where the differences come into play, and where questions, or a question, must be asked. Though I won't pretend to know much at all about GDPR, let alone individual interpretations of it, I do believe the fact that AVATAR information is not always(or even mostly) actually able to be connected to HUMAN personally identifiable information, plays a massive role in why some things are not considered violations. It is entirely possible that some avatar information can be linked to a real life identity, but it's even more possible(factual even) that most cannot, and that it is beyond super easy to circumvent methods that DO link avatar identities with real human identities. Does the GDPR recognize avatars, or characters, or whatever other term people might like to use, as real life identities? (that's actually a serious question, because I don't know)

And I could also be entirely way off base...but that's what I understand of it (little as it may be). 

[Tari Landar]

1 hour ago, JJValero Writer said:

I also remember external Name2Key databases to get the UUID of a secondlife user from their name.

 

Sorry i wanted to add something here....an avatar's UUID is public information, you don't even need a database to get that information. It's no more a private bit of information than your avatar's name, and I don't believe it ever has been, nor was ever intended to be.  

[Callum Meriman]

My legal advice, hundreds of AU$ paid to a real lawyer was... Game characters are not covered under GDPR

The responsibility comes to the Lab.

 

Edit: You should of course do the same thing, pay a lawyer and get your own advice. Lawyers love to make money and they are far more certain then forum dwellers - who fall into two camps, both certain they are correct.

 

Edited September 14, 2018 by Callum Meriman

[Madelaine McMasters]

6 minutes ago, Callum Meriman said:

forum dwellers - who fall into two camps

I love falling into camps, dance parties, hammocks... anything with green dots.

[Bradford Mint]

@JJValero Writer

You appear to have completely misunderstood what GDPR is and what it is not.

Nowhere does it state that holding a database with personal information is illegal!

Quite the opposite in fact, especially where it's for personal use as one example.

GDPR applies to how the data is protected and what the lawful reasons for holding it are and also rights of the data subject.

Shame the other long thread got deleted, looks like we need to buckle up and go for the same ride.

[Lindal Kidd]

Doesn't matter.  An avatar display name, user name, and UUID are not "personal information." 

[Fionalein]

9 minutes ago, Lindal Kidd said:

Doesn't matter.  An avatar display name, user name, and UUID are not "personal information." 

I repeat from deleted thread...

Caspertech sees that different, and I bet Casper payed internet lawyers for their insights as well...

https://blog.caspertech.co.uk/gdpr-is-coming-and-it-affects-you/

 

Edited September 14, 2018 by Fionalein

[Bradford Mint]

I repeat from the deleted thread...

Casper got it wrong!

[Callum Meriman]

Some of Casper's (rental) vendors deal with PayPal too don't they?

In those cases he most certainly needs to be careful, he has financial information linked to avatars.

The rest of us, are not dealing with this in real life terms, real life is nowhere near our game characters.

[ellestones]

@JJValero Writer

if what you are doing is critical to your RL income then do the same as Casper - err on the side of caution

while we can obtain a legal opinion from a lawyer, that opinion is not the law. The only legal opinion that truly matters is that of the GDPR enforcement agency. It is the agency which initiates legal proceedings that can hurt our RL income badly should the legal opinion we obtained independently turn out to be false

about caution

personally I would not try to end run the legislation if my RL was dependent on an SL business activity

is trival to create a GDPR-compliant LSL script and stick it in a prim at our inworld location

all the script has to do is llRegionSayTo() "Yes" or "No" when a avatar clicks on it

"No" we store nothing about you

"Yes" we have your avatar key, name, ... other details ...
We have your information for these business reasons...

and done

if we don't think or care that any of this matters to our RL income then can go with any opinion, scheme or non-business process, including doing nothing 

[ellestones]

1 hour ago, Callum Meriman said:

The rest of us, are not dealing with this in real life terms, real life is nowhere near our game characters.

picking up on this

if we are deriving a real world benefit from our SL business activities then I think its a little bit more than a matter of game character relationships. A real world benefit is the USD we can get from converting L$. If we are not converting L$ to USD then yes the game character scenario probably applies

[Ana Stubbs]

Without wanting to rehash the deleted thread, my interpretation broadly agrees with Casper's. Like him, I deal with sensitive information (special category data, in my case), so I am erring on the side of caution. I do also hold actual personal details that are undeniably within the scope of GDPR.

I do know that, once you have decided something might be personal data, making it anonymous is not easy. I think you would be better off asking elsewhere, as it isn't an SL-specific problem.

My suspicion is that you are correct, and hashing is insufficient. I anonymised some survey results by removing direct identifiers, separating out the responses to each question and scrambling the order, so that noone could build up a profile of information on any individual respondent.

 

If the process is reversible at all, even with extra information, it's not anonymised for GDPR purposes.

[bigmoe Whitfield]

as I said before, I'm not collecting your real information and only collecting, sale amount, what sim you rezzed it in (to apply a id number) and the avatar key (which is public information)  so that's that.

[Fionalein]

9 hours ago, Callum Meriman said:

My legal advice, hundreds of AU$ paid to a real lawyer was... Game characters are not covered under GDPR...

SIlly question: does your Lawyer fully to all extents understand what SL is? Even more than Minecraft  SL is so much more than a "game". You cannot derive person preferences from a MMORPG character's actions as in Warcraft, in SL however that's easy, you shoudl have asked him if your storing your Amazon handle without knowing the real person behind it would be OK instead... might be he would have answered different than for "a game".

Edited September 15, 2018 by Fionalein

[Callum Meriman]

23 minutes ago, Fionalein said:

SIlly question: does your Lawyer fully to all extents understand what SL is? 

Yep, I am pretty happy with the advice. Storing an amazon handle is tied to financial data. People entering a region... meh. 

 

Edited September 15, 2018 by Callum Meriman

[Phil Deakins]

12 hours ago, JJValero Writer said:

This law not only affects European companies but also companies from outside Europe that have European users.

You are mistaken. The law might say that, I don't know, but EU laws do not apply to countries outside the EU. For instance, the USA cannot make a law that we here in Britain have to abide by. What a country can do is make a law that applies to outside companies IF they have a presence in the country. Foreign customers/users are not a presence. An office in the country is a presence.

Edited September 15, 2018 by Phil Deakins

[Callum Meriman]

It's Déjà vu all over again

Why was the other thread deleted?

[Bradford Mint]

8 hours ago, ellestones said:

@JJValero Writer

while we can obtain a legal opinion from a lawyer, that opinion is not the law. The only legal opinion that truly matters is that of the GDPR enforcement agency.

Actually, just to be somewhat pedantic, the only legal opinion that truly matters is that of the judge with the final say. Meaning that the opinion of the first judge doesn't count if it goes to appeal.

This is kinda highlighted at the moment by a recent case where the UK Electoral Commission had a legal opinion which the judge ruled against.

https://www.bbc.co.uk/news/uk-politics-45519676

[Phil Deakins]

I didn't even know it had been deleted until I read the posts in this thread.

[Bradford Mint]

2 minutes ago, Callum Meriman said:

It's Déjà vu all over again

Why was the other thread deleted?

Because not everyone in the forums is a Rhinoceros

[Callum Meriman]

 

[ellestones]

55 minutes ago, Bradford Mint said:

Actually, just to be somewhat pedantic, the only legal opinion that truly matters is that of the judge with the final say. Meaning that the opinion of the first judge doesn't count if it goes to appeal.

This is kinda highlighted at the moment by a recent case where the UK Electoral Commission had a legal opinion which the judge ruled against.

https://www.bbc.co.uk/news/uk-politics-45519676

true that the courts have the final say. What ruins our RL is the fact that we have been prosecuted. A prosecution brought by the enforcement agency according to their legal opinion. We may eventually be vindicated by the courts, assuming that the enforcement agency doesn't appeal the rulings all the way to the end

personally I wouldn't gamble on any of this if my RL income was at stake. Not when compliance is a simple LSL script away. We can always get all philosophical tho when we have little to zero at stake, or when is some other person's money we are philosophically gambling with

some people on here have thought about what this might mean for them, and have just gone meh! Which I think is a pretty good response, philosophically speaking

 

[Bradford Mint]

So just to put some of this into perspective of what's perceived to be a problem and the likely outcome, i'll share some recent fun around some requests for personal data from large, highly "credible" organisations (I use that term loosely depending on your point of view but each of them is a well known organisation.  I'll keep them brief but you'll see where this goes:-

A previous employer - "we don't hold any personal data beyond 7 years". I pushed hard and magically they came back with my employment details, entire record and banking details from over 10 years ago. I asked them to delete it all as they had no lawful need to keep it. Ah bit of a problem there because it's all archived in the same dataset as others and they can't delete individual records (write only media).  What am I going to do, cry boohoo to the Information Commissioner?

A parking provider - "we have no data". I pushed on this one, they  magically came back with a bunch of data, CCTV, locations of vehicles etc.  "Delete it all" I said, it's of no use to you.  They said they had. I asked for proof, they said they didn't need to provide any.  What am I going to do, cry boohoo to the Information Commissioner? Besides, i'll be back in those car parks and the cars will be recorded again so back to square one.

An insurance provider - These guys were really good, 8/10 on the GDPR SAR response scale, immediately understood my deliberately vague request, came back with all the data.  "Delete it all" I said, I have no contract with you anymore and haven't had for 3 years. They said "no way, we're keeping it for 8 years just in case!". What am I going to do, cry boohoo to the Information Commissioner?

A major airline - Hopeless, 2 hours trying to get an agent in a call centre to first of all understand that they really do have databases other than the flight booking one. Eventually, I got the data haul by going through obtuse channels but it was late, far beyond the 30 days they're permitted.  What I am going to do, cry boohoo to the Information Commissioner?  In this case they said that the I.C. was already aware but then they were rather busy as they had already had to fess up to a breach of 380,000 customers credit card details a week ago.

In perspective, given the above, lets just consider for one moment the likely response from the Information Commissioner when presented with the following:-

Complainant: *sobs* "I think someone who I don't know, in a game, just might have logged my avatar name and public UUID and *sniffs* it's not fair, I want something done!"

Information Commissioner to their office buddy: "Bob, pass me the "Petty Complaints" file again would you please?" and responds back "thanks for your report" *closes file*

Now i'm not suggesting that the issue isn't potentially genuine but in terms of traction with regard to potential penalties, most of these concerns are up there with complaints to the police about people in the street looking at them in a strange way.

Now, on the other hand, if said database holds SL AND RL data and sensitive PII pertaining to religous and sexual traits which is then breached and releases the entire SL database to the internet, that may get more than a raised eyebrow.

But....then if the database is only for personal use, it falls outside the remit of GDPR anyway so *slam dunk* end of thread.

Thanks, you're welcome!