Data PrivacyData Privacy Laws: Implications for the Online Gaming Industry

INTRODUCTION

Online gaming allows players to connect, collaborate, and play despite their different physical locations through the use of the Internet. They could be accessed through mobile phones or laptops. This industry has wide gaming prospects. The mobile gaming industry is likely to witness a revenue growth from USD 1.5 billion in 2020 to USD 5 billion by 2025 as per the reports. In today’s era where the online gaming industry is more social and lucrative than ever, the data provided by the players need protection through proper regulations.

Online gaming platforms of all kinds can create, release, and promote games with the help of cutting-edge development expertise, marketing, and platform options. The industry’s evolution has the potential to be very profitable, but it also entails more legal scrutiny. The player data provided when registering for an online game needs to be regulated.

In the gaming industry, gamers will be data principals, and data fiduciaries are the gaming businesses that gather data. The law establishes general requirements, some of which have been developed through collaboration, such as consent, purpose limitation, and data reduction. The requirements will cover any information about a person that can be identified by, or in connection with, such information in digital form, as well as any personal information that may eventually be converted to digital form.

DATA PRIVACY CONCERNS IN ONLINE GAMING

The online gaming applications or websites are prone to cyber-attacks. This can result in infringement of user’s privacy and thus, violation of the data privacy because of the theft of user’s personal and financial information.

When it comes to online gaming, they are dealing with personal data of various kinds. Players may put in data that expose personally identifiable information about themselves and other players, depending on the type of game. Online gaming platforms then handle these data in the course of their business operations.

A cybercriminal can make a lot of money by only taking a player’s login information. A straightforward Google search string consisting of the title of a well-known game plus the words “cheats” or “hacks” may provide a variety of results, some of which are highly search-optimized websites meant to entice users to click on advertisements, complete surveys, or download potentially harmful files.

By creating a phishing website or hacking tool that requests a player’s credentials, hackers could gain access to a player’s account. These techniques ultimately result in access to a player’s account.

The amount of gamers worldwide have made the gaming business one of the fastest-growing on the planet owing to the availability of many platforms, including portable devices, smartphones, tablets, and personal computers and consoles. Because of its scale and popularity, the gaming industry as a whole, as well as individual players, are prime targets for cybercriminals who view the gaming industry as a platform for malware distribution, user data theft, and invasion of privacy.

Players are typically unaware of the access and information that the games have on their social media accounts when they are linked to them. Users may link to or log in with their social network accounts in certain well-known games, however these games might not disclose the information that is gathered when this kind of integration occurs. Privacy rules frequently use legalese to conceal the data processing activities of gaming companies.

REGULATORY FRAMEWORK

Entry 34, List II of the Constitution of India grants the States sole authority to regulate betting and gambling in India. As a result, no specific legislation governs the gambling industry, and this also holds true for online gaming. However, with the amendments to the Information Technology Act of 2000 and the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules of 2021, the Central Government has also recently put specific obligations on online gaming platforms.

Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023

On April 6, 2023, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules of 2023 that amended the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 was notified by the Ministry of Electronics Information and Technology (hereinafter referred to as “MeitY”)  in the official gazette for the purpose of regulating online gaming in India.

Rule 2 (1) (qa) of the said Rules defines online gaming as “a game that is offered on the Internet and is accessible by a user through a computer resource or an intermediary”. Subsequently, Rule 2 (qb) defines online gaming intermediary as “any intermediary that enables the users of its computer resource to access one or more online games”.

Furthermore, Rule 3 talks about due diligence by an online gaming intermediary. The intermediary is required to provide users with information about its rules, regulations, privacy policy, and user agreement in either English or any other language designated in the Eighth Schedule to the Constitution.

It needs to take reasonable steps to ensure that users of its computer resources do not host, display, upload, modify, publish, transmit, store, update, or share any information that violates the right to privacy of others or is obscene or pornographic. The name of the Grievance Officer, his contact information, and the method by which a user or victim may file a complaint on a breach of this Rule’s provisions must be clearly displayed by the intermediary on its website, mobile application, or both, as the case may be. The Grievance Officer is responsible for acknowledging the complaints within twenty-four hours of receiving them and resolving the same within fifteen days from the date of receipt.

Within thirty days of receiving communication from the Grievance Officer, anyone who feels wronged by a decision made by the Grievance Officer or whose grievance is not resolved within the specified period of time may file an appeal with the Grievance Appellate Committee. The intermediary or online gaming self-regulatory body in question shall comply with all orders passed by the Grievance Appellate Committee, as applicable, and a report to that effect shall be uploaded on its website.

Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDPA”) has been notified but it has not come into force yet. However, once enforced, the sectors pertaining to personal data processing need to comply with its provisions. Similar to the EU’s General Data Protection Regulation (hereinafter referred to as “GDPR“), the Central Government is probably going to grant the industry some time to adjust to the Act’s requirements. The DPDPA’s provisions and principles is now expected to be complied with in all fields of personal data processing.

The DPDPA is likely to classify gaming intermediaries and platforms that onboard users for gaming services and decide how and why user data is processed as “Data Fiduciaries,” whereas those that process user data under the former’s supervision or command like cloud gaming service providers, payment processors, analytics, or support service providers as “Data Processors.”

Under the DPDPA, all digital data collection will adhere to the data minimization principle, and entities may only gather the minimal amount of personal data required to fulfil their intended purpose.

Subsequently, data fiduciaries that would include online gaming platforms must process personal data for a specific purpose and, with very few exceptions, only with consent or for certain legitimate uses. When it comes to obtaining consent from the players, then under the DPDPA, it is required to be free, specific, and unambiguous. There needs to be affirmative action on the part of the users. The onus of proving these requirements is on the data fiduciary that is, the online gaming platforms.

One of the basis for lawful data processing under the DPDPA is the online gaming platform’s or its designated third party’s legitimate purposes. In order for online gaming platforms to rely on this legal basis, the amount of processed data must be proportionate to the interests of the data subjects and must not exceed what is strictly necessary for achieving the legitimate interest. Keeping user correspondence for quality control, gathering meta-data to strengthen server defences, and measuring in-game function for product development are a few instances of acceptable uses.

Under the DPDPA a data principal has the right to withdraw his or her consent as well. Users of online gaming platforms will have to be afforded the same right and should ideally be able to withdraw their consent as easily as they gave it. It might be necessary for online gaming platforms to implement age-based user separation and restrict targeted advertising and monitoring to users who are of majors.

When it comes to the processing of data of children, requirements associated with processing children’s data remain one of the key considerations for entities in the gaming sector. One of the most important factors to be take into account is the requirements around the processing of children’s data. The DPDPA mandates that before processing the personal data of children who is defined as any individual under the age of eighteen and people with disabilities, the parent or guardian must provide their “verifiable consent.” Furthermore, the processing of children’s data is prohibited in any way that could lead to behavioural monitoring, tracking, targeted advertising, or other negative effects on wellbeing.

Entities in the online gaming industry must realign and rethink their data gathering and processing procedures in light of the DPDPA. While many platforms may already have some implementations in place as standard practices, such as age verification, consent mechanisms, and privacy notifications, these measures may need to be evaluated for adequacy in order to comply with the DPDPA requirement.

AMLEGALS REMARKS

With rising user engagement and expanding investments, the Indian online gaming business has experienced exponential growth. Therefore, a specific legislation of the online gaming industry has been long overdue, particularly in cases where the games involve real money and carry a high risk of cyberbullying, shortcomings in security, inappropriate content, moral dilemmas, cheating and hacking.

In an effort to combat harmful information on social media, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which govern social media intermediaries, were released in February 2021. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023 were notified in light of the growing scope of online gaming. The amendment allows the Government to define terms like “online game,” “permissible online game,” “permissible online real money game,” and “online gaming intermediary.” It also establishes an online gaming self-regulatory body to oversee online gaming.

Furthermore, the DPDPA establishes a thorough framework for India’s data protection laws. This new law respects the right to privacy of individuals to whom personal data belongs and provides a framework for online gaming platforms, game developers, and players for processing of personal data.

– Team AMLEGALS assisted by Ms. Nishtha Garhwal (Intern)