Data privacy in E-Sports and online gaming

–Vidushpat Singhania & Kartikeya Prasad

New age technological inventions like virtual reality, Facebook’s Metaverse, blockchain, Non-Fungible Tokens and online games are now widely consumed and are known in common parlance. Game developers are using these technologies to give gamers a more enhanced playing experience. The gaming industry of India has experienced an exponential growth and is expected to reach a gross turnover of $8.6 billion by the year 2027.

The rise of the gaming industry comes with its regulatory challenges, with privacy being a key issue. Personal data like a user’s name, email address, debit/credit card details, phone numbers, etc. are being processed by the gaming companies. However, their use of digital data lacks transparency.

Data Privacy in the Esports and Online Gaming Sector

Per our understanding, an intermediary under Section 2(1)(w) of the Information Technology Act 2000 (“IT Act”), would include gaming platforms as they store, transmit, and receive the data of the users. Furthermore, Section 72A of the IT Act provides punishment for disclosure of information in a breach of lawful contract. This provision can help fix the liability of third-person parties in esports tournaments and activities, however the issue of whether interest of minors and sale of personal information has been addressed in such a contract remains to be determined.

Gaming platforms are duty bound to process the players’ data safely. This duty of protecting personal data of players has been duly recognised in international jurisdictions. Particularly, in the celebrated case of United States of America v. Epic Games, an e-sport company was penalised by the Federal Trade Commission (“FTC”) for violating data protection laws.  A hefty fine of $520 million was levied upon Epic Games Inc. to settle a FTC case for deliberate breach of children’s privacy while playing their popular game, Fortnite. The FTC held that Epic Games used deceptive interfaces and privacy-invasive default settings that tricked young gamers into shelling out an amount to the tune of $245 million! Additionally, Epic Games was also fined for collecting personal data of minor Fortnite players who were below 13 years of age without their parental consent.

India, too, has taken data privacy in games seriously.  In July 2022, the Central Government banned Battle Ground Mobile India (“BGMI”). BGMI was found to be indulging in data malpractices by gaining personal information without consent. The information was later being transferred to servers located outside India in an unauthorized manner. The compilation of personal data of BGMI users and its mining posed a threat to the security of India. While BGMI was banned, the Central Government refrained from levying a financial penalty upon the makers of BGMI.

A look at the data privacy regulations curated for E-Sports and Online Gaming of some of the countries brings forth the following:

  • China has very rigid regulations and guidelines when it comes to online gaming. In March 2022, China released draft rules titled “Regulations on the Online Protection of Minors” with the main aim being the protection of minors and youth from internet addiction which also includes playing online games. The draft rules include several stringent and arbitrary guidelines. Some of the key rules are limiting the number of hours a child can play video games in a single day and calling upon tech companies (including game-developers) to terminate the services to minor users who are found liable for giving fake credentials etc. Whereas it appears that these rules have been promulgated by the Chinese government for the primary purpose of protection of minors’ data and might possibly lead to better mental orientation for minors, one cannot help but wonder that these rules have depicted online gaming in a bad light.
  • The European Union has enacted a very comprehensive legislative framework for dealing with privacy and data protection concerns. This framework, termed as General Data Protection Regulation 2016, relies heavily on consent of the consumer or the consumer’s guardians (in case of the consumer being aged below 16 years) for providing their personal data to the gaming companies, while also barring use of this information for commercial purposes.
  • In the United States of America, there are various legislations that govern privacy on the internet. For online gaming companies, the Entertainment Software Rating Board’s “Privacy Certified” program ensures that game companies are complying with privacy laws and regulations by assessing the privacy risks associated with them. To protect the privacy of children, the USA has enacted a separate legislation called, “The Children’s Online Privacy Protection Act, 2013”. As per this Act, online services collecting, sharing, and processing personal information about children below 13 years of age are required to obtain parental consent and follow data handling requirements.
  • So far as India is concerned, the Ministry of Electronics and Information Technology (“MeitY”) notified the draft rules for online gaming for public consultation, titled the “Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023” (“draft IT (Amendment) Rules 2023”). The draft rules have defined an ‘online gaming intermediary’ as a platform which hosts one or more online games. The rules have introduced due diligence requirements which require a gaming intermediary to follow Know-Your-Customer (KYC) procedures to be followed for the registration of the accounts of the user. Additionally, the rules mandate the establishment of self-regulatory bodies to register such platforms. The proposed registration framework would require the intermediaries to have a mechanism for safeguarding children, and users against financial frauds. It requires a mechanism to safeguard its users from gaming addiction. Parallelly, the Government of India has also prepared the draft Digital Personal Data Protection Bill, 2022 since the previous Data Protection Bill, 2019 was withdrawn. The Digital Personal Data Protection Bill of 2022 seeks to addresses some of the important concerns for online gamers such as cross border data transfer, liability in case of personal data breach, and processing of children’s data.

Conclusion

The Indian e-sports market is precariously positioned. With the growth of smartphone usage and availability of cheap data, mobile gaming or availability of e-sports  on mobile phones is likely to grow at an exponential pace. However, while mobile based e-sports may offer an induction to users into the world of e-sports, professionals who seek to finesse their skills and eventually dream of representing India will need to move to console or PC-based gaming.

Therefore, rules will not only be required to be framed to protect the minors and the information provided by the gamers in the online gaming sphere, but also to protect the information secured by organizers of the arena-based e-sports events. Both, the draft IT (Amendment) Rules 2023 and the Digital Personal Data Protection Bill 2022 are yet to be promulgated. Thus, there is a need for an advisory, similar to the advisory issued by Telecom Regulatory Authority of India, for protecting the personal data of e-sports players’ while taking into account its nuances.

 

Vidushpat Singhania (Managing Partner, Krida Legal)

Kartikeya Prasad (Associate, Krida Legal)

Leave a Reply

Your email address will not be published. Required fields are marked *