Strategies for GDPR Compliance in Gaming: Adopting the All-EU Storage and Processing Approach

Written by Jerry Wong

Introduction

At GGWP, we offer tailored solutions for organizations, including those opting to retain their data entirely within the European Union (EU). Our architectural approach is meticulously designed to guarantee full adherence to regional data protection laws. This commitment provides a secure foundation for the responsible management of user data amidst the complexities of international data transfer frameworks.

Data Privacy Perspectives and Industry Trends

In today’s digital age, the secure management and storage of user data are crucial, especially with the increase in global regulatory scrutiny. This is particularly true in the face of intensifying regulatory oversight globally. As a provider of video game moderation services, we have keenly observed and identified several pivotal trends in data management within the EU.

Is Gaming Data Personal Data?

A common area of confusion involves recognizing text chat or player report data as user data. Overlooking this can result in data protection measures that fall short of regulatory standards. However, if user chat and report data are stripped of personally identifiable information (PII) and usernames are anonymized, they might not be classified as personal information. Opting against self-certification for data transfer, not setting up infrastructure in multiple regions, or failing to anonymize data is often seen as a justified, risk-based decision due to compliance costs and efforts.

Is Data Localization of Game Data Required?

Considering game data as personal data necessitates keeping EU citizens’ information within the region, unless compliance with the Data Privacy Framework (DPF) is achieved under GDPR. Despite the push for data localization, a trend towards data centralization is noticeable, sometimes overlooking the specific requirements of regional data protection laws. The costs and operational challenges of multi-regional data infrastructure may lead some companies to centralize data as a pragmatic solution.

With the EU-U.S. Data Privacy Framework’s introduction on July 10, 2023, there’s now a compliant pathway for transferring personal data from the EU to the United States. This framework addresses previous shortcomings, offering enhanced data protection for EU citizens and a solid basis for transatlantic data transfers. Nevertheless, the complexity of self-certification poses significant challenges for many organizations.

What About Content Moderator Access?

Access to EU data by internal player support teams or through Business Process Outsourcing (BPO) for moderation can risk GDPR compliance if such data is accessed from outside the EU. Ensuring that all data processing, including access by contractors, complies with GDPR, regardless of location, is crucial. Adhering to these requirements by restricting access to EU-based teams incurs additional costs.

Keeping All Data in the EU

Despite new frameworks like the EU-U.S. Data Privacy Framework, many platforms prefer to exclusively store their data within the EU, driven by desires for simplicity, reduced legal complexity, and assured data protection compliance. This approach, while beneficial for developers with a predominantly EU player base, can introduce challenges like increased latency for global games or the risk of contravening laws in other jurisdictions. Navigating these regulatory demands becomes increasingly complex as each data center must effectively operate in isolation.

Our Approach

As a service provider, our approach is to best support our customers game and platform owners in appropriately managing and storing their data.  To support an all EU option, we have designed a comprehensive solution that ensures complete isolation of customer data within the EU, both in the ingestion and retrieval of the data. Our platform is built on a major cloud provider’s infrastructure, leveraging the capabilities of various services to achieve this isolation. For data ingestion, we have implemented a dedicated virtual network within the EU region, with strict network access controls and encryption to ensure that all incoming data is confined within the EU boundaries. This virtual network is further segmented into separate subnets, creating a fully isolated environment for data processing through each machine learning model hosted in this isolated virtual network within the EU boundaries. For data retrieval, we have implemented a similar approach, with each customer’s data stored in a dedicated data storage service within the EU region. These storage areas are accessible only through a set of custom-built API services, which enforce strict access control and data encryption policies. This ensures that customer data can only be accessed and retrieved by authorized parties, and that the data remains confined within the EU. All data stored within our platform is encrypted at rest and in transit, using industry-standard encryption algorithms and key management practices. By offering this fully isolated, EU-based solution, we are committed to providing our customers with the highest levels of data privacy and security, while enabling them to leverage the power of our platform to deliver exceptional game moderation to their end-users.

This article is intended for informational purposes only and should not be construed as legal advice. The content provided herein is based on research and general knowledge about the General Data Protection Regulation (GDPR) and its implications for the gaming industry. It is not a substitute for professional legal counsel.


About Jerry Wong

Jerry Wong
Jerry Wong – LinkedIn

Jerry is the Head of DevOps at GGWP