Datatilsynet (Denmark) - 2019-31-2071

From GDPRhub
Revision as of 10:16, 14 February 2023 by Kv (talk | contribs)
Datatilsynet - No. 2019-31-2071
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 15(1) GDPR
Article 15(3) GDPR
Article 15(4) GDPR
Type: Complaint
Outcome: Rejected
Started: 17.07.2019
Decided: 29.08.2022
Published: 09.02.2023
Fine: n/a
Parties: Reto Moto
National Case Number/Name: No. 2019-31-2071
European Case Law Identifier: EDPBI:DK:OSS:D:2022:457
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 GDPR procedure, the Danish DPA determined that a game developer did not have to provide data relating to it's anti-cheat software measures, when it replied to the data subject's access request. The data subject was banned from the game because of cheating allegations.

English Summary

Facts

In this decision, the data subject was accused of cheating in a video game by the provider of this game, Reto Moto ApS (controller), a Danish game developer.

On 30 May 2019, the data subject filed an access request at the controller pursuant to Article 15 GDPR.

On 26 June 2019, the controller replied to the request, almost a month later. The controller wrote in the reply that data about game replay, anti-cheat related information, server logs and in-game chat messages would not be disclosed to the data subject.

On 28 June 2019, the data subject replied to this assessment, stating that the reply was incomplete. According to the data subject, anti-cheat information was usually really private information, since anti-cheat software usually employs techniques that are only used to get an exceptional level of access to the computer. The data subject had no control once the software was installed. The data subject was also of the opinion that personal data regarding this anti cheat software is personal data, and was therefore subject to the GDPR.

On 26 June 2019, the controller confirmed that it had answered to the access request. The controller also confirmed that it did not provide the Game replay data, Server logs, anti-cheat information and In-game chat messages. The controller stated that it did not provide a copy of the game replay data and the server logs because the controller had deleted these before receiving the data subject's access request.

The controller also explained that it did not provide access to the anti-cheat information, because this could harm the controller and other players of the game. The controller explained that this information constituted a technical log with data why the data subject was excluded from the game. The controller also stated that these logs included very few personal data, and stated that the data subject had been provided with the reason for his exclusion and was made aware of the time of the cheating, which was in violation with the controller's rules of the game and it's terms of service. This log also included information about the software used by the data subject to cheat. The controller meant that this did not constitute personal data and was also of the opinion that this information was strictly confidential, since disclosing this information might reveal how players could cheat in the game, which would harm the controller itself and other players of the game.

With regard to the in-game messages, the controller explained that it could only provide the data subject with copies of conversations which directly included the data subject. The controller could not remove personal data of other data subjects in these chats, since these messages contained several different languages that the controller did not understand. According to the controller, these chat messages were also written in jargon, which made it even harder for the controller to understand the proper context of the messages. Due to these factors, the controller stated that it could not guarantee that a copy of in-game messages would not result in the disclosure of personal data of other players. For this reason, the controller was of the opinion that the protection of rights and freedoms of other players outweighed the interest of the data subject in receiving access to personal data.

On 17 July 2019, the data subject filed a complaint about the controller's answer at the DPA. The DPA continued to review the case.

Holding

First, the DPA reprimanded the controller for not providing a copy of in-game chat messages sent directly to - and by the data subject in accordance with Article 15(3) GDPR. There was no legal basis which the controller could have used to deny the data subject this information. The DPA also emphasised that the data subject would already have knowledge about the content of these messages.

Second, the DPA found that the controller was entitled to deny a copy of other in-game chat messages, pursuant to Article 15(4) GDPR. The DPA considered the fact that chats were conducted in different languages and sometimes contained jargon. It could therefore not be ruled out that the controller would disclose information about other data subjects. In addition, other players of the game should be able to rely on a certain degree of confidentiality with regard to messages sent "in the heat of the moment".

Third, the DPA also determined that the controller was entitled to deny a copy of any personal information in relation to anti-cheat measures, pursuant to cf. section 22(1) of the Danish Data Protection Act (DDPA). This provision stated that Article 15 GDPR did not apply if the data subject’s interest in this information was overridden by essential considerations of private interests. The DPA emphasised that this information could reveal how players could cheat the game and the underlying logic, which would harm the controller and other players. The data subject’s interest in obtaining this information was overridden by the controller's interest in not disclosing how it identified cheating.

Lastly, with regard to the server logs and replay data, the DPA did not find any reason to doubt the statements made by the controller, which stated that it had deleted this information before receiving the access request from the data subject.

Comment

It is not entirely clear from the text of the decision itself why this is an Article 60 GDPR decision. It is not clear at which DPA the data subject filed her initial complaint or at what date it was transferred to the Danish DPA, if at all.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

RETO-MOTO ApS
                                                                                                          29 August 2022

                                                                                                          J.No.2019-31-2071

                                                                                                          Doc.no.229180
                                                                                                          Caseworker
                                                                                                          JosefineGrue












Complaint about the right to access
                                                                                                          The Danish Data
                                                                                                          Protection Agency
The Danish Data Protection Agency (DPA) hereby returns to the case where                                  Carl Jacobsens Vej 35

(the complainant) on 17 July 2019 filed a complaint about Reto Moto ApS’ reply to his request             2500Valby
for access.                                                                                               Denmark
                                                                                                          T 3319 3200

                                                                                                          dt@data ilsynet.dk
1. Decision                                                                                               datatilsynet.dk
After a review of the case, the DPA finds grounds for reprimanding Reto Moto for not provid-
                                                                                                          VAT No. 11883729
ing a copy of in-game chat messages sent directly to and from the complainant in accordance
                                                                          1
with Article 15(3) of the General Data Protection Regulation (GDPR) .


However, the DPA finds that Reto Moto was entitled not to provide a copy of other in-game

chat messages, cf. GDPR Article 15(4).


Furthermore, the DPA finds that Reto Moto was entitled not to provide a copy of any personal

information in relation to anti-cheat measures, cf. section 22(1) of the Danish Data Protection
             2
Act (DDPA) .


Below is a detailed examination of the case and an explanation of the DPA’s decision.


2. Statement of the facts

The complainant requested access on 30 May 2019.


Reto Moto replied to the complainant’s request on 26 June 2019. Reto Moto wrote in the reply,

that data about game replay, anti-cheat related information, server logs and in-game chat mes-

sages would not be disclosed to the complainant, as this is property of Reto Moto and/or con-
stitutes trade secrets



On 28 June 2019, the complainant contacted Reto Moto regarding the reply, as the reply in

his opinion was incomplete.








Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with
regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General
Regulation on data protection).
2Law No 502 of 23 May 2018 supplementing the Regulation on the protection of individuals with regard to the processing of
personal data and on the free movement of such data (the Data Protection Act).2.1. Reto Moto’s comments                                                                           Page2of8

Reto Moto has stated that Reto Moto replied to the complainant’s access request on 26 June
2019.


Reto Moto did not provide a copy of the following data:

    •    Game replay data
    •    Anti-cheat related information

    •    Server logs
    •    In-game chat messages


A copy of game replay data and server logs was not provided as Reto Moto had deleted these
before receiving the complainant’s access request.


Reto Moto has stated that when the company received the access request, the company as-

sessed the data subject’s wish to gain access to his personal data and the protection of the
rights or freedoms of other persons, including business secrets and intellectual property rights

of Reto Moto. As a result, Reto Moto did not provide a copy of personal data containing anti-
cheat related information and in-game chat messages.


Reto Moto has explained that anti-cheat information is a sort of a technical log with data ex-

plaining why a given player is excluded from the game. Anti-cheat information contains very
few personal data. In connection with the complainant’s cheating, he was given the reasons

for his exclusion and made aware of the time of the cheating in the game. The anti-cheat
related information that was not disclosed consists of information used to determine whether

a player should be excluded from playing because the player has attempted to cheat in viola-
tion of Reto Moto’s terms of business and the rules of the game. This includes information

about the software used by the user to cheat the game. Reto Moto does not consider this
information to be personal data, as it is software and other technical aspects that are not per-

sonal data in itself, even if it is linked to the complainant. In addition, Reto Moto considers this
information strictly confidential, because disclosure of this information, including the software

type and properties of Reto Moto’s game, might reveal how players can cheat the game and
the underlying logic, which harms Reto Moto and other players.


In regard to in-game chat messages, Reto Moto has explained that this includes messages
that players can exchange with each other during their online games at Reto Moto. Such mes-

sages can be provided in the form of files in which chats are logged.


Reto Moto has not provided copies of these conversations and their content to the complainant
as this will involve disclosure of personal data of other people. Reto Moto cannot remove other

people’s data from in-game chat messages. This is due, among other things, to the fact that
in-game chat messages take place in a multitude of different languages that Reto Moto does

not understand. In-game chat messages are also often written in “jargon”, for example using
national abbreviations for actions, users etc. that Reto Moto does not understand either. In

addition, even where Reto Moto understands in-game chat messages linguistically, there may
be context in the messages that Reto Moto does not understand, which means that the mes-

sages might relate not only to the complainant but also to another player. Thus, Reto Moto
cannot guarantee that a copy of in-game chat messages will not result in disclosure of personal

data of other players.


Consequently, Reto Moto is of the opinion that the protection of the rights and freedoms of the
other players outweighs the interest of the complainant in recieving access to personal data.In-game chat messages with the technical aids available within reasonable limits cannot be              Page3of8

made public without also publishing the personal data of others.


2.2. The complainants comments
The complainant has stated that Reto Moto has refused to grant him access to all the personal

data they have collected about him.


In regards to the anti-cheat related information, the complainant has stated that, that kind of
information usually is highly private since anti-cheat software employs techniques usually only

used by intelligence agencies and hackers to get an exceptional level of access on the com-
puter. The user has no control over that software once it is installed, and that the data is per-

sonal data covered by the GDPR.


The complainant has also stated that the software regularly gets defeated by cheaters and

gets adapted and updated, and therefore Reto Moto will keep updating and adapting the soft-
ware even though, they might reveal some critical information.


Finally, the complainant has stated, that he only wants data about him related to in-game chat

messages.

3. Reasons for the decision of the DPA

3.1. It follows from Article 15 of the GDPR that the data subject has the right to obtain confirm-
ation by the controller of whether personal data relating to him or her are processed and, where

appropriate, access to the personal data and a number of additional data. In addition, it follows
from paragraph 3 that the controller in principle is required to provide a copy of the personal

data processed.


However, a data controller may refuse to comply with an access request from a data subject

if one of the exceptions to the right of access under Article 15(4) of the GDPR or section 22 of
the DDPA can be invoked.


It follows from Article 15 (4), that the right to obtain a copy referred to in paragraph 3 shall not

adversely affect the rights and freedoms of others.


According to section 22(1) of the DDPA, Article 15 of the GDPR does not apply if the data
subject’s interest in this information is found to be overridden by essential considerations of

private interests, including the consideration for the data subject himself.


The controller must make an assessment of the opposing interests.

                                                                       3
It is clear from the preparatory work of section 22(1) of the DDPA that the private interests
which may, among other things, justify secrecy are decisive considerations of business secrets

or decisive considerations of people involved other than the data subject, e.g. a minor child of
the data subject. Furthermore, it appears that the provision can only be applied where there is

an obvious danger that the interests of individuals will be adversely affected.

3.2. The DPA finds that Reto Moto by not provinding a copy of in-game chat messages sent

directly to and from the complainant has infringed Article 15(3) of the GDPR as there was no
basis for exempting this information.





3L 68 Proposal for a law supplementing the regulation on he protection of individuals with regard to the processing of personal
data and on the free movement of such data.                                                                                                  Page4of8
The DPA has emphasised that the complainant already would have knowledge about the con-

tent of these messages.
3.3. However, the DPA finds that other in-game chat messages may be exempt according to
Article 15(4) of the GDPR.


The DPA has attached weight on the fact that chats are conducted in different languages and
in jargon, and therefore it cannot be ruled out that Reto Moto will disclose information about

other people when disclosing the messages.

In addition, the other participants in the game must be assumed to expect a certain degree of

confidentiality regarding messages sent in the heat of the moment.

3.4. Furthermore, the DPA finds that Reto Moto was entitled not to provide a copy of any

personal information in relation to anti-cheat measures, cf. section 22(1) of the Danish Data
Protection Act (DDPA).


The DPA has emphasised the fact that disclosure of the information in question can reveal
how players can cheat the game and the underlying logic, which harms Reto Moto and other

players. In the light of this, the complainant’s interest in obtaining any such information is over-
ridden by Reto Moto’s interest in not disclosing how the company identifies cheating.


3.5. In regards to game replay data and server logs, the DPA finds no reason to disregard the
statement by Reto Moto, that the company has deleted the information before receiving the

access request.


4. Final remarks
A copy of this letter is sent to the complainant for information.


The DPA’s decision may be appealed to the courts, cf. Article 63 of the Danish Constitution.


The DPA thus considers the case closed and does not take any further action.


Kind regards


Josefine Grue                                                                                            Page5of8



Annex: Legal basis.Annex: Legal basis                                                                                      Page6of8


REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 27 April 2016 on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data, and repealing Directive 95/46/EC
(General Data Protection Regulation)


Article 2(1) This Regulation shall apply to the processing of personal data carried out in whole

or in part by means of automatic data processing and to other non-automatic processing of
personal data which is or will be contained in a register.


Article 4 For the purposes of this Regulation:


     1)  ‘personal data’ means:any information relating to an identified or identifiable natural
         person (‘the data subject’);identifiable natural person means a natural person who can

         be identified directly or indirectly, in particular by an identifier such as a name, identi-
         fication number, location data, an online identifier or one or more elements specific to

         the physical, physiological, genetic, mental, economic, cultural or social identity of that
         natural person;

     2)  ‘treatment’ means:any activity or set of activities, whether or not using automatic pro-
         cessing, which personal data or a collection of personal data is subject to, such as

         collection, recording, organisation, organisation, storage, adaptation or modification,
         retrieval, search, use, disclosure by transmission, dissemination or any other form of

         entrustment, alignment or combination, limitation, erasure or destruction;
[...]

     7)  ‘data controller’ means:a natural or legal person, a public authority, an institution or
         other body which, alone or jointly with others, determines for what purposes and with
         what means personal data may be processed;where the objectives and means of

         such processing are laid down in Union or Member State law, the controller or the
         specific criteria for its designation may be laid down in Union or Member State law;

     8)  ‘data processor’ means:a natural or legal person, a public authority, an institution or
         other body that processes personal data on behalf of the controller;

[...]



Article 12. The controller shall take appropriate measures to provide any information referred

to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to
processing to the data subject in a concise, transparent, intelligible and easily accessible form,

using clear and plain language, in particular for any information addressed specifically to a
child. The information shall be provided in writing, or by other means, including, where appro-
priate, by electronic means. When requested by the data subject, the information may be

provided orally, provided that the identity of the data subject is proven by other means.


[...]


5. Information provided under Articles 13 and 14 and any communication and any actions
taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a

data subject are manifestly unfounded or excessive, in particular because of their repetitive
character, the controller may either:


     a)  charge a reasonable fee taking into account the administrative costs of providing in-

         formation or notifications or taking the requested action; or     b)  refuse to comply with the request.                                                             Page7of8


The burden of proof that the request is manifestly unfounded or excessive shall be borne by

the controller.


[...]


Article 15. The data subject shall have the right to obtain from the controller confirmation as
to whether or not personal data concerning him or her are being processed, and, where that
is the case, access to the personal data and the following information:


(a) the purposes of the processing;


(b) the categories of personal data concerned;


(c) the recipients or categories of recipient to whom the personal data have been or will be

disclosed, in particular recipients in third countries or international organisations;


(d) where possible, the envisaged period for which the personal data will be stored, or, if not
possible, the criteria used to determine that period;


(e) the existence of the right to request from the controller rectification or erasure of personal

data or restriction of processing of personal data concerning the data subject or to object to
such processing;


(f) the right to lodge a complaint with a supervisory authority;


(g) where the personal data are not collected from the data subject, any available information

as to their source;


(h) the existence of automated decision-making, including profiling, referred to in Article 22(1)
and (4) and, at least in those cases, meaningful information about the logic involved, as well

as the significance and the envisaged consequences of such processing for the data subject.

[...]


3. The controller shall provide a copy of the personal data undergoing processing. For any

further copies requested by the data subject, the controller may charge a reasonable fee
based on administrative costs. Where the data subject makes the request by electronic

means, and unless otherwise requested by the data subject, the information shall be
provided in a commonly used electronic form.


4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights

and freedoms of others.


Act on supplementary provisions to the regulation on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data
(the Danish Data Protection Act)


§ 22. The provisions of Articles 13(1) to (3), Article 14(1), Article 15 and Article 34 of the Data
Protection Regulation shall not apply if the data subject’s interest in this information is found

to be overridden by essential considerations of private interests, including the consideration
for the data subject himself.Page8of8