Datatilsynet (Denmark) - 2019-31-2071
Datatilsynet - No. 2019-31-2071 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 15(1) GDPR Article 15(3) GDPR Article 15(4) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 17.07.2019 |
Decided: | 29.08.2022 |
Published: | 09.02.2023 |
Fine: | n/a |
Parties: | Reto Moto |
National Case Number/Name: | No. 2019-31-2071 |
European Case Law Identifier: | EDPBI:DK:OSS:D:2022:457 |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
In an Article 60 GDPR procedure, the Danish DPA determined that a game developer did not have to provide data relating to it's anti-cheat software measures, when it replied to the data subject's access request. The data subject was banned from the game because of cheating allegations.
English Summary
Facts
In this decision, the data subject was accused of cheating in a video game by the provider of this game, Reto Moto ApS (controller), a Danish game developer.
On 30 May 2019, the data subject filed an access request at the controller pursuant to Article 15 GDPR. It is not clear from the decision what the data subject specifically requested.
On 26 June 2019, the controller replied to the request, almost a month later. The controller wrote in the reply that data about game replay, anti-cheat related information, server logs and in-game chat messages would not be disclosed to the data subject.
On 28 June 2019, the data subject informed the controller that the reply was incomplete. According to the data subject, anti-cheat information was usually really private information, since anti-cheat software usually employs techniques that are only used to get an exceptional level of access to the computer. The data subject had no control over the software once it was installed. The data subject was also of the opinion this anti-cheat software was personal data, and was therefore subject to the GDPR.
On 26 June 2019, the controller confirmed that it had answered to the access request. The controller also confirmed that it did not provide the Game replay data, Server logs, anti-cheat information and In-game chat messages. The controller stated that it did not provide a copy of the game replay data and the server logs because the controller had deleted these before receiving the data subject's access request.
The controller also explained that it did not provide access to the anti-cheat information, because this could harm the controller and other players of the game. The controller explained that this information constituted a technical log with data why the data subject was excluded from the game. The controller also stated that these logs included very few personal data, and stated that the data subject had been provided with the reason for his exclusion and was made aware of the time of the cheating, which was in violation with the controller's rules of the game and it's terms of service. This log also included information about the software used by the data subject to cheat. The controller meant that this did not constitute personal data and was also of the opinion that this information was strictly confidential, since disclosing this information might reveal how players could cheat in the game, which would harm the controller itself and other players of the game.
With regard to the in-game messages, the controller explained that it could only provide the data subject with copies of conversations which directly included the data subject. The controller could not remove personal data of other data subjects in these chats, since these messages contained several different languages that the controller did not understand. According to the controller, these chat messages were also written in jargon, which made it even harder for the controller to understand the proper context of the messages. Due to these factors, the controller stated that it could not guarantee that a copy of in-game messages would not result in the disclosure of personal data of other players. For this reason, the controller was of the opinion that the protection of rights and freedoms of other players outweighed the interest of the data subject in receiving access to personal data.
On 17 July 2019, the data subject filed a complaint about the controller's answer at the DPA. The DPA continued to review the case.
Holding
First, the DPA reprimanded the controller for not providing a copy of in-game chat messages sent directly to - and by the data subject in accordance with Article 15(3) GDPR. There was no legal basis which the controller could have used to deny the data subject this information. The DPA also emphasised that the data subject would already have knowledge about the content of these messages.
Second, the DPA found that the controller was entitled to deny a copy of other in-game chat messages, pursuant to Article 15(4) GDPR. The DPA considered the fact that chats were conducted in different languages and sometimes contained jargon. It could therefore not be ruled out that the controller would disclose information about other data subjects. In addition, other players of the game should be able to rely on a certain degree of confidentiality with regard to messages sent "in the heat of the moment".
Third, the DPA also determined that the controller was entitled to deny a copy of any personal information in relation to anti-cheat measures, pursuant to cf. section 22(1) of the Danish Data Protection Act (DDPA). This provision stated that Article 15 GDPR did not apply if the data subject’s interest in this information was overridden by essential considerations of private interests. The DPA emphasised that this information could reveal how players could cheat the game and the underlying logic, which would harm the controller and other players. The data subject’s interest in obtaining this information was overridden by the controller's interest in not disclosing how it identified cheating.
Lastly, with regard to the server logs and replay data, the DPA did not find any reason to doubt the statements made by the controller, which stated that it had deleted this information before receiving the access request from the data subject.
Comment
It is not entirely clear from the text of the decision itself why this is an Article 60 GDPR decision. It is not clear at which DPA the data subject filed her initial complaint or at what date it was transferred to the Danish DPA, if at all.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
RETO-MOTO ApS 29 August 2022 J.No.2019-31-2071 Doc.no.229180 Caseworker JosefineGrue Complaint about the right to access The Danish Data Protection Agency The Danish Data Protection Agency (DPA) hereby returns to the case where Carl Jacobsens Vej 35 (the complainant) on 17 July 2019 filed a complaint about Reto Moto ApS’ reply to his request 2500Valby for access. Denmark T 3319 3200 dt@data ilsynet.dk 1. Decision datatilsynet.dk After a review of the case, the DPA finds grounds for reprimanding Reto Moto for not provid- VAT No. 11883729 ing a copy of in-game chat messages sent directly to and from the complainant in accordance 1 with Article 15(3) of the General Data Protection Regulation (GDPR) . However, the DPA finds that Reto Moto was entitled not to provide a copy of other in-game chat messages, cf. GDPR Article 15(4). Furthermore, the DPA finds that Reto Moto was entitled not to provide a copy of any personal information in relation to anti-cheat measures, cf. section 22(1) of the Danish Data Protection 2 Act (DDPA) . Below is a detailed examination of the case and an explanation of the DPA’s decision. 2. Statement of the facts The complainant requested access on 30 May 2019. Reto Moto replied to the complainant’s request on 26 June 2019. Reto Moto wrote in the reply, that data about game replay, anti-cheat related information, server logs and in-game chat mes- sages would not be disclosed to the complainant, as this is property of Reto Moto and/or con- stitutes trade secrets On 28 June 2019, the complainant contacted Reto Moto regarding the reply, as the reply in his opinion was incomplete. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Regulation on data protection). 2Law No 502 of 23 May 2018 supplementing the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).2.1. Reto Moto’s comments Page2of8 Reto Moto has stated that Reto Moto replied to the complainant’s access request on 26 June 2019. Reto Moto did not provide a copy of the following data: • Game replay data • Anti-cheat related information • Server logs • In-game chat messages A copy of game replay data and server logs was not provided as Reto Moto had deleted these before receiving the complainant’s access request. Reto Moto has stated that when the company received the access request, the company as- sessed the data subject’s wish to gain access to his personal data and the protection of the rights or freedoms of other persons, including business secrets and intellectual property rights of Reto Moto. As a result, Reto Moto did not provide a copy of personal data containing anti- cheat related information and in-game chat messages. Reto Moto has explained that anti-cheat information is a sort of a technical log with data ex- plaining why a given player is excluded from the game. Anti-cheat information contains very few personal data. In connection with the complainant’s cheating, he was given the reasons for his exclusion and made aware of the time of the cheating in the game. The anti-cheat related information that was not disclosed consists of information used to determine whether a player should be excluded from playing because the player has attempted to cheat in viola- tion of Reto Moto’s terms of business and the rules of the game. This includes information about the software used by the user to cheat the game. Reto Moto does not consider this information to be personal data, as it is software and other technical aspects that are not per- sonal data in itself, even if it is linked to the complainant. In addition, Reto Moto considers this information strictly confidential, because disclosure of this information, including the software type and properties of Reto Moto’s game, might reveal how players can cheat the game and the underlying logic, which harms Reto Moto and other players. In regard to in-game chat messages, Reto Moto has explained that this includes messages that players can exchange with each other during their online games at Reto Moto. Such mes- sages can be provided in the form of files in which chats are logged. Reto Moto has not provided copies of these conversations and their content to the complainant as this will involve disclosure of personal data of other people. Reto Moto cannot remove other people’s data from in-game chat messages. This is due, among other things, to the fact that in-game chat messages take place in a multitude of different languages that Reto Moto does not understand. In-game chat messages are also often written in “jargon”, for example using national abbreviations for actions, users etc. that Reto Moto does not understand either. In addition, even where Reto Moto understands in-game chat messages linguistically, there may be context in the messages that Reto Moto does not understand, which means that the mes- sages might relate not only to the complainant but also to another player. Thus, Reto Moto cannot guarantee that a copy of in-game chat messages will not result in disclosure of personal data of other players. Consequently, Reto Moto is of the opinion that the protection of the rights and freedoms of the other players outweighs the interest of the complainant in recieving access to personal data.In-game chat messages with the technical aids available within reasonable limits cannot be Page3of8 made public without also publishing the personal data of others. 2.2. The complainants comments The complainant has stated that Reto Moto has refused to grant him access to all the personal data they have collected about him. In regards to the anti-cheat related information, the complainant has stated that, that kind of information usually is highly private since anti-cheat software employs techniques usually only used by intelligence agencies and hackers to get an exceptional level of access on the com- puter. The user has no control over that software once it is installed, and that the data is per- sonal data covered by the GDPR. The complainant has also stated that the software regularly gets defeated by cheaters and gets adapted and updated, and therefore Reto Moto will keep updating and adapting the soft- ware even though, they might reveal some critical information. Finally, the complainant has stated, that he only wants data about him related to in-game chat messages. 3. Reasons for the decision of the DPA 3.1. It follows from Article 15 of the GDPR that the data subject has the right to obtain confirm- ation by the controller of whether personal data relating to him or her are processed and, where appropriate, access to the personal data and a number of additional data. In addition, it follows from paragraph 3 that the controller in principle is required to provide a copy of the personal data processed. However, a data controller may refuse to comply with an access request from a data subject if one of the exceptions to the right of access under Article 15(4) of the GDPR or section 22 of the DDPA can be invoked. It follows from Article 15 (4), that the right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. According to section 22(1) of the DDPA, Article 15 of the GDPR does not apply if the data subject’s interest in this information is found to be overridden by essential considerations of private interests, including the consideration for the data subject himself. The controller must make an assessment of the opposing interests. 3 It is clear from the preparatory work of section 22(1) of the DDPA that the private interests which may, among other things, justify secrecy are decisive considerations of business secrets or decisive considerations of people involved other than the data subject, e.g. a minor child of the data subject. Furthermore, it appears that the provision can only be applied where there is an obvious danger that the interests of individuals will be adversely affected. 3.2. The DPA finds that Reto Moto by not provinding a copy of in-game chat messages sent directly to and from the complainant has infringed Article 15(3) of the GDPR as there was no basis for exempting this information. 3L 68 Proposal for a law supplementing the regulation on he protection of individuals with regard to the processing of personal data and on the free movement of such data. Page4of8 The DPA has emphasised that the complainant already would have knowledge about the con- tent of these messages. 3.3. However, the DPA finds that other in-game chat messages may be exempt according to Article 15(4) of the GDPR. The DPA has attached weight on the fact that chats are conducted in different languages and in jargon, and therefore it cannot be ruled out that Reto Moto will disclose information about other people when disclosing the messages. In addition, the other participants in the game must be assumed to expect a certain degree of confidentiality regarding messages sent in the heat of the moment. 3.4. Furthermore, the DPA finds that Reto Moto was entitled not to provide a copy of any personal information in relation to anti-cheat measures, cf. section 22(1) of the Danish Data Protection Act (DDPA). The DPA has emphasised the fact that disclosure of the information in question can reveal how players can cheat the game and the underlying logic, which harms Reto Moto and other players. In the light of this, the complainant’s interest in obtaining any such information is over- ridden by Reto Moto’s interest in not disclosing how the company identifies cheating. 3.5. In regards to game replay data and server logs, the DPA finds no reason to disregard the statement by Reto Moto, that the company has deleted the information before receiving the access request. 4. Final remarks A copy of this letter is sent to the complainant for information. The DPA’s decision may be appealed to the courts, cf. Article 63 of the Danish Constitution. The DPA thus considers the case closed and does not take any further action. Kind regards Josefine Grue Page5of8 Annex: Legal basis.Annex: Legal basis Page6of8 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Article 2(1) This Regulation shall apply to the processing of personal data carried out in whole or in part by means of automatic data processing and to other non-automatic processing of personal data which is or will be contained in a register. Article 4 For the purposes of this Regulation: 1) ‘personal data’ means:any information relating to an identified or identifiable natural person (‘the data subject’);identifiable natural person means a natural person who can be identified directly or indirectly, in particular by an identifier such as a name, identi- fication number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 2) ‘treatment’ means:any activity or set of activities, whether or not using automatic pro- cessing, which personal data or a collection of personal data is subject to, such as collection, recording, organisation, organisation, storage, adaptation or modification, retrieval, search, use, disclosure by transmission, dissemination or any other form of entrustment, alignment or combination, limitation, erasure or destruction; [...] 7) ‘data controller’ means:a natural or legal person, a public authority, an institution or other body which, alone or jointly with others, determines for what purposes and with what means personal data may be processed;where the objectives and means of such processing are laid down in Union or Member State law, the controller or the specific criteria for its designation may be laid down in Union or Member State law; 8) ‘data processor’ means:a natural or legal person, a public authority, an institution or other body that processes personal data on behalf of the controller; [...] Article 12. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appro- priate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. [...] 5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: a) charge a reasonable fee taking into account the administrative costs of providing in- formation or notifications or taking the requested action; or b) refuse to comply with the request. Page7of8 The burden of proof that the request is manifestly unfounded or excessive shall be borne by the controller. [...] Article 15. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. [...] 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. Act on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the Danish Data Protection Act) § 22. The provisions of Articles 13(1) to (3), Article 14(1), Article 15 and Article 34 of the Data Protection Regulation shall not apply if the data subject’s interest in this information is found to be overridden by essential considerations of private interests, including the consideration for the data subject himself.Page8of8