Please notice all information provided by Qbridge is just for reference, the copyright and any other right of and in relation to which is solely owned by Qbridge or any other party it designates to. It is not allowed to use such information for profit, otherwise Qbridge reserves the right to pursue your liabilities.
Introduction
As Internet penetration grows worldwide, network data security problems are becoming increasingly prominent, and privacy and data protection are receiving growing attention from all countries. According to statistics published by the United Nations Conference on Trade and Development, 71% of the 194 countries surveyed have enacted data and privacy protection legislation and a further 9% have draft legislation in place; in other words, 80% of the countries in the world protect data and privacy by law. The European Union began applying the General Data Protection Regulation (“GDPR”) in May 2018, and since then the European data protection authorities have issued 1,295 GDPR-related fines totalling about 2,341 million euro. The California Consumer Privacy Act (“CCPA”) came into force in January 2020. Japan’s Personal Information Protection Law (the Act on the Protection of Personal Information) took effect on April 1, 2005, and the version currently in force is the result of three revisions of the 2005 text. Singapore’s Personal Data Protection Act (“PDPA”) came into force in stages from January 2013, and the version currently applicable is the text as amended by its first comprehensive revision. Data compliance legislation and enforcement around the world are very active and have a profound impact on the business of every industry, including the game industry. In 2022, the actual sales revenue of the Chinese game market was 265.884 billion yuan, a year-on-year decrease of 30.629 billion yuan, or 10.33%.
Besides the macroeconomy still being in a recovery stage and other factors, regulators in many countries are very active in supervising data compliance in the game industry, and the industry faces serious data compliance challenges that obstruct the development of game businesses; this is also one of the main reasons for the sharp drop in sales revenue of the Chinese game market. This article therefore analyzes the data compliance situation in China, the European Union, the United States, Japan, Singapore and other countries or regions, in the hope of providing some help and food for thought for the Chinese game industry in dealing with data compliance risks at home and abroad.
Status quo and key points of domestic data compliance in the game industry
In terms of laws and regulations, the main framework of domestic data compliance in the game industry is the “3+1+N” legal and regulatory system: “3” stands for the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, “1” for the Civil Code, and “N” for other laws, administrative regulations, departmental rules, normative documents and standards. Among administrative regulations, the Provisions on the Administration of Online Publishing Services define “online publications” and set out the “examination and approval matters for online games”. Among departmental rules, the Interim Provisions on the Administration of Internet Culture (2017 Revision) define the scope of Internet cultural products, which includes online games produced exclusively for the Internet, so game companies must strictly abide by these provisions when carrying out business. Among normative documents, the Notice of the State Press and Publication Administration on Further Strict Management and Effectively Preventing Minors from Indulging in Online Games requires that all online games be connected to the Administration’s anti-addiction real-name verification system, and that all online game users register their game accounts and log in with real and valid identity information; game companies shall strictly comply with this requirement to connect to the anti-addiction real-name verification system. Among national standards, it is worth noting that the Information Technology – Technical Requirements for the Monitoring System for Minors in Online Games went to review on June 23, 2023 and is currently at the “under review” stage. To keep data compliance on a normalized footing, game companies should track such laws, regulations and standards and update their practices as they change.
In terms of policy supervision, a series of policies for the domestic game industry has been issued in recent years and supervision has been continuously strengthened. At the national level, in May 2022 the Ministry of Culture and Tourism issued its Decision to Amend the Measures for the Administration of Entertainment Venues, which stipulates that electronic game machines installed in such venues may not be made available to minors except on statutory holidays. In July 2022, the Central People’s Government released the Opinions of 27 Departments Including the Ministry of Commerce on Promoting the High-quality Development of Foreign Cultural Trade, which call for a focus on developing cultural media, online games and other fields, expanding the pilot program for online game review, and innovating interim and ex-post supervision. At the local level, in September 2022 the Shanghai Municipal Administration for Market Regulation issued the Guiding Opinions on Promoting the Construction of the City’s Metaverse Standard System, which gives priority to building standard systems for digital environments, games and related areas. At the enforcement level, taking the Ministry of Industry and Information Technology (“MIIT”) as an example, MIIT recently found that 31 apps (SDKs) infringed users’ rights and interests and named them on its official WeChat account; the list included several game apps such as “Hungry Shark: Evolution”, cited for collecting personal information in violation of regulations. Apps named by MIIT must be rectified in accordance with the relevant provisions; if rectification is not carried out properly, disposal measures are organized according to laws and regulations.
It can be seen that domestic penalties and public notifications in the game industry focus mainly on the collection and use of personal information in violation of regulations. When publishing and operating games, game companies handle a large amount of personal information of game users (including minors), so compliant processing of user personal information is a key link in a game company’s data compliance, and handling it lawfully is a must for carrying out business. Based on our experience and understanding, a game company should first collect and process personal information in line with the basic principles of the Personal Information Protection Law, namely lawfulness, legitimacy, necessity and good faith, purpose limitation and minimization, and openness and transparency, and only within the scope permitted by law. Secondly, Articles 13 and 14 of the Personal Information Protection Law require a personal information processor to obtain the individual’s consent before processing personal information unless one of the other legal bases listed in Article 13 applies, and that consent must be given voluntarily and explicitly by the individual on the premise of full knowledge. On this basis, a game company may present a separate section on the collection and processing of personal information in the game interface, explaining to the user the purpose and necessity of the collection and processing and the security measures that protect the personal information, and obtain the user’s voluntary and explicit consent through a checkbox that the user actively ticks (not one ticked by default) after reading it in full. 
Finally, game companies must also meet the requirements of Chapter V (Obligations of Personal Information Processors) of the Personal Information Protection Law, such as formulating internal management systems and operating procedures, managing personal information by classification, and conducting a personal information protection impact assessment where sensitive personal information is involved. In addition, the processing of personal information of minors under the age of 14 needs particular attention. First, when collecting, storing, using, transferring and disclosing children’s personal information, game companies should follow the five principles of lawfulness and necessity, informed consent, clear purpose, security, and lawful use, carry out all processing of children’s personal information on that basis, and obtain the consent of the child’s parent or other guardian as Article 31 of the Personal Information Protection Law requires. Secondly, when collecting, using, transferring and disclosing the personal information of minors under 14, game companies shall offer a rejection option at the same time. Finally, when a game company discovers that children’s personal information has been, or may have been, leaked, damaged or lost, it shall immediately activate its contingency plan and take remedial measures, and where serious consequences have been or may be caused, it shall immediately report to the relevant competent departments.
Key Points of Cross-Border Compliance of Gaming Industry Data
Since 2018, Chinese game companies have rushed to distribute games overseas, but overseas distribution has not gone as smoothly as expected. In 2022, the actual sales revenue of China’s self-developed games in overseas markets was US$17.346 billion, a decrease of 3.70% over the previous year. Chinese game companies face many challenges when going abroad, and data compliance is one of the main ones. In practice, some game companies are at a loss when they run into cross-border data problems while publishing and operating games overseas. Based on our years of practical experience in data compliance management for multinational enterprises, and our team’s experience providing compliance consulting on cross-border data transfer for a well-known science and technology research and development center in Hong Kong, game companies need to focus on two types of cross-border data issues: the personal information protection impact assessment and the data export security assessment.
First, when a game company faces a personal information protection impact assessment, it may have three questions: what a personal information protection impact assessment is (What), when it must be carried out (When), and how it is carried out (How). For the first question, under the national standard Information Security Technology – Guidelines for Personal Information Security Impact Assessment, a personal information protection impact assessment is the process of examining the legal compliance of personal information processing activities, judging the various risks of harm to the legitimate rights and interests of personal information subjects, and assessing the effectiveness of the measures used to protect those subjects. For the second question, under Article 55 of the Personal Information Protection Law, an enterprise that provides personal information abroad in the course of its business must conduct a personal information protection impact assessment in advance and keep a record of the processing. For the third question, the assessment is divided into three stages: preparation, implementation and follow-up. In the preparation stage, the game company analyzes whether the assessment is necessary and then forms an assessment team, draws up an assessment plan, defines the object and scope of the assessment, and prepares a plan for consulting the relevant parties. 
In the implementation stage, the game company identifies risk sources and analyzes the impact on individuals’ rights and interests on the basis of data mapping analysis, and then performs a comprehensive security risk analysis based on the ratings obtained from these two paths. In the follow-up stage, the main work is to produce the personal information protection impact assessment report and decide how the report will be released. Secondly, for the data export security assessment, game companies need to answer two main questions: whether a data export security assessment is required, and how the declaration and assessment process works. For the first question, on the basis of an assessment of necessity, legality and legitimacy, the game company may check itself against the following: 1. Does the game company provide important data overseas? 2. Is the game company a critical information infrastructure operator? 3. Does the game company process the personal information of more than 1 million people? 4. Has the game company provided the personal information of 100,000 or more people overseas cumulatively since January 1 of the previous year? 5. Has the game company provided the sensitive personal information of 10,000 or more people overseas cumulatively since January 1 of the previous year? 6. Are there any other circumstances under which the national cyberspace administration requires a data export security assessment to be declared? If any one of these applies, the game company must declare a data export security assessment. For the second question, the game company prepares the declaration materials (including a copy of its unified social credit code certificate) on the basis of a self-assessment of the data export risk and submits them to the provincial cyberspace administration, which checks them for completeness within 5 working days. If the materials are complete, the national cyberspace administration decides whether to accept the declaration within 7 working days; if accepted, it completes the assessment within 45 working days and issues a written notice of the result.
Key requirements for the compliance of overseas outbound data in the game industry
Meeting the domestic cross-border data requirements, namely the personal information protection impact assessment and the data export security assessment, is a necessary condition for game companies to carry out overseas business. Of course, game companies conducting overseas business must not only carry out the above but also pay attention to the data compliance legal systems and regulatory policies of the destination countries or regions. We have therefore summarized the data compliance legal systems and regulatory policies of the European Union, the United States, Singapore and Japan, with a view to helping game companies deal with overseas data compliance risks.
European Union
In May 2018, the European Union’s General Data Protection Regulation (“GDPR”) came into force, replacing the 1995 EU Data Protection Directive (Directive 95/46/EC). For Chinese game companies shipping games to the EU, three questions matter most: 1. Which data and activities of a game company entering the EU fall under the GDPR? 2. If the GDPR applies, what are the risks and consequences of non-compliance? 3. How can a game going abroad comply with the GDPR? First, under Article 2 of the GDPR, the Regulation applies to the processing of personal data wholly or partly by automated means, and to processing by other means of personal data which form part of a filing system or are intended to form part of one. Under Article 3, it also applies to a controller or processor not established in the EU where the processing relates to offering goods or services to data subjects in the EU, so a Chinese game company distributing a game to EU players is within scope even without an EU entity. Game companies should note in particular that the GDPR protects the personal data of natural persons, not data relating to legal persons. Secondly, once the GDPR applies to a game company’s processing activities, failure to comply exposes it to very large fines: since the GDPR took effect in May 2018, the European data protection authorities have issued 1,295 GDPR-related fines totalling about 2,341 million euro, with the largest single fine at 746 million euro. Finally, to avoid penalties that could undermine its business, a game company can approach GDPR compliance from three angles: clarifying the types of data it processes for its overseas games; attending to the GDPR’s data processing principles and the rights of data subjects; and discharging its obligations as a data controller or processor. 
First, based on our experience and understanding, a game company typically processes three main types of data that fall under the GDPR: 1. Data actively provided by game users, such as their identity information, user names and passwords, character information such as character names, chat records generated during play, and transaction records. 2. Data actively collected by the game company, such as device information, location information, interactions between game users, and friend lists. 3. Data obtained by the game company from third parties, such as the nicknames and other information game users use on third-party platforms. The processing of all three types of data must follow the relevant provisions of the GDPR. Secondly, the GDPR’s data processing principles are set out mainly in Article 5, which lays down seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
Table 1: Key Points for Attention for Games Going Abroad to the EU, Based on the GDPR Principles
GDPR Data Processing Principle | Key Points for Attention When Games Enter the EU |
Lawfulness, fairness and transparency | The game company’s processing shall be lawful and fair, and the information it gives game users about that processing shall be transparent, described in clear and plain language or charts. |
Purpose limitation | Game users’ data shall be processed only for specified, explicit and legitimate purposes. |
Data minimisation | The personal data the game company processes shall be adequate, relevant and limited to what is necessary for the purpose of processing. |
Accuracy | The game company shall keep personal data accurate and, where necessary, up to date. |
Storage limitation | Personal data that can identify the data subject shall be kept in identifiable form for no longer than is necessary for the purposes of processing. |
Integrity and confidentiality | The game company shall ensure appropriate security of personal data through appropriate technical or organisational measures. |
Accountability | The game company, as controller, shall comply with the above principles and be able to demonstrate that it does so. |
In practice, the personal data of game users is one of the most important data sources of a game company, and also a data compliance matter it must handle prudently, because the GDPR not only sets out data processing principles but also grants data subjects a wide range of rights, including the right to be informed, the right of access, the rights to rectification and erasure, the right to restriction of processing, the right to data portability, and the right to object. Game companies may refer to the following table to comply with these provisions.
Table 2: Key Points for Attention for Games Going Abroad to the EU, Based on GDPR Data Subject Rights
GDPR Data Subject Right | Key Points for Attention When Games Enter the EU |
Right to be informed | The game company shall tell game users its identity and contact details and what personal data it collects about them, and shall provide more detailed information where required. |
Right of access | The game user has the right to obtain from the game company confirmation of whether their personal data are being processed and, if so, access to the data and information on the categories of data and the purposes of processing. |
Right to rectification and erasure | The game user has the right to obtain without undue delay the rectification of inaccurate personal data about them and the erasure of their personal data; once a valid request is confirmed, the game company shall rectify or erase the data. |
Right to restriction of processing | Where the game user contests the accuracy of their personal data, the processing is unlawful, or the game company no longer needs the data for the purposes of processing, the game user has the right to have the game company restrict processing of their data. |
Right to data portability | Where processing is based on consent or on a contract and is carried out by automated means, the game user has the right to receive their personal data from the game company in a structured, commonly used and machine-readable format. |
Right to object | The game user has the right to object to the game company’s processing of their personal data on grounds relating to their particular situation and, where the data are processed for direct marketing, at any time. |
Thirdly, as the GDPR specifies the obligations of data controllers and processors in detail, game companies need to attend to their obligations as controller or processor alongside the data subject rights above. To avoid serious or irreparable consequences, game companies should focus in particular on the 72-hour breach notification and on keeping records of processing. Under Article 33 of the GDPR, when a personal data breach occurs, the game company shall notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it; where the information cannot all be provided at once, it may be provided in phases without undue further delay. Under Article 30, the game company shall maintain records of its processing activities, including the name and contact details of the controller and any data protection officer, the purposes of processing, the categories of data subjects and personal data, the recipients, any transfers to third countries, and, where possible, the retention periods and a description of the security measures.
United States
The United States is an important global game market. At the federal level, the United States has enacted the Children’s Online Privacy Protection Act (COPPA) and the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), and at the state level a series of data privacy laws and regulations, such as the California Consumer Privacy Act and California’s “Shine the Light” law. The most influential and representative of these is the California Consumer Privacy Act (“CCPA”).
First, the CCPA establishes a personal information regime centred on “identifiability”. A game company entering California must therefore focus closely on the scope of “personal information” and on the lawful collection, processing and sale of such information in order to meet the CCPA’s requirements.
Firstly, as to the scope of personal information, the CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and provides that personal information includes, but is not limited to, identifiers, commercial information, biometric information, Internet or other electronic network activity information, geolocation data, audio, electronic, visual, thermal, olfactory or similar information, and education information. Under this definition, whether the information game companies collect from game users constitutes “personal information” under the CCPA is as follows:
Table 3: Personal Information Judgment Table under the Scenario of the Game Industry
Information game companies commonly collect about game users | Whether it is “personal information” under the CCPA |
Name, e-mail, mobile phone, address, user name, nickname, sex, age, interest, location information, advertising browsing records, consumption records, chat records, etc | √ |
Game health, hardware information | × (provided it is not linked or reasonably linkable to a particular consumer, household or device; device identifiers that are linkable count as personal information) |
Secondly, to collect personal information lawfully under the CCPA, the game company shall inform game users, at or before the point of collection, of the categories of personal information collected and the purposes of collection, and shall not collect additional categories of personal information or use the information for purposes beyond those disclosed without giving further notice; game companies should also note that once a game user has directed the company not to sell their personal information, the company must not sell it.
Finally, game companies should be cautious about selling personal information. The CCPA does not prohibit a game company from selling the personal information it collects from game users, but it requires the company to set up and offer an “opt-out” mechanism. To implement that mechanism, the game company shall provide a clear and conspicuous link titled “Do Not Sell My Personal Information” in the game interface, in a form reasonably accessible to game users, and the opt-out path shall be easy to use and require the fewest possible steps. For game users the company actually knows to be under 16, the CCPA reverses the default: their personal information may not be sold without affirmative (opt-in) authorization.
Secondly, the CCPA provides game users with two routes of relief: private and public. Under the private route, if a game company fails to implement reasonable security measures as the CCPA requires, resulting in unauthorized access to, or exfiltration, theft or disclosure of, a game user’s personal information, the game user may bring a civil action for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Under the public route, the Attorney General of California may adopt regulations implementing the CCPA, decide whether to take enforcement action against a non-compliant business, and bring a civil action against it, with a civil penalty of up to $7,500 per intentional violation.
Japan
Japan’s data protection legal system has absorbed both the state-led model of the European Union and the industry self-regulation model of the United States, and, combining them with its own characteristics, adopts a comprehensive protection model in which the security of personal information is safeguarded through industry self-regulation and administrative guidance. The most important part of the system in practice is the Personal Information Protection Law, which sets out the obligations of personal information handling business operators in a dedicated chapter, mainly covering “purpose of use”, “accuracy of content” and “restrictions on provision to third parties”.
As to “purpose of use”, under the Personal Information Protection Law a game company handling game users’ personal information must specify the purpose of use as concretely as possible, and if it changes that purpose, the new purpose may not go beyond a scope reasonably recognised as related to the original purpose. It is worth noting that, without the game user’s consent, the game company may not handle the user’s personal information beyond the scope necessary to achieve the specified purpose of use, except where it is necessary to protect a person’s life, body or property and obtaining consent is difficult.
As to “content accuracy”, within the scope of the purpose of use described above, the game company shall endeavour to keep game users’ personal data accurate and up to date, and shall delete the personal data without delay once it is no longer needed for that purpose.
As to “restrictions on provision to third parties”, the game company shall not provide a game user’s personal data to a third party without the user’s consent, except where it is necessary to protect a person’s life, body or property and obtaining the data subject’s consent is difficult. In particular, under the rules of the Personal Information Protection Commission, a game company may provide a game user’s personal data to a third party on an opt-out basis if it notifies the game user in advance, or places in a state easily accessible to the user, matters such as the name and address of the operator providing the personal data to the third party and the items of personal data to be provided, and reports this to the Personal Information Protection Commission.
Singapore
Singapore has been rated the most open economy in the world and has a highly developed free market. In recent years more and more Chinese game companies have chosen to go abroad to Singapore, and understanding Singapore’s legal and regulatory requirements has become essential for the long-term development of game companies operating there. In terms of data compliance, Singapore has a relatively well-developed system of data privacy protection law. In October 2012, Singapore promulgated the Personal Data Protection Act (“PDPA”), which establishes the basic framework of personal data protection in Singapore. The PDPA was amended in November 2020, and the amended version came into force on February 1, 2021. In actual enforcement, the PDPA is most active on “notification and consent” and on the “custody of personal data”, so we elucidate and analyze these two aspects.
First, as to “notification and consent”, the PDPA provides that, apart from the exemptions from the consent obligation and other circumstances provided by law, a game company shall in principle obtain an individual’s consent for the collection, use or disclosure of their personal data. The PDPA also provides for circumstances such as deemed consent and for a notification obligation. For example, under Section 15 of the PDPA, where a game user voluntarily provides personal data to the game company for a particular purpose and it is reasonable that the user would do so, the user is deemed to have consented to its collection, use or disclosure for that purpose. Under Section 20 of the PDPA, before obtaining the game user’s consent, whether in writing or orally, the game company shall inform the individual of: 1. the purposes for which the personal data will be collected, used or disclosed; 2. any other purpose for the use or disclosure of the personal data of which the individual has not already been informed; and 3. on request, the business contact information of a person who can answer the game user’s questions about the collection, use or disclosure of the personal data.
Second, with respect to the custody of personal data, the PDPA requires game companies to protect the personal data they own or control through reasonable security arrangements, so as to prevent risks such as unauthorized access, collection, use, disclosure, copying, modification or disposal, as well as the loss of any storage medium or device holding personal data. Game companies should also take care not to transfer any personal data to countries or regions outside Singapore unless, in accordance with the relevant requirements of the PDPA, the recipient is ensured to provide the transferred personal data with protection at least comparable to that of the PDPA. According to our observation and understanding of PDPA practice, the PDPA does not force Singaporean entities to sign separate data processing agreements with third parties; it allows a Singaporean entity to clarify the rights and obligations of both parties regarding cross-border data transfer and protection by signing an agreement with its parent company, and to authorize the parent company to perform the relevant cross-border data transfer and protection obligations on behalf of the group’s subsidiaries, thus forming a chain of obligation performance. Game companies can therefore realize cross-border data transfers by signing data processing agreements that clarify the distribution of data protection rights and obligations between the parent company and the Singaporean entity.
Responses and Opportunities to Data Compliance in the Gaming Industry
Under increasingly stringent global privacy and data legislation and regulation, the data compliance challenges facing the game industry are very serious. Chinese game companies face major data compliance challenges whether they conduct business domestically or overseas: at home, the “3+1+N” legislative system and a constant stream of regulatory policies; abroad, the data compliance pressure from countries or regions such as the European Union, the United States, Singapore and Japan. If the Chinese game industry fails to achieve data compliance, it may face huge fines in the future; overseas, the European data protection authorities have issued 1576 fines related to the GDPR, with a total of about 277 million euro and a maximum single fine of 746 million euro. Domestically, the Tencent Research Institute has compared China’s Personal Security Law with the EU’s GDPR and California’s privacy legislation in 29 aspects: China’s Personal Security Law is stricter than the GDPR in 38% of the aspects and the same as the GDPR in 48% of the dimensions. At the same time, the actual sales revenue of the Chinese game market in 2022 dropped by 30,629 million yuan year on year; the survival and development of the Chinese game industry has been greatly impacted, and the industry is developing in a heavy fog. Only by taking the initiative to lift the fog and embrace the data compliance legal systems of the various countries and regions can Chinese game companies guarantee the continued income generation of their business.
In order to respond effectively to domestic and overseas data compliance risks, game companies need to make improvements in many areas, and building a data compliance system is the first task. Although it may increase operating costs to some extent, a complete and scientific data compliance system will lay a good foundation for the future development of game companies, enhance enterprise value and create competitive advantages. The establishment of an enterprise data protection compliance system can generally be divided into four steps: data verification, risk identification and formulation of compliance plans, establishment of data compliance rules, and implementation of data compliance rules.
First, data verification. The normal practice of data verification from an information security perspective is to use software to “sense” the types of data held in a system and to propose an overall security plan for the system based on the sensitivity of that data. For example, game companies can support data verification in cross-border data transfer, contract review, product services, privacy regulatory review, due diligence and other areas through data compliance tools such as SERVICE NOW, ONE TRUST and HIPEROS. Data verification not only reveals the status quo of the enterprise’s personal information collection and processing, but also serves as an important basis for the enterprise to understand that status quo, identify risks and establish a data compliance system.
Second, risk identification and formulation of compliance plans. Based on the identified status quo, a gap analysis and risk identification are carried out against the compliance obligations stipulated by the applicable laws and regulations, and overall compliance planning is conducted for the game company’s IT systems, user interface, user registration process, and the transparency of its collection, use and protection of personal information.
Thirdly, establishment of data compliance rules. Data compliance rules are established and the relevant systems and processes improved in light of the game company’s actual situation. Employee awareness training is conducted so that employees understand the data compliance requirements and how to implement the system’s requirements in business processes. After the data protection compliance system is established, the game company needs to continuously track its implementation and improve the data compliance mechanism, so that the company’s data compliance system continues to safeguard the company.
Fourthly, implementation of data compliance rules. Here, we take the launch process of an individual product as an example to briefly describe how a data compliance system is implemented. First, in the product conception stage, the enterprise may invite privacy protection experts to attend product development discussions as non-voting observers; the experts provide compliance suggestions on personal information protection and flag compliance risks and solutions. This process should be recorded in the form of meeting minutes or e-mails. Secondly, in the preliminary product design stage, the product design team establishes controls and an architecture for the types of data used in the first-draft product design, and that first draft needs to reflect the solutions to the privacy and personal information protection risks raised in the previous stage. Thirdly, the product design team conducts a Data Protection Impact Assessment (DPIA) on the completed product design. The regulatory review of DidiTaxi has strongly demonstrated the necessity and importance of an enterprise’s personal information security assessment of its data-related products. All new data-related products and services of Accent, from research and development to launch, require data security and personal privacy experts to be involved in advance, to conduct a comprehensive assessment of personal information security from the three dimensions of law, commerce and technology, and to produce a personal information security impact assessment report, in order to prevent data security risks and to prevent the enterprise from suffering heavy losses and setbacks to its development due to future data security non-compliance.
Finally, the final product addresses the previously identified privacy and personal information protection risks and clarifies the corresponding technical measures and controls, which are demonstrated at the final product presentation meeting (attended by the legal, risk control, compliance, security and other departments) and in the product demonstration.
Summary
Through the analysis of data compliance in China, the European Union, the United States, Japan, Singapore and other countries or regions, we can clearly see, first, that data compliance supervision of the game industry in China is continuously increasing. For example, the National Press and Publication Administration issued a notice requiring all online games to connect to its real-name verification system for preventing online game addiction, and all online game users must register their game accounts and log in to online games using real and valid identity information; the Ministry of Industry and Information Technology has also frequently reported violations of laws and regulations by game apps. Secondly, when cross-border data transfer is involved, game companies should pay special attention to two key links: the personal information protection impact assessment and the cross-border data assessment. Thirdly, overseas data compliance supervision is very strict; for example, the European data protection authorities have issued 1576 fines related to the GDPR, with a total of about 277 million euro and a maximum single fine of 746 million euro, of which game companies engaged in overseas business should be particularly wary.
To help game companies respond effectively to domestic and overseas data compliance risks, I have discussed, in light of my own data compliance experience, the steps for building an enterprise data protection compliance system, namely four steps: data verification, risk identification and formulation of compliance plans, establishment of data compliance rules, and implementation of data compliance rules.
Finally, it is worth noting that, given the increasingly stringent legislation and supervision of domestic and overseas data compliance, game companies should maintain confidence, adopt a positive attitude, take the initiative to embrace the data compliance legal systems of the various countries and regions, and thoroughly implement and continuously consolidate their data protection compliance systems. Only by making the data protection compliance system part of the company’s lifeblood, and making it systematic, institutionalized and routine, can a game company guarantee the continued income generation of its business and remain stable in the face of strong data compliance supervision at home and abroad.