The GDPR and how it treats online game character names

Question

I am writing a MUD server - a multiplayer game where people connect and create characters.

I am unsure if the GDPR applies to me - offering a game to the public is not a household task, but I am also not a large company (or a company at all) and I will not be processing data at scale. For this question, let's assume it does (though answers that address this point are welcome).

The character record is easy - the basis for processing is consent. If someone does not want to enter a character name then they can simply not play the game. Likewise, if they choose to withdraw that consent at any point they can simply delete their character.

It is assumed (but not given) that people signing up for a sci-fi computer game will not use their real name, but you never know what people will do.

The sticking point for me is that I wish to build an internal forum/mail/news system into the game itself. I can see in the future that articles will be written into the game along the lines of Lord Thunderthighs recently took on the Foo monsters and won a great victory for the Terran Alliance. Once this happens, it will be incredibly difficult to process deletion requests that scan every bit of text produced in the game to remove character names from it. This goes doubly so as there is nothing stopping someone from creating a character named the or and.

I'm troubled as while there are threads on the WoW forums that state 'character names aren't personal data so they aren't covered by the GDPR'*, there are also a lot of questions here with the answer 'if it can identify a single person, even if their real identity is unknown and unknowable, it is personal data'.

The only basis I can see to keep the in-game articles after a deletion request would be 'legitimate interest', and in my professional life 'legitimate interest is the last refuge of the scoundrel' is basically my catchphrase.

The interest in my case would be 'the community of the game has a legitimate interest in documenting the history of the game world for posterity, and to communicate with each other about it'. The balance test would be that there is (should be) no real world personal data in there, only data that relates to fictional characters inhabiting a game world.

I would welcome answers on whether the GDPR applies at all to my case, and to whether all references to character names beyond the character record need to be the subject of deletion requests.

Country: Germany.

*This thread doesn't have an answer by WoW staff, only a bunch of players. Yes, it is as toxic as you imagine it to be.

Answer 1

Yes, GDPR is going to apply – but it's not going to make everything impossible. Parts of this answer:

• GDPR applies
• You are processing personal data
• Consent is rarely a suitable legal basis
• The right to erasure is not absolute

GDPR applies

GDPR is not just for large companies. It applies to any processing of personal data, unless one of the exceptions applies. More formally, the processing activity must fall under the GDPR's material and territorial scope.

Art 2 GDPR explains the GDPR's material scope – to which activities it applies. Here, it will apply, because

• you are processing personal data
• using electronic means
• and none of the exceptions apply.

There is no exception for non-profit activities or sole proprietors. The size of your organization only has implications for the question whether you have to appoint a data protection officer or whether you have to keep ROPAs (records of processing activities, de: Verzeichnis von Verarbeitungstätigkeiten).

There is an exception for purely personal or household activities. As you've correctly guessed, this exception will not apply to your MUD server. Even if running this server is a personal project, it is not purely personal. You're offering the service to the public, not just to close friends and family. Relevant CJEU case law for this exception are the C-101/01 “Lindqvist” and C‑212/13 “Rynes” cases.

You are processing personal data

Per Art 4(1) GDPR, personal data is any information relating to an identifiable person. For determining whether someone is identifiable, Recital 26 GDPR tells us that we must consider “all the means reasonably likely to be used”, including indirect identification, use of additional information, and help from third parties. In particular, being able to “single out” individuals – being able to distinguish users – already counts as identifications.

This means that usernames and all linked information (including their user-generated content) will very likely be personal data.

It is possible that one piece of information is the personal data of multiple persons. For example, a forum post by user A discussing user B's actions is definitely B's personal data (it relates to them, and they are identifiable), and probably also A's personal data (A is identifiable, but depending on context it may or may not “relate” to A).

If you've read on a WoW forum that “character names aren't personal data”, please disregard this. Many people are not aware of the GDPR's very broad concept of personal data and identifiability.

Just because something is personal data doesn't mean that processing it is illegal. It just means that GDPR is going to regulate how you can use this information. In particular, you will need a “legal basis”.

Consent is rarely a suitable legal basis

To process personal data, you are supposed to have a clear purpose, and this purpose must be covered by a legal basis. Art 6 GDPR lists six legal bases from which we can choose. While consent is listed first, it is usually the last legal basis that should be considered. Instead, it makes more sense to consider them in the following order:

• Art 6(1)(c) processing is necessary for compliance with a legal obligation: if you're required by German or EU law to do something, GDPR will not prevent that. Typical examples include financial records for a business, or complying with court orders to disclose data.

• Art 6(1)(b) processing is necessary for the performance of a contract: if users sign up to your service, you are allowed to do whatever is necessary to provide that service

  For example, it is necessary for your MUD to have usernames so that users can interact with each other. It is necessary to store progress and stats in a database. When people use the forum, it is necessary to store the posts and to display them to other users. If you ask for subscription fees, payment processing is strictly necessary.

  Here, the main limitation is that necessity must be considered from the user's perspective. For example, personalized ads are generally not necessary to provide a service. Facebook did attempt the argument that its users had contracted Facebook to show them personalized ads, leading the EDPB to write a lengthy treatise about the correct interpretation of Art 6(1)(b).

• Art 6(1)(f) processing is necessary for a legitimate interest: you have a good reason to do something, and you've done a balancing test to show that this has an acceptable privacy impact. Legitimate interest gives rise to the right to object (opt-out).

  For example, security and and anti-abuse measures are typically founded on a legitimate interest. They are not strictly necessary for the service to work, but there's a pretty compelling legitimate interest (e.g. safety of other players, maintaining security of your service).

  Depending on the legitimate interest pursued, requests to object can also be denied. For example, it would make no sense if malicious actors could opt out from the security measures designed to reign them in.

  Recital 47 gives criteria for conducting a legitimate interest balancing test. In particular, a legitimate interest might work if the data subject can reasonably expect the data processing to occur, given the time and context in which the personal data was collected.

• Art 6(1)(a) consent: finally, we get to consent. Consent is appropriate when a processing activity is not necessary for your services, and if the legitimate interest balancing test weighs against the activity, in particular if the data subject can't reasonably expect their data to be used this way. Requesting consent serves as a signal to the data subject that a potentially privacy-invasive activity is about to happen. It is in many ways the legal basis of last resort.

  The GDPR defines consent in Art 4(11), and gives further conditions for valid consent in Art 7. The EDPB has written guidelines on consent.

  In your context, it's important to note that consent must be freely given. Art 7(4) GDPR says that you cannot generally make access to a service conditional on unrelated consent. Saying that “they can simply not play the game” does not provide valid choice.

• Art 6(1)(d) necessary to protect vital interests: primarily applicable in life-threatening emergency situations.

• Art 6(1)(e): necessary for a public interest or official authority: generally not applicable to the private sector.

Looking at these legal bases, it is likely that you will base your main processing activities on Art 6(1)(b) necessity for performance of the contract, and secondarily on Art 6(1)(f) necessity for legitimate interests. Consent is going to be more appropriate for non-essential aspects of your services. For example, you might ask for consent to show profile stats publicly (if this isn't necessary for the game to work).

Different legal bases give rise to different sets of data subject rights.

• As mentioned, a legitimate interest allows the data subject to object (opt-out), though the objection can be denied if you can demonstrate overriding grounds. But this should be a case by case determination, taking into account the data subject's individual circumstances.

• Consent can be withdrawn at any time, and it must be possible to do so without detriment. While consent does not invalidate past processing activities, future processing for that purpose is now impossible. Thus, when you ask for consent to process data for some purpose, this gives the data subject total control. If you can't deal appropriately with withdrawn consent, this is a strong indication that a different legal basis could be more appropriate, or that the processing activity is illegal in entirety.

The right to erasure is not absolute

The Art 17 GDPR right to erasure lets users ask you to delete their data. In particular, this request should be granted if keeping the data is no longer necessary for the purposes for which it is being processed, or if the legal basis for processing expired (e.g. successfully objected to legitimate interests, consent withdrawn).

But compared to other data subject rights (like Art 13/14 information, Art 15 access), this right is fairly qualified and subject to conditions. If you still have a legitimate interest to keep the data around, or if keeping the data is otherwise necessary, the request to erasure can be (partially) rejected. This underlines the importance of selecting a suitable legal basis for processing, instead of going straight to consent which is going to unnecessarily limit your options.

In the context of forums with user-generated content, it is indeed common to only delete the account, but not all associated posts. Whether this is compliant depends on context, in particular on whether you have a good reason to keep the data around.

It is also entirely normal to not hunt down any post that could mention a particular data subject. Where one post is the personal data of multiple data subjects, you must balance the rights of all involved people. Clearly, the mentioned person's rights would prevail e.g. in the case of doxxing. But otherwise, you should consider in particular the exception in Art 17(3)(a): that the right to erasure won't apply if continued processing is necessary for exercising the right of freedom of expression and information.