This article was originally published in the Asia Video Industry Report 2022 by the Asia Video Industry Association (AVIA).
Legal Views: Online Gaming Privacy Regulation in Asia Pacific
Covid-19 has accelerated growth in the video game industry, with online games specifically (which include massive multiplayer online games (MMOGs) as well as casual and social games that can be either played directly in an internet browser or via clients that need to be installed) expected to generate US$24 bn in 2021,¹ which is expected to rise more than threefold to US$79 bn in 2025.² The Asia Pacific region is projected to bring in US$12.7 bn in online gaming revenues in 2021 (more than 50% of global revenues), of which more than US$5.5 bn will be generated in China.
Video game companies are engaging with gamers around the world who are spending more time at home and interacting with others virtually. But global privacy developments have also prompted video game companies to address heightened compliance obligations that apply to collecting greater amounts and types of data and processing it in novel ways. Other regulatory developments in certain countries (e.g. China) focus on content regulation and restricting access to online games by young people.
The acceleration of change in privacy laws across APAC, a more vigilant public, the enhanced powers of enforcement and growing scrutiny of the gaming sector among regulators have given rise to a number of compliance issues. Key updates to privacy regulations affecting online gaming include:
1. CHINA – the Personal Information Protection Law (PIPL) (effective 1 November 2021) has some similarities with the EU General Data Protection Regulation (including data subject rights, extra territorial effect and fines linked to annual turnover for severe breaches), with some notable differences:
a. Requires a lawful basis for processing personal information but has no comparable lawful basis to the GDPR’s “legitimate interests.” Places stronger emphasis on consent for processing
b. Restrictions on disclosures to third parties and cross-border transfers of personal information out of China (including mandatory government security reviews in some cases)
c. Breaches must be notified “immediately” to the regulator rather than within the GDPR’s 72-hour timeframe
2. THAILAND – the Personal Data Protection Act (PDPA) (effective 31 May 2021) includes:
a. Requirement for a lawful basis for processing (which includes legitimate interests)
b. Enhanced data subject rights
c. Mandatory notification of data breaches to the regulator within 72 hours
d. Requirements for cross-border data transfers (including consent and standard contractual clauses)
3. SINGAPORE – amendments to the Personal Data Protection Act (PDPA) (2012) made in 2020 have come into force in stages during 2021, including:
a. Mandatory notification of data breaches to the regulator (PDPC)
b. Expanded concept of “deemed consent” allowing businesses to use personal data based on notification to individuals where such individuals have not opted out
c. Strengthened enforcement powers of the PDPC, including increased financial penalties
4. OTHER JURISDICTIONS – personal data protection bills are currently passing through legislatures in India, Indonesia and Vietnam and amendments to existing privacy rules are currently being debated in Australia, among other countries.
Some of the issues that these changes and evolving privacy laws generate include the following:
- designing privacy into games from the outset – the concepts of “privacy by design” and “privacy by default” are becoming more commonplace, even where these concepts are not built into the law
- integrating technologies and platforms – some games may draw on personal data from multiple sources, including data from social media accounts, wearable devices, in-game player activity and telemetry from connected devices, as well as web activity tracking technologies such as cookies and beacons, making it even more important for companies to be transparent about their privacy practices
- protecting children – game companies often have to make strategic decisions about whether to let children play their games, and then comply with all applicable children’s privacy requirements, or use technical measures to block children from playing, and then limit the universal appeal of their games, and the age of majority often differs between territories in APAC
- responding to data subject requests – privacy laws are giving data subjects new or expanded rights, with recent or upcoming developments in China, India, Indonesia and Vietnam (among others)
- mandatory data breach notifications – privacy laws are increasingly making the notification of data breaches to the regulator obligatory, rather than voluntary
- APAC countries are increasingly seeking adequacy decisions from the EU Commission for the transfer of personal data from the EU to those countries (e.g. South Korea likely late 2021, Japan obtained this in 2019)
These developments mean that privacy is necessarily a foreground consideration for the online gaming industry. As time goes on, we expect regulations to proliferate and develop further, giving rise to more complexity and the need for industry participants to weigh privacy compliance risks carefully in their decision-making.
At Baker McKenzie, we provide the full range of legal services for clients in the interactive entertainment industry, including video game development, publishing and distribution. Our clients benefit from our full-service capabilities and global cross-practice advice, including our media, entertainment, technology, M&A, employment and intellectual property law expertise, as well as ground-breaking experience and the technical skills to provide commercially viable advice.
1 https://www.statista.com/outlook/dmo/digital-media/video-games/online-games/worldwide