Data and technology reside at the core of the esports industry. New technologies are continuously being introduced and incorporated, creating a more personalised connection between brands and their fans, driving industry success and market growth. These new technologies, by their nature, lead to the collection and processing of various categories and volumes of data, which can introduce an array of regulatory issues if not managed correctly.
Recent Industry Developments
In the summer of 2021, Beter introduced heart rate monitors for competitors at their efootball EsportsBattle tournaments. After experiencing tremendous success with increased engagement and feedback from viewers, the technology was expanded to their in-person Setka Cup table tennis tournaments. Further tie-ups have followed, as the esports industry looks to tap into the benefits enhanced use of data can bring to the player (and viewer) experience.
Whilst investment in technology centred around increasing the volume of data processed appears to be proving worthwhile, it is important to consider the type of personal data being processed and the legal requirements for lawfully processing such data.
Across European Member States, the law governing data processing is defined by the General Data Protection Regulation. In the United Kingdom, data processing is governed by the UK General Data Protection Regulation (“UK GDPR”), supplemented by the Data Protection Act 2018 (“DPA”). These laws define Personal Data as any information relating to an identified or identifiable living individual. This can include, for example, an individual’s name or address, in addition to online identifiers, such as IP addresses and cookies.
The DPA and UK GDPR prohibit the processing of data unless there is a lawful basis for that processing. That lawful basis could be where, for example: the processing is in the legitimate interests of a party and those interests are not outweighed by the interests of the data subject; the data subject has given consent to the processing of their data; or where data processing is necessary for compliance with a legal obligation. Whatever the appropriate basis is, it must be thought about up front, so that any safeguards can be put in place and the data protection impact can be minimised.
Where special category data is collected, a data controller must again identify a lawful basis for the processing of that data, in addition to establishing an additional condition under Article 9 of the UK GDPR. Data which falls within the remit of special category data, such as religion, race or criminal record, is subject to higher standards of regulation. Special category data is considered particularly sensitive and is a marker used to denote personal data of a nature that could cause more significant impact if it was misused in some way. Medical and health data, which is the type of data being collected and processed by the heart rate monitors, also falls within the special category definition.
A breach of the DPA or UK GDPR can result in a maximum fine of up to €20 million, or 4% of the undertaking’s total annual worldwide turnover, in addition to a myriad of other potential civil or criminal issues.
Organisations who are making use of personal data (particularly special category data) should therefore ensure that they are aware of the type of data that they are processing and have suitable measures in place to safeguard the data subject’s rights, freedoms and legitimate interests. For example, it would be good practice to carry out a data protection impact assessment, especially if processing special category data on a large scale. Data protection must be implemented by design and by default. In an industry where data is and continues to be at the heart of its day-to-day functioning, this awareness is all the more crucial.
DLA Piper regularly advise esports providers and organisations on data protection compliance. Our Esports Laws of the World guide provides an overview of relevant legislative provisions in over 40 countries. Our Data Protection Laws of the World now covers 160 jurisdictions.
Should you have any queries arising out of this blog, please contact the authors or your regular DLA Piper contact.