Emm i just was on work experience and I learnt that for the UK and EU a new law was passed called GDPR and came into affect on the 25th of May (not long ago) saying that the bissness needs our consent to hold personal data (like email and contact information) dose this apply To the owners of EMC that this is an American business ish
I am not an expert on any form of laws, but I think this is the case: As far as I know, EMC does not have to follow the EU law, but Aikar has said that the only data emc has activly collected of you is your e-mail adress, which you write down yourself in the register forums and so do argree on to share. This means EMC does follow the law, even though they don't have to. Everything you write here, of course, is also shared as it is a forum which everyone can visit, but that has nothing to do with the law.
Except that after two years of inactivity (if I recall correctly), they'll need to remove the e-mail address also. And according to some, even name and profile picture, but I think that's more than the law actually prescribes (I haven't read the original law, only what other people have done and said in reaction to it).
yeah... that was a thing too... I had forgotten, but, he does only seem to ask about if "the bissness needs our consent to hold personal data", which what you say doesn't matter to also, I must actually start reading those things again, my knowlege is far from up-to-date lately.
I know this hasn't been bumped since Wednesday but I thought I'd add to the discussion. The General Data Protection Regulation Act, translated into United Kingdom law as the Data Protection Act 2018, applies to businesses and organisations who control and/or process data belonging to European Union and European Economic Area residents - so, unless you're blocking European users, like the American news websites the Daily News, Chicago Tribune, and LA Times are - you have to abide by the rules in this law. You don't have to be based within the European Union, the only requirement for the law to apply to you is having users who are - meaning that Starlis LLC, the owners of Empire Minecraft, despite being based in North Carolina, have to abide by this law and if ever found in violation of it could face a fine of up to 20,000,000€ ($23,000,000) or 4% of their annual income. The countries this law applies to. So how do you abide by it? Your users must consent to each and every use of their data and know exactly what that means for them and why you need the data - said consent is able to be fully withdrawn at any point and they have to have the option to opt-in and opt-out of certain sections such as cookies. Children under sixteen years of age are not allowed to consent and the company is not allowed to collect any form of data on them. This applies to IP addresses, economic, cultural, mental health information, and pseudonymised information depending on how easy it is to identify someone with it. If this data is not relevant to the company anymore, a user can request to have it removed from the database. According to the 'Terms and Rules' page of Empire Minecraft, EMC uses Google AdWords to advertise - Google is in violation of the law on just about every definition, but EMC is not. However, EMC isn't providing opt-outs on cookies, only telling the user to do so through the browser, which isn't enough to be GDPR compliant. EMC also abides by the United States's Children's Online Privacy Protection Act, which only restricts data collection on those under the age of thirteen - this isn't complying with GDPR, which mandates the age being raised to sixteen. It also collects IP addresses and doesn't explicitly state so anywhere in the privacy policy or terms and conditions, and I don't think the data is anonymised - although since most of us are registered under pseudonyms, I don't think that's an issue.
I would just like to mention in regards to this new law that’s in place, Minecraft and Microsoft has made changes to their rules about this. So far it seems like the changes they made are only in effect in the Realms and do not effect regular servers.
It's not, to be honest. Companies just aren't allowed to collect data on children, and the law considers an adult to be sixteen years of age. Any data collection on an under sixteen requires parental consent rather than from the child themselves. EMC has it already but for thirteen year olds, the age just needs to be raised to raised to sixteen. It's why you now have to be sixteen to register with WhatsApp. They can't handle not being able to collect all the messages the registered accounts send and so just raised the minimum sign up age. I don't think regular servers collect any data, beyond IP Addresses - which I'm pretty sure is mentioned in the Minecraft terms of service anyway. Their websites, however, do and don't come under the wing of Microsoft's terms.
To add to AltPunisher - to fully comply with GDPR, companies must also provide a way for a user to retrieve all their data within a month and also be able to delete all their data from the service.
Parental consent, ah. I didn't get that. That's... okay. I was afraid people would have to lie about their age, but now I understand that a parent can 'consent'?
And here we go, the EU doing its best to make the Internet a worse place one step at a time. Another braindead law which does more harm than good (they sure made things a lot better (<cough, cough>) with that cookie law!) and this is no different. Fortunately there's also an easy way around this. Because it's quite easy to argue that if the users didn't consent with storing their data (like their e-mail address) they would not have registered and provided it. You don't need to register on these forums in order to enjoy Empire Minecraft. It's as easy as that. Personal data such as birthday and place of residence? If you don't want that stored.. well.... I know it's very hard to grasp for some people (not aimed at you guys, just some of those hollow minded people in Brussels) but.. there's actually a way around that too! By not providing that data in the first place. Gee, who would have guessed? Amazing! Sorry for a rant but I'm getting really tired of nonsense like this. Laws like these help absolutely no one other than those politicians. Has anyone ever wondered where all that money is going to? Isn't it weird how these laws seem to be popping up like crazy, and all involved around pretty hefty fines too. Could that have anything to do with the poor financial state the EU is currently in? I wonder....
Herein lies the issue regarding the involvement of the GDPR with regards to game data. At what point can you define what data may or may not be stored on a player file? If you had the true ability to request your data is deleted in full, then we would have to delete our square logs and there would be no record of bans/mutes/etc. This is not a logical restriction and therefore it's never going to be enforceable on Minecraft servers. You have to define what data is required to operate the business. In EMC's case, we don't keep anything that isn't 'required' in times of investigation or as provided by the user to register. If you wish to not provide an email, then we've already explained what to use instead. We aren't gathering data on your political views, shopping habits, etc to sell to other companies. We aren't selling your emails to the highest bidder. We are operating a game server and have game data.
This makes it a better place IMO. I don't care for the motive, the EU can take as much money as they want (not that the EU has a financial state anyway, having no treasury and all), any measure to protect personal privacy is a good one in my eyes. Even if someone faked their data entry, that doesn't stop Google and Microsoft and Facebook doing their best to get it, and in direct violation of the law and being held accountable for doing that. I can't really get into it here because this isn't the controversial subsection, but coming from someone who lives in a country leaving the EU: it's a good thing. I live in an area predicted to have catastrophic economic collapse and food rioting within twenty-four hours of leaving the union - and that's with the EU not even trying to screw the UK over, it's self-inflicted. Quite likely the UK will join the ranks of 'countries who suffered hyperinflation' alongside Germany and Yugoslavia too. And 'countries who became pseudofascist dictatorships with no respect for personal liberty'. Right, but what happens with the 'sixteen and over' age limit on data collection and turning off of cookies?
I believe it is personal information, such as IP addresses, email etc etc. It is unimportant as to what use you do with my data, Starlis LLC has my data on their servers. As a European, the handling of this data must comply with GDPR otherwise Starlis is liable.
Email can be removed, as we stated. That is your choice to keep it or not. IP is used in investigations on our servers for game data. It directly affects the application of some of our rules. The first few lawsuits from the GDPR change will define the limits as the true relationship between data and use are argued in front of the courts. Starlis won't be the first on that list so we'll see what happens after, as will the rest of the online gaming industry.
Small detail: IP addresses aren't personal data. For example: some ISP's provide connectivity through DHCP which means that your IP address can pretty much change every so many weeks. Which is also one of the reasons for my rant above: it's plain out impossible for a company or organization to remove all of that data at the request of a user. Think about it... it'll get stored in logfiles, firewall data, website statistics (usually indirectly, but even so), server cache (which pretty much no one as control over), and a whole lot of other places. What if a company keeps backups with a long retention? Basically EU is now asking those organizations to "please go delete or alter your backups". That's really beyond the scope of reasonable, it's insane. (edit) Also something to think about: and who is going to verify if the company doesn't simply tell you: " Ok, we deleted all your data" while simply ignoring the whole thing entirely? Who could verify that? No one, that's who. Such a waste of time and effort...
My guess is that it's going to take 4-5 years before final enforcement on the first wave of lawsuits can be handled in the US. Here's why (DISCLAIMER: ElfinPineapple is not a lawyer and none of what is about to be said should be heeded or interpreted as any form of legal advice. It is meant for educational purposes only. If you need legal advice on this issue please consult a licensed lawyer). Let's say Facebook gets fined for violating the GDRP (It's gonna be either them, Amazon, or Twitter that will be setting precedent on this). For the sake of example purposes lets say they have a physical presence in Germany. The EU would have to file suit in Germany's court system against Facebook alleging GDRP violations. It has to work through their court system which could take 2-3 years. Let's assume the EU was successful and the court allowed them to fine Facebook. From there, the EU, alongside Germany, would have to file a motion in the Central California District of the US District Court to get permission from the US government to enforce the ruling made in Germany. As Facebook is ultimately a US based corporation, foreign entities, both government and private citizen, have to get permission from the US government to enforce civil decisions made abroad on US soil. Facebook will immediately fight this motion, which could cycle through our court system and take another 2 years if it makes it all the way to the US Supreme Court. Whether it gets that far is an interesting question as Jesner v. Arab Bank (2018) has effectively blocked foreign entities from suing US corporations for tort-related matters that result in a civil liability. What happens if a company does not have a presence in the EU? Good question. Currently there doesn't appear to be a civil resolution the EU can take in that context. So does presence mean digital? Physical? Can the company even be fined? It's one of a ton of issues courts across the EU and US will be addressing for the next few years.
IP addresses are personal data. They can used to track a user and as such much not be stored for any longer than required. It must be declared in the privacy policy that IP addresses are being logged, what for, and how long they're being stored for. Access logs generated by the web server that contain IP addresses can also breach GDPR if it wasn't disclosed in the privacy policy.
(I am not a lawyer). But it is worth noting that although IP addresses may be personal data, by themselves, they are not considered personally identifying information (PII). Instead a linked PII - ref. From my understanding, meaning it by itself isn't PII, but in conjunction with other data can create a profile which collective are PII. The vast majority of the GDPR is focused on general personal data in the most vague sense.