I have a question

Discussion in 'Community Discussion' started by TheFryedmans, Jun 6, 2018.

  1. Emm, I was just on work experience and I learnt that for the UK and EU a new law called GDPR was passed and came into effect on the 25th of May (not long ago), saying that the business needs our consent to hold personal data (like email and contact information). Does this apply to the owners of EMC, given that this is an American business-ish?
  2. I am not an expert on any form of laws, but I think this is the case:
    As far as I know, EMC does not have to follow the EU law, but Aikar has said that the only data EMC has actively collected of you is your e-mail address, which you write down yourself in the registration form and so agree to share. This means EMC does follow the law, even though they don't have to.
    Everything you write here, of course, is also shared as it is a forum which everyone can visit, but that has nothing to do with the law.
  3. Except that after two years of inactivity (if I recall correctly), they'll need to remove the e-mail address also. And according to some, even name and profile picture, but I think that's more than the law actually prescribes (I haven't read the original law, only what other people have done and said in reaction to it).
  4. yeah... that was a thing too... I had forgotten, but he does only seem to ask about if "the business needs our consent to hold personal data", which what you say doesn't matter to :p
    also, I must actually start reading those things again, my knowledge is far from up-to-date lately.
    607 likes this.
  5. Yea ok just wondered as I was at work experience
  6. I know this hasn't been bumped since Wednesday but I thought I'd add to the discussion.

    The General Data Protection Regulation Act, translated into United Kingdom law as the Data Protection Act 2018, applies to businesses and organisations who control and/or process data belonging to European Union and European Economic Area residents - so, unless you're blocking European users, like the American news websites the Daily News, Chicago Tribune, and LA Times are - you have to abide by the rules in this law. You don't have to be based within the European Union, the only requirement for the law to apply to you is having users who are - meaning that Starlis LLC, the owners of Empire Minecraft, despite being based in North Carolina, have to abide by this law and if ever found in violation of it could face a fine of up to 20,000,000€ ($23,000,000) or 4% of their annual income.


    The countries this law applies to.

    So how do you abide by it? Your users must consent to each and every use of their data and know exactly what that means for them and why you need the data - said consent is able to be fully withdrawn at any point and they have to have the option to opt-in and opt-out of certain sections such as cookies. Children under sixteen years of age are not allowed to consent and the company is not allowed to collect any form of data on them. This applies to IP addresses, economic, cultural, mental health information, and pseudonymised information depending on how easy it is to identify someone with it. If this data is not relevant to the company anymore, a user can request to have it removed from the database.

    According to the 'Terms and Rules' page of Empire Minecraft, EMC uses Google AdWords to advertise - Google is in violation of the law on just about every definition, but EMC is not. However, EMC isn't providing opt-outs on cookies, only telling the user to do so through the browser, which isn't enough to be GDPR compliant. EMC also abides by the United States's Children's Online Privacy Protection Act, which only restricts data collection on those under the age of thirteen - this isn't complying with GDPR, which mandates the age being raised to sixteen. It also collects IP addresses and doesn't explicitly state so anywhere in the privacy policy or terms and conditions, and I don't think the data is anonymised - although since most of us are registered under pseudonyms, I don't think that's an issue.
    TomvanWijnen, nfell2009 and 607 like this.
  7. I would just like to mention in regards to this new law that’s in place, Minecraft and Microsoft have made changes to their rules about this. So far it seems like the changes they made are only in effect in the Realms and do not affect regular servers.
    ChespinLover77 likes this.
  8. What? That's terrible.
  9. It's not, to be honest. Companies just aren't allowed to collect data on children, and the law considers an adult to be sixteen years of age. Any data collection on an under sixteen requires parental consent rather than from the child themselves. EMC has it already but for thirteen-year-olds, the age just needs to be raised to sixteen.

    It's why you now have to be sixteen to register with WhatsApp. They can't handle not being able to collect all the messages the registered accounts send and so just raised the minimum sign up age.
    I don't think regular servers collect any data, beyond IP Addresses - which I'm pretty sure is mentioned in the Minecraft terms of service anyway. Their websites, however, do and don't come under the wing of Microsoft's terms.
  10. To add to AltPunisher - to fully comply with GDPR, companies must also provide a way for a user to retrieve all their data within a month and also be able to delete all their data from the service.
    AltPunisher likes this.
  11. Parental consent, ah. I didn't get that. That's... okay. I was afraid people would have to lie about their age, but now I understand that a parent can 'consent'?
  12. And here we go, the EU doing its best to make the Internet a worse place one step at a time. Another braindead law which does more harm than good (they sure made things a lot better (<cough, cough>) with that cookie law!) and this is no different.

    Fortunately there's also an easy way around this. Because it's quite easy to argue that if the users didn't consent with storing their data (like their e-mail address) they would not have registered and provided it. You don't need to register on these forums in order to enjoy Empire Minecraft. It's as easy as that.

    Personal data such as birthday and place of residence? If you don't want that stored.. well.... I know it's very hard to grasp for some people (not aimed at you guys, just some of those hollow minded people in Brussels) but.. there's actually a way around that too! By not providing that data in the first place. Gee, who would have guessed? Amazing!

    Sorry for a rant but I'm getting really tired of nonsense like this. Laws like these help absolutely no one other than those politicians. Has anyone ever wondered where all that money is going to? Isn't it weird how these laws seem to be popping up like crazy, and all involved around pretty hefty fines too. Could that have anything to do with the poor financial state the EU is currently in? I wonder....
    607 and TomvanWijnen like this.
  13. Herein lies the issue regarding the involvement of the GDPR with regards to game data. At what point can you define what data may or may not be stored on a player file? If you had the true ability to request your data is deleted in full, then we would have to delete our square logs and there would be no record of bans/mutes/etc. This is not a logical restriction and therefore it's never going to be enforceable on Minecraft servers.

    You have to define what data is required to operate the business. In EMC's case, we don't keep anything that isn't 'required' in times of investigation or as provided by the user to register. If you wish to not provide an email, then we've already explained what to use instead. We aren't gathering data on your political views, shopping habits, etc to sell to other companies. We aren't selling your emails to the highest bidder. We are operating a game server and have game data.
  14. This makes it a better place IMO. I don't care for the motive, the EU can take as much money as they want (not that the EU has a financial state anyway, having no treasury and all), any measure to protect personal privacy is a good one in my eyes. Even if someone faked their data entry, that doesn't stop Google and Microsoft and Facebook doing their best to get it, and in direct violation of the law and being held accountable for doing that.

    I can't really get into it here because this isn't the controversial subsection, but coming from someone who lives in a country leaving the EU: it's a good thing. I live in an area predicted to have catastrophic economic collapse and food rioting within twenty-four hours of leaving the union - and that's with the EU not even trying to screw the UK over, it's self-inflicted. Quite likely the UK will join the ranks of 'countries who suffered hyperinflation' alongside Germany and Yugoslavia too. And 'countries who became pseudofascist dictatorships with no respect for personal liberty'.
    Right, but what happens with the 'sixteen and over' age limit on data collection and turning off of cookies?
  15. I believe it is personal information, such as IP addresses, email etc etc.

    It is unimportant as to what use you do with my data, Starlis LLC has my data on their servers. As a European, the handling of this data must comply with GDPR otherwise Starlis is liable.
    AltPunisher likes this.
  16. Email can be removed, as we stated. That is your choice to keep it or not.

    IP is used in investigations on our servers for game data. It directly affects the application of some of our rules. The first few lawsuits from the GDPR change will define the limits as the true relationship between data and use are argued in front of the courts. Starlis won't be the first on that list so we'll see what happens after, as will the rest of the online gaming industry.
    607 and Tuqueque like this.
  17. Small detail: IP addresses aren't personal data. For example: some ISPs provide connectivity through DHCP which means that your IP address can pretty much change every so many weeks.

    Which is also one of the reasons for my rant above: it's plain out impossible for a company or organization to remove all of that data at the request of a user. Think about it... it'll get stored in logfiles, firewall data, website statistics (usually indirectly, but even so), server cache (which pretty much no one has control over), and a whole lot of other places.

    What if a company keeps backups with a long retention? Basically EU is now asking those organizations to "please go delete or alter your backups". That's really beyond the scope of reasonable, it's insane.

    (edit)

    Also something to think about: and who is going to verify if the company doesn't simply tell you: "Ok, we deleted all your data" while simply ignoring the whole thing entirely? Who could verify that? No one, that's who.

    Such a waste of time and effort...
  18. My guess is that it's going to take 4-5 years before final enforcement on the first wave of lawsuits can be handled in the US.

    Here's why (DISCLAIMER: ElfinPineapple is not a lawyer and none of what is about to be said should be heeded or interpreted as any form of legal advice. It is meant for educational purposes only. If you need legal advice on this issue please consult a licensed lawyer).

    Let's say Facebook gets fined for violating the GDPR (It's gonna be either them, Amazon, or Twitter that will be setting precedent on this). For the sake of example purposes let's say they have a physical presence in Germany. The EU would have to file suit in Germany's court system against Facebook alleging GDPR violations. It has to work through their court system which could take 2-3 years. Let's assume the EU was successful and the court allowed them to fine Facebook.

    From there, the EU, alongside Germany, would have to file a motion in the Central California District of the US District Court to get permission from the US government to enforce the ruling made in Germany. As Facebook is ultimately a US based corporation, foreign entities, both government and private citizen, have to get permission from the US government to enforce civil decisions made abroad on US soil.

    Facebook will immediately fight this motion, which could cycle through our court system and take another 2 years if it makes it all the way to the US Supreme Court. Whether it gets that far is an interesting question as Jesner v. Arab Bank (2018) has effectively blocked foreign entities from suing US corporations for tort-related matters that result in a civil liability.

    What happens if a company does not have a presence in the EU? Good question. Currently there doesn't appear to be a civil resolution the EU can take in that context. So does presence mean digital? Physical? Can the company even be fined? It's one of a ton of issues courts across the EU and US will be addressing for the next few years.
    607 likes this.
  19. IP addresses are personal data. They can be used to track a user and as such must not be stored for any longer than required. It must be declared in the privacy policy that IP addresses are being logged, what for, and how long they're being stored for. Access logs generated by the web server that contain IP addresses can also breach GDPR if it wasn't disclosed in the privacy policy.
  20. (I am not a lawyer). But it is worth noting that although IP addresses may be personal data, by themselves, they are not considered personally identifying information (PII). Instead a linked PII - ref.
    From my understanding, meaning it by itself isn't PII, but in conjunction with other data can create a profile which collectively are PII.

    The vast majority of the GDPR is focused on general personal data in the most vague sense.
    607 and nfell2009 like this.