CLOUD GAMING: A LEGAL UPDATE

Jas PurewalPurewal & PartnersMay 2014

OVERVIEW

(1) Regulation is a mess (but they're working on it)

(2) Data protection is a headache (and turning into a migraine)

(3) The ‘right to be forgotten’

(4) Data security and the ‘Snowden Effect’

(5) Net neutrality

2

ABOUT US

• Purewal & Partners is a legal and business consultancy to digital entertainment and technology companies, founded by Jas Purewal in 2014.

• Jas is one of the leading digital entertainment and technology lawyers in the EU, with a decade of experience advising clients in the UK, EU and Silicon Valley on a range of legal and business matters – including the cloud.

• Jas writes and speaks regularly on digital entertainment and tech, including on www.gamerlaw.co.uk.

(1) THE REGULATORY MESS

•No consistency of regulation. US and EU have a mish-mash of applicable laws for B2B and B2C platforms:

•These are all objectives the EU has set for itself (in a single paper!): "Unleashing the Potential of Cloud Computing in Europe" (Sept 2012)

4

Data protection

Intellectual property

Cross-border trade

Consumer regulation

Law enforcement

Energy efficiency

TaxISP liability

Data and system securityPublic procurement

B2B business practices

Carbon reduction

Data portabilityTECHNICAL STANDARDS

(2) …BUT THEY'RE WORKING ON IT (?)

"Cloud computing is a game-changer for our economy. Without EU action, we will stay stuck in national fortresses and miss out on billions in economic gains. We must achieve critical mass and a single set of rules across Europe. We must tackle the perceived risks of cloud computing head-on." (Neelie Kroes, Vice President of the European Commission)

5

(2) DATA PRIVACY: INTRODUCTION

• No consistency worldwide, even within the EU

• Issues (there's lots) include:

– Which country's legal system applies?– When can you collect data?– What kinds of data can you collect?– What can you do with the data?– Where can you take the data?– What obligations do you have regarding the data?

6

(2) DATA PRIVACY: THE LOCATION PROBLEM

•

7

Offshore support for

mirrored D/c

IaaS data hosting

Automatic replication / back-up D/c

(2) DATA PRIVACY: THE COMING WAVE

• Proposed EU Data Protection Regulation is BIG NEWS …

8

(2) DATA PRIVACY: THE COMING WAVE

• The (sorry) saga of EU data privacy reform so far:

– Status quo: 28 similar but distinct data privacy laws

– 2012: European Commission proposes reforms

– 2012 – 2014: running battles within the EU plus big tech companies, privacy advocates and consumer groups

– Laws due to have been passed by now may not pass until ??2015?

9

(2) DATA PRIVACY: THE COMING WAVE

• What will EU data privacy look like?

– Single set of laws across the EU (probably)

– One stop shop approach to regulation

– The ‘right to be forgotten’

– ‘privacy by design’

– Data security/breach requirements

– Heavy fines: anywhere between 1 – 5% of worldwide revenue for breaches

10

(2) DATA PRIVACY: THE COMING WAVE

• What about the USA?

– No single set of laws or regulator

– FTC is most active (albeit controversially)

– Obama Administration seems to have given up on central legislative action

– State regulator seem to be getting more aggressive (e.g. NYC, CA)

– Overall, more relaxed than EU (but it’s changing)

11

(2) DATA PRIVACY: BEST PRACTICE

• Structure arrangements (server location etc) around legal as well as business/practical considerations

• Take advice regarding your EU and US arrangements

• Remember there are ways to navigate EU data privacy already

• Think consumer: the privacy policy but not just that

• Get ahead of future developments now

12

(3) THE ‘RIGHT TO BE FORGOTTEN’

“When you no longer want your data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press” (European Parliament).

• But what does that actually mean?

13

(3) THE ‘RIGHT TO BE FORGOTTEN’

Step forward, Mario Costeja Gonzalez…

•

14

vs

(3) THE ‘RIGHT TO BE FORGOTTEN’

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (May 2014):

•

15

“An internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties…”

(3) THE ‘RIGHT TO BE FORGOTTEN’

“…Thus, if, following a search made on the basis of a person’s name, the list of results displays a link to a web page which contains information on the person in question, that data subject may approach the operator directly and, where the operator does not grant his request, bring the matter before the competent authorities in order to obtain, under certain conditions, the removal of that link from the list of results.”

16

(3) THE ‘RIGHT TO BE FORGOTTEN’

• What might all this mean for cloud gaming?

• Potentially, holding or using any personal data at all could be challenged by affected individuals, e.g. chat logs/records, digital broadcast, achievements

• Very few defences (apart from public interest)• Technical arrangements needed to pull personal data• This risk will need to be managed throughout the cloud

gaming value chain• What happens when a regulator picks on a cloud

services provider outside the EU…?

17

(3) THE ‘RIGHT TO BE FORGOTTEN’

The jurisdictional noose is tightening…

18

(4) DATA SECURITY AND THE ‘SNOWDEN EFFECT’

19

(4) HAS THERE REALLY BEEN A ‘SNOWDEN EFFECT’?

20

(4) HAS THERE REALLY BEEN A ‘SNOWDEN EFFECT’?

• Unclear, but anecdotal evidence suggests yes:

• Considerable political fallout

• Increased legislative pressure from EU hardliners

• EU businesses putting more pressure on US businesses

• Some Silicon Valley businesses have lost business from it

• But has the sky caved in for cloud services? No.

21

(4) DATA SECURITY BEST PRACTICE

• Remember there is little international consistency

• Server location and data storage is key

• Data security provisions in contracts: reps + warranties, notification, termination rights etc

• Internal policy if government involvement occurs

• Good PR

22

(5) NET NEUTRALITY

23

(4) NET NEUTRALITY

• The US position:

• Pre-2010: no legislation or regulatory position• 2010: Federal Communication Commission’s Open

Internet Order• 2010 – 2013: lawsuits over new rules• 2014: US courts effectively kill the rules. FCC

reviews rules.• 2014: FCC proposes new rules permitting paid

prioritisation deals that are "commercially reasonable.“

• Media backlash.• FCC now to review the reviewed rules

24

(4) NET NEUTRALITY

What is the US position now?

25

Sound any clearer to you?

(4) NET NEUTRALITY

• The EU position:

• Pro-net neutrality legislation introduced at EU level

• Some Member States considering national laws…

• …And some have national codes encouraging or requiring net neutrality

• Previous preferential schemes have been shut down

26

WHAT DOES THIS MEAN FOR CLOUD GAMING?

• USA may permit preferential schemes for cloud gaming…

• …While the EU bans them altogether or makes them significantly harder to put in place.

27

THERE ARE MANY OTHER LEGAL ISSUES IN CLOUD GAMING…

• Getting contracts right in the cloud

• IP and content ownership in cloud gaming

• Consumer protection

• Advertising and marketing

• Taxation…

28

THE TAKE-HOME POINTS:

1. Identify key regulatory hurdles and steer a middle path

2. Understanding data privacy is key to the long-term success of any cloud business

3. The ‘right to be forgotten’ is coming to the cloud…

4. There has been a Snowden Effect…but it hasn’t yet seriously affected cloud gaming

5. Net neutrality may become one of the great issues for cloud gaming

29

THANKS!

30

Jas PurewalPurewal & Partners LLP............................................................E: jas@purewalandpartners.comW: www.purewalandpartners.comM: +44 774 760 3449T: @gamerlaw............................................................