On May 25th, 2018 the European Union’s General Data Protection Regulation (GDPR) comes into force. While an EU regulation, the GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. As such, it not only affects Linden Lab, which holds data on Second Life and Sansar users in the European Union, it can also affect those operating a business through Second Life who collect data on customers and store it outside of the servers operated by Linden Lab.
In preparation for the enforcement of the GDPR, on May 9th, 2018, Linden Lab issued a preliminary blog post on their compliance with the GDPR, which covers both Second Life and Sansar.
GDPR, in a nutshell.
Put simply, the GDPR puts in place new requirements for the collection, maintenance, and use of personal data for residents of the European Union (EU) and European Economic Area (EEA). It’s an important evolution in privacy practices, and one we’ve already started to account for: if you notice, our existing Privacy Policy already discloses the type of personal data we collect from you, how we use and limit any sharing of your data, and your rights to control our use of your personal data.
What you can expect.
In coming weeks, we’ll provide more information on how EU residents in Second Life can best exercise their rights under GDPR. In some cases, you may take actions through your account dashboard (to modify your personal data, for instance). In others, it may be necessary to file a support ticket and verify your identity (to better protect your privacy).
– Linden Lab May 9th blog post on the upcoming GDPR
The GDPR defines personal data as, “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.” This includes, but is not limited to: IP addresses, on-line identifiers (including avatar names), e-mail addresses, photographs, as well as the more usual name, address, bank details, medical data, etc.
In addition to defining requirements for how such data should be managed and protected by organisations gathering it, the GDPR also specifies a number of rights to Data Subjects who have their personal information stored by companies and other entities. These include, but are not limited to:
- The right to be informed: Data Subjects have the right to know what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
- The right to access: generally speaking, organisations are required, within one month of receipt of a formal request, to provide a copy of any personal data concerning the requesting Data Subject.
- The right to rectification: a Data Subject can formally request that inaccurate or incomplete information relating to them be updated, and the update must be made within one month (exceptions can apply).
- The right to be forgotten: a Data Subject can request the erasure of all personal data relating to them in certain circumstances (e.g. it is no longer necessary to hold it; if the data was unlawfully processed or it no longer meets the lawful ground for which it was collected). However, there are certain exceptions to this.
(In addition, the GDPR defines: The right to object (to data being gathered); The right to restrict processing; The right to data portability; and Rights related to automated decision making including profiling.)
For those running businesses through Second Life or Sansar which use services (web sites, computers, etc.) outside of Second Life for the collection and storage of personal information on their EU Second Life / Sansar customers, the GDPR may have significant implications, including exposure to the risk of fines. For such businesses, the Lab’s advice is clear and straightforward:
If you collect or process personal data of EU residents on a website associated with Second Life or Sansar, or create or make use of programs that retain information about Second Life or Sansar users or their computers, you may also have obligations under the GDPR. You should consult with your legal counsel for advice regarding your site(s) or program(s).
– Linden Lab May 9th blog post on the upcoming GDPR
To help people get to grips with the GDPR, particularly those who have not been aware of its arrival, the Lab offers a series of links to articles and FAQs. To these I would add:
- GDPR: A simple explainer – welivesecurity.com.
- GDPR FAQ – the official EU GDPR portal site.
- GDPR Infographic – EU Commission.
The following is a brief video outlining the GDPR in under a minute.