An EVE Online corporation has been hit with a GDPR request from an ex-member

By Brendan Drain

We often talk about how EVE Online can sometimes mirror the real world in startling detail, with its complex politics, global power struggles, and player-run economy. What we didn’t expect was that in-game corporations would be dealing with legal red tape as a result of the 2018 European General Data Protection Regulation just as many real-life companies did. That’s the situation one EVE corp finds itself in today as it’s received Right of Access and Right to Erasure requests under Article 17 of the GDPR legislation from an ex-member.

According to the post on Reddit, the corp in question was blindsided by the request just as many real-life businesses were when the law came into effect last year, and it isn’t sure how to proceed or whether it is even legally required to do anything. The most hilarious part of this issue is that it does actually look like the corp may have to deal with it, as the request pertains to personally identifiable information stored on its corp/guild website. But the corp is based in Canada, and the site is hosted in the US, so can it just ignore the request? Bear with me, because this is going to get complicated.

Can he just ignore the request?

Just as with most real-life cases involving GDPR, nobody seems to agree on how it needs to be implemented. Some are telling the user that his activity is exempt under a clause that permits personal use (for example, social media accounts), but this doesn’t seem to apply as he’s actually running the website rather than just having an account on one. Others have told him he can ignore it as GDPR is only for corporations, but this doesn’t seem to be a clear case either. The legislation seems broad enough to apply equally to small groups and individuals, whether or not they make a profit.

Many people have told him that he can ignore it because EU laws don’t apply in Canada, but that’s not a clear case with GDPR either. The UK’s GDPR enforcement agency (ICO) enacted its first enforcement against a Canadian company in September when it hit AggregateIQ for processing personal data of people in the EU for political campaigning without their consent. AggregateIQ tried to pull the “EU laws don’t apply in Canada” card and claimed the ICO had no jurisdiction over it, but it later complied with the ICO’s request to stop processing data from people in the UK. This was seen as a successful test case of foreign enforcement of GDPR.

What should the EVE corp do?

The EVE corporation’s website would likely be classified as a free service that is being directed to people both inside and outside the EU, potentially making the website owner a Data Controller for the personal information of those signing up from within the EU. This role is described in the GDPR legislation and carries certain obligations, such as responding to Right of Access and Right to Erasure requests and granting them where appropriate. If the individual has left the corp and severed ties, he or she does appear to have a right to request erasure under Article 17 for either or both of the following qualifying reasons:

  • The personal data are no longer necessary for the purpose they were originally collected or processed for.
  • The group is relying on consent as its lawful basis for holding the data, and the individual withdraws his or her consent.

So what should the corporation actually do? It could simply ignore the request and hope that the individual involved isn’t going to escalate it to his or her country’s GDPR enforcement agency, or hope that that agency wouldn’t be bothered to help the user. It’s unlikely that something this trivial would ever be pursued the way that the AggregateIQ case was, and if the former guildie does choose to follow it up, this would likely just take the form of contacting the website owner to advise on how to easily comply. On the other hand, the corp could also reasonably comply with the request right now by removing or scrambling any personally identifiable information of the user in its database, such as real names and email addresses.

Do note, I am not a lawyer and this post does not constitute legal advice. Don’t follow my advice. In fact, pretend I’m a crazy person yelling through your window about GDPR.