Vandaag heeft noyb een klacht ingediend tegen de Franse gameontwikkelaar en -uitgever Ubisoft (bekend van Assassin’s Creed, Far Cry en Prince of Persia). Het bedrijf verplicht zijn klanten om elke keer dat ze een singleplayergame starten, verbinding te maken met internet. Dit geldt zelfs als het spel geen online functionaliteiten heeft. Hiermee kan Ubisoft het gamegedrag van gebruikers verzamelen. Zo registreert het bedrijf onder meer wanneer je een spel start, hoe lang je speelt en wanneer je het afsluit. Zelfs nadat de klager expliciet had gevraagd waarom hij online moest zijn, heeft Ubisoft geweigerd uit te leggen waarom dit gebeurt. Op grond van artikel 6, lid 1, AVG lijkt er geen rechtsgrond te zijn om dergelijke gebruikersgegevens willekeurig te verzamelen. Dit artikel gaat verder in het Engels.
Offline games – with obligation to be online. Most of the video games offered by French developer and publisher Ubisoft are designed around a single player experience. Among the most popular offerings in this category are the Assassins Creed, Far Cry and Prince of Persia franchise. Even though these games can be played without ever interacting with other players, Ubisoft forces PC players to connect to the internet and log in to a Ubisoft account before they can actually play a purchased game. This also happened to the complainant: After buying the Ubisoft game “Far Cry Primal” on the online marketplace Steam, he tried to launch it while being offline – only to notice that it wasn’t possible. Instead, he was forced to log into a Ubisoft account before being able to start playing.
Joakim Söderberg, data protection lawyer at noyb: “Imagine if the Monopoly man sat at your table and took notes every time you want to play a board game with your family or friends. Well, that’s the reality of video games. Often, it doesn’t even matter if the games are played online or offline. As long as you have an open internet connection when you play, your data is collected and analysed.”
Secret data collection. To find out more about Ubisoft’s data collection and tracking practices, the complainant filed an access request under Article 15 GDPR. Ubisoft replied with information such as a unique identifier for the complainant and information about when he launched the game, how long it was running and when he quit the game. Being a tech savvy individual, the complainant additionally examined what exact data was being sent to Ubisoft when playing. The complainant discovered that, over a period of just 10 minutes, the game established a connection to external servers 150 times. Among the recipients of the complainant’s data: Google, Amazon and US software company Datadog.
Game of cat and mouse to get more information. In an attempt to find out more, the complainant also contacted Ubisoft’s customer support. In its response, Ubisoft claimed that it just performs an ownership check on launch. For everything else, the complainant was referred to the company’s End User License Agreement (EULA) and privacy policy. There, Ubisoft confirms that it collects personal data “in order to provide You with a better game experience”, that it uses “third party analytics tools to collect information concerning your and other users’ gaming habits and use of the product” and that it collects “game data” as well as “login and browsing data”.
Not necessary – and therefore unlawful. The thing is: The complainant has never consented to this processing. According to Article 6(1) GDPR, this means that the processing operation is only legal if it is necessary – which isn’t the case for the complainant. Having bought the game on Steam, the ownership is already confirmed. Also, Ubisoft provides a (hidden) option to play the game offline, showing that the processing of all the personal data in the standard setup isn’t actually necessary. And even if it was, it wouldn’t explain the data collection while a game is played. If Ubisoft wants data to improve a game, it can just ask users for consent. The company can also ask players if they want to send individual bug reports to its servers. However, it does not appear to be legal for a user's PC to send constant reports by default.
Lisa Steinfeld, data protection lawyer at noyb: “Video games are expensive – but that doesn’t stop companies like Ubisoft from forcing their customers to play offline games online unnecessarily, just so they can make more money by tracking their behaviour. Ubisoft's actions are clearly unlawful and must be stopped."
Complaint filed in Austria. noyb has therefore filed a GDPR complaint with the Austrian data protection authority (DSB). We request the DSB to declare that Ubisoft infringed Article 6(1) GDPR with its processing of personal data without a valid legal basis. In addition, we request that Ubisoft deletes all personal information by the complainant that has been processed without a valid legal basis – and that the company ceases further unlawful processing. Last but not least, we suggest that the data protection authority impose an administrative fine. Based on Ubisoft’s turnover of more than € 2 billion, the data protection authority could issue a fine of up to € 92 million.
