Gaming series #7: Global data flow in the gaming sector, Alex Roberts, Jennifer Calver, Tiantian Ke, Ruoyi Lu

Knowledge

Welcome to the Knowledge Portal. You can browse, search or filter our publications, seminars and webinars, multimedia and collections of curated content from across our global network. Create an account and set your email alert preferences to receive the content relevant to you and your business, at your chosen frequency.

Gaming companies are rapidly expanding their reach to virtually (pun intended) every corner of the globe. The gaming industry has replaced the simple arcade games of yesteryear with a wide range of platforms, genres, and revenue models that make it one of the entertainment sector's most lucrative segments.

One critical factor that has contributed to this growth is the increasing role of data. As the gaming industry grapples with evolving data transfer requirements, businesses must remain vigilant and adaptable in their approach to international data transfers

Global reach

Only months after its highly anticipated release in the US at the start of the year, Warner Bros quickly saw fans of its Harry Potter game, Hogwarts Legacy, popping up all over the world. Likewise, Nintendo's latest blockbuster – Legend of Zelda: Tears of the Kingdom – has already taken the gaming market by storm, captivating players from Europe to Asia.

In a real-life kingdom, Saudi Arabia has established a gaming studio within its mega city project known as NEOM, which aims to attract the most passionate international developers and gamers to kickstart a gaming revolution in the Middle East.

Free flow of data lays the foundation for gaming development

Multinational gaming companies commonly transfer data from various locations to a single data centre (in one jurisdiction) for operational efficiency. For example:

Analysing data on player behaviour, preferences, and in-game interactions enables developers to fine-tune various aspects of their games, such as level difficulty, storyline progression, and character development, to ultimately improve their product offering.
Similarly, in terms of player monetisation, data helps developers devise targeted strategies for promoting in-game purchases and offering incentives to keep players coming back to spend more to maintain a steady revenue stream.
By collecting players’ personal information (such as cultural background, gender, age and gaming behaviour), developers may generate player profiles and further predict gaming habits, preferences and consumption motives applicable across multiple games.

All these objectives require the free flow of data.

Global concerns over cross-border data flows

Increasing scrutiny

As data becomes increasingly integral to the gaming industry, data breaches also become inevitably frequent in the sector – impacting the world’s biggest to the smallest video game publishers.

Concerns surrounding data protection and data security are front-of-mind globally. We are seeing:

At customer level – increased data privacy expectations from gamers.
At organisational level – the application of corporate responsibility principles to data (aligned with the wider phenomenon of ESG compliance).
At a supervisory level – new data and technology localisation measures issued by governments to protect national security.

These all add restrictions – or at least further compliance hurdles – to the smooth execution of international data transfers, with serious penalties and the potential for class actions in some markets where companies fail to meet them.

Challenges to gaming development

Alongside a rapidly shifting geopolitical landscape, gaming companies are set to face significant challenges to freely sharing data intragroup and among development partners.

Isolated data lakes – Restrictions on data flows may result in the creation of isolated data lakes that, due to the diminished size of datasets, could adversely impact the quality of game development – which is especially pertinent in light of the increasing use of data-hungry AI in game production.
Data hub costs – Having to establish of separate data hubs incurs additional costs and creates new barriers to entry. When coupled with strong market power / market dominance in some jurisdictions, this could lead to antitrust concerns.

Global governance

GDPR – the gold standard

The EU GDPR has broadly set a global benchmark for data protection standards, influencing the development of new data privacy regimes in countries or regions around the world, e.g. in mainland China, Thailand, Indonesia, India and Vietnam, and amendments/proposed amendments to existing legislation in Singapore, Japan, Australia, and Saudi Arabia.

As a result, gaming businesses have tended, to look to the GDPR (1) as a foundation for understanding and navigating the complexities of cross-border data flows, and (2) to map compliance gaps against the data export requirements in other relevant targeted markets in order to adopt a localised position on new territories’ data protection and data transfer strategies.

Silver lining for EU-US data transfers?

The decision by the Irish Data Protection Commission to fine US tech giant, Meta, €1.2 billion cast doubts on the viability of transfers from the EU to the US of gaming data. However, the EU and the US this week finalised a year-long negotiated deal on sharing data via the Transatlantic Data Privacy Framework, which signifies an end to the legal uncertainty – at least for now.

Multilateral options – viable alternatives?

Given the diversity of data export requirements across jurisdictions, a better option for many international gaming companies may be to formulate multilateral agreements among markets.

Efforts to agree various frameworks for international data transfers are ongoing around the world including:

Asia-Pacific Economic Cooperation Cross-Border Privacy Rules and Privacy Recognition for Processors Systems – a voluntary certification mechanism to facilitate broader free data flows in the APAC region. As of today, gaming companies can leverage the mechanism in seven of the nine participating economies.
ASEAN Model Contractual Clauses – a baseline set of contractual clauses that data exporters and importers in all ASEAN Member States. The European Commission and ASEAN have also published a Joint Guide to ASEAN MCCs and EU SCCs, to promote adoption beyond the Asia trading bloc.
OECD – 38 OECD countries and the EU have adopted a non-binding inter-governmental declaration on access to personal information for national security and law enforcement purposes, although the implications of this achievement are largely yet to be realised at a practical level.

Gaming companies operating internationally should monitor developments around these alternative transfer initiatives, as some may offer more convenient approaches to data transfers compared to the GDPR and other fragmented regulatory solutions.

It may be easier to set one bar that all parts of a multinational organisation can strive to meet, even if overall a higher compliance burden is needed.

Looking ahead

Restrictions on data exports seem inevitable in the face of growing national security, data sovereignty and privacy concerns within key stakeholder groups.

Understanding the nuances and implications of the new rules and frameworks affecting international data transfers will be critical for gaming companies to stay ahead in a competitive market. Ensuring compliance with the generally data protection laws in the markets they operate is also crucial, given the potential for significant penalties and reputational damage.

See our gaming webpage for more details of and how we are supporting clients in the industry.