Legal Aspects of Citizen Science in Video Games

Sebastian Schwiddessen

2020-07-27


Contents

I. Introduction
  1. The idea behind citizen science
  2. The next level: Implementing citizen science into traditional video games or adding competitive elements
  3. How citizen science is implemented into traditional video games
  4. Results
  5. Setup of typical multi-party citizen science projects
II. Data protection law
  1. Personal data subject to the citizen science project
    a. Potential categories of personal data
      aa. Category 1: General personal data of users
      bb. Category 2: Personal data of users collected specifically in connection with the citizen science project
      cc. Category 3: Personal data of third parties collected specifically in connection with the citizen science project
      dd. Category 4: Personal data of third parties collected and provided by the researcher for the citizen science project
    b. Not all data is personal data (especially proteins)
  2. Controller or processor? Assessment of the role of the parties involved in the citizen science project
    a. The researcher
    b. The service provider
    c. The video game company
    d. Other group entities and service providers
    e. The citizen scientists (players/users)
  3. Legality of the processing
    a. Requirement of a legal basis
    b. Exemption for processors
    c. The GDPR scientific research privilege
    d. Assessment of available legal bases
      aa. Regular personal data
        (1) Consent (Art. 6 (1) sentence 1 lit. a GDPR)
          (a) Freely given
            (aa) The issue of bundled and conditional consent
            (bb) Other outcome where the citizen science project is seamlessly implemented into the game?
            (cc) Specifics with regard to the researcher
          (b) Specific
          (c) Informed
            (aa) Identity of the controller
            (bb) Purpose
            (cc) Personal data
            (dd) Risks of third country data transfers
            (ee) Timing of obtaining consent
            (ff) Unambiguous indication of wishes
        (2) Performance of a contract exemption (Art. 6 (1) sentence 1 lit. b GDPR)
        (3) Public interest (Art. 6 (1) sentence 1 lit. e GDPR)
        (4) Legitimate interest (Art. 6 (1) sentence 1 lit. f GDPR)
      bb. Special categories of personal data
        (1) Explicit consent (Art. 9 (2) lit. a GDPR)
        (2) Substantial public interest (Art. 9 (2) lit. g GDPR)
        (3) Public interest in the area of public health (Art. 9 (2) lit. i GDPR)
        (4) Scientific or historical research purposes (Art. 9 (2) lit. j GDPR)
  4. Data transfers within multi-party video game citizen science projects
    a. Data transfers within the EU/EEA
      aa. Controller-to-controller
      bb. Controller-to-processor
    b. Data transfers outside the EU/EEA
      aa. Step 1
      bb. Step 2
        (1) Adequacy decision
        (2) Appropriate safeguards
        (3) Derogations for specific situations, in particular consent
      cc. Examples
  5. Requirements and benefits of the GDPR scientific research privilege
    a. Scientific research within the meaning of the GDPR
    b. Appropriate safeguards
    c. Benefits of the scientific research privilege
      aa. Exemption from the principle of purpose limitation for further processing
      bb. Exemption from the principle of storage limitation
      cc. Exemption from Art. 14 GDPR information obligations
      dd. Exemption from the right to erasure (Art. 17 GDPR)
      ee. Exemption from the right to object (Art. 21 GDPR)
      ff. Exemption from the right to access, rectification, restriction and object, pursuant to Art. 15, 16, 18 and 21 GDPR on the basis of EU member state law
      gg. Exemption for special categories of personal data
      hh. Broad consent
      ii. Application of legitimate interest exemption is more likely
III. Copyright law (high-level comments)


For some time now, start-ups, health care and tech companies have been experimenting with smaller video games to have people around the world help with categorizing or analyzing big data sets that typically take months or even years to analyze. The idea is that if everybody invests only a few minutes, the work could be done in days or weeks instead of years. A player who participates has to solve a few simple matchmaking or categorization tasks and can thereby help in research related to cancer, Alzheimer's disease, and the categorization of human genomes or proteins.

Citizen science in video games has of late been getting more attention from well-known backers from the games industry, such as CCP with Eve Online and Gearbox with Borderlands. Some video game companies have also started to leverage their huge player base by asking players to carry out smaller tasks to improve the company's own technology, which is essentially the same concept as citizen science. Furthermore, new start-ups are emerging that help connect video games with traditional citizen science projects. As a result, some projects have not only made it to the front page of The Wall Street Journal but also rank among the most successful citizen science projects overall. With that in mind, it is not surprising that the EU recently decided to fund, to the tune of EUR 1 million, the idea of connecting video games with actual science under the Horizon 2020 research and innovation programme.

Headlines were also made when several tech companies, including Nvidia, recently called on PC gamers to help fight COVID-19 by donating unused graphical processing power to Folding@home, a distributed computing project based at the Washington University in St. Louis School of Medicine, which performs molecular dynamics simulations of protein dynamics.

The following article describes the phenomenon of citizen science around the video games industry and addresses some of the most striking data protection law aspects, mainly from the perspective of the EU General Data Protection Regulation (GDPR). The GDPR remains one of the most practically relevant data protection regimes due to the significant sanctions it provides for, and because it also applies to the processing of personal data of persons within the EU/EEA even if the relevant company is established abroad but offers goods or services to persons within the EU/EEA. Since video games are often played by players across the globe, and typically also by players in the EU/EEA, the territorial scope of the GDPR catches most video game companies. At the end, the article also briefly touches on copyright questions.

I. Introduction

1. The idea behind citizen science

Citizen science is scientific research conducted, in whole or in part, by amateur or nonprofessional scientists. Citizen scientists can take over simple tasks, such as taking the temperature at a certain location and transferring the data to the researcher, or categorizing/analyzing large data sets with regard to certain patterns (e.g., genomes/proteins). Even though many data sets only require simple pattern analysis, they are often too large to be processed by the researcher alone. In some cases, the required work can amount to several hundred years of work time. However, if only a small portion of the world's population voluntarily participated in the effort with very little time investment, the work could often be done in a few days or even hours.

Other forms of citizen science do not even require the player to become active at all. When players were asked to donate unused graphical processing power to help fight COVID-19, all they had to do was install a small tool on their PC, which allowed remote access to their GPU and connected the GPUs of thousands of players around the world to one giant cloud network that analyzed the homologous structure of the SARS-CoV spike protein to identify therapeutic antibody targets.

2. The next level: Implementing citizen science into traditional video games or adding competitive elements

Despite the advantages from a social, scientific and economic perspective, many traditional citizen science projects struggle with high drop-out rates and decreasing motivation. While citizens are often motivated at the beginning by the sole purpose of doing something good, their interest fades over time, in particular with long or indefinitely running projects. For many, the work is simply too repetitive, out of context and yields no reward. This is why game developers, start-ups and some larger tech and health care companies have started to experiment with developing smaller casual video games (e.g., puzzlers) to make the work more motivating and fun for the participants.

Recent projects even went a step further with the idea of connecting traditional and hugely successful AAA video games with citizen science (e.g., Eve Online). This way, three basic motivation factors are modified: (1) the citizen science project is fully integrated into the world and story of a video game, with the players sometimes not even knowing that the game content they are currently playing (e.g., a side quest) is part of a science project; (2) the players receive an incentive for their participation, typically in the form of an in-game reward (e.g., in-game currency, a character skin or weapon); and (3) the task and amount of work is limited right from the start (e.g., by having the players analyze only 250 data sets to receive the relevant in-game reward instead of an indefinite number).

Under this concept, video game companies can help researchers such as universities or science projects with valuable input or can even take over scientific work for companies in exchange for remuneration. Some video game companies have also adapted the concept by leveraging the potential workforce of their player base to improve their own technology, such as by having mobile players take and transfer pictures of public places, which can subsequently be used to build virtual environments or improve AR mechanisms.

Successful projects like Folding@home, which use hardware resources voluntarily donated by citizen scientists (e.g., to fight COVID-19 and other diseases), also apply additional motivational elements. Participants are awarded points and receive credits for the performance of their system. Users can register their contributions under a team. All points are combined, which allows teams to compete against each other, a challenge appreciated by hardware enthusiasts such as PC overclockers.

3. How citizen science is implemented into traditional video games

Considering that citizen scientists are nonprofessionals, and because it must be expected that a certain number of players will not take the task seriously enough or might even willfully produce false data, the question that comes to everybody's mind is: Does it really work? Two citizen science projects that were both implemented into the hugely popular sci-fi game Eve Online clearly show that the answer to the question is "yes." In a joint effort between the Human Protein Atlas, the Swiss start-up Massively Multiplayer Online Science (MMOS) and Eve Online developer CCP, a first citizen science project was implemented into Eve Online, which required players to conduct research for the in-game organization Sisters of Eve to discover the origin of the Drifter race. The latter had been introduced in the game's lore a few years before. Called Project Discovery, the project asks players to categorize proteins according to specific criteria. Players first have to go through a short tutorial that has them categorize some examples with varying degrees of difficulty. Afterwards, the player has to categorize unknown pictures. To determine the precision of the player, training pictures that serve as a benchmark are regularly inserted into the flow. If the benchmark results turn out to be unsatisfactory, the player will only be provided with training pictures for the rest of the game. The same treatment is applied to so-called trolls. Later, a second citizen science project was launched, which asked players to analyze patterns to identify real exoplanets in the virtual Eve Online universe.
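The benchmark gate described above for Project Discovery, modelled as an added Python example that is not code from the article, CCP or MMOS; the benchmark ratio, the accuracy threshold, the cell-compartment labels and the three simulated players are constructed assumptions. It shows why the same mechanism catches both the deliberate troll and the merely careless player while leaving the diligent one untouched.

```python
# Added example, not code from the article, CCP or MMOS: a minimal model of the
# Project Discovery quality gate. Benchmark ("training") pictures with a known
# label are mixed into the flow; a player whose benchmark accuracy drops below
# the threshold (trolls included) is switched to benchmark-only mode, so that
# their answers on unknown pictures no longer enter the result set.
# Benchmark ratio, threshold, labels and simulated players are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import random

BENCHMARK_EVERY = 4   # every 4th picture served is a benchmark (assumption)
MIN_ACCURACY = 0.7    # demote below this benchmark accuracy (assumption)
MIN_BENCHMARKS = 5    # judge a player only after this many benchmarks (assumption)


@dataclass
class Task:
    task_id: str
    expected: Optional[str] = None  # known label for benchmarks, None for unknowns


@dataclass
class Player:
    player_id: str
    served: int = 0
    benchmark_seen: int = 0
    benchmark_correct: int = 0
    training_only: bool = False   # once True, the player only ever sees benchmarks

    @property
    def accuracy(self) -> float:
        return self.benchmark_correct / self.benchmark_seen if self.benchmark_seen else 1.0


class QualityGate:
    """Serves pictures and accepts answers only from players still in good standing."""

    def __init__(self, benchmarks: List[Task], unknowns: List[Task], seed: int = 0):
        self.benchmarks, self.unknowns = list(benchmarks), list(unknowns)
        self.rng = random.Random(seed)
        self.players: Dict[str, Player] = {}
        self.accepted: Dict[str, List[str]] = {}   # unknown task_id -> accepted labels

    def next_task(self, player_id: str) -> Task:
        p = self.players.setdefault(player_id, Player(player_id))
        p.served += 1
        # Demoted players and every BENCHMARK_EVERY-th picture get a benchmark;
        # the player cannot tell the two kinds of picture apart.
        if p.training_only or p.served % BENCHMARK_EVERY == 0:
            return self.rng.choice(self.benchmarks)
        return self.rng.choice(self.unknowns)

    def submit(self, player_id: str, task: Task, label: str) -> bool:
        """Record an answer; return True only if it entered the result set."""
        p = self.players[player_id]
        if task.expected is not None:
            p.benchmark_seen += 1
            p.benchmark_correct += int(label == task.expected)
            if p.benchmark_seen >= MIN_BENCHMARKS and p.accuracy < MIN_ACCURACY:
                p.training_only = True   # demotion lasts for the rest of the game
            return False                 # benchmark answers never count as results
        if p.training_only:
            return False                 # late answer from an already demoted player
        self.accepted.setdefault(task.task_id, []).append(label)
        return True


def run_player(gate: QualityGate, player_id: str, answer: Callable[[Task], str],
               rounds: int) -> Tuple[int, bool]:
    """Drive one simulated player through `rounds` pictures: (accepted, demoted)."""
    accepted = 0
    for _ in range(rounds):
        task = gate.next_task(player_id)
        accepted += gate.submit(player_id, task, answer(task))
    return accepted, gate.players[player_id].training_only


# Constructed sample data: benchmark pictures only ever expect one of two labels.
LABELS = ("nucleus", "cytoplasm", "mitochondria")
BENCHMARKS = [Task(f"bench-{i}", LABELS[i % 2]) for i in range(12)]
UNKNOWNS = [Task(f"img-{i}") for i in range(50)]


def honest(task: Task) -> str:
    """Diligent player: right on benchmarks, a fixed opinion on unknown pictures."""
    return task.expected or LABELS[int(task.task_id.split("-")[1]) % 3]


def troll(task: Task) -> str:
    """Troll mashing one button, which happens never to be a benchmark answer."""
    return "mitochondria"


def make_sloppy() -> Callable[[Task], str]:
    """Careless player who gets every second benchmark wrong (3 of 5 = 60%)."""
    state = {"n": 0}

    def answer(task: Task) -> str:
        if task.expected is None:
            return "nucleus"
        state["n"] += 1
        return task.expected if state["n"] % 2 else "mitochondria"
    return answer
```

Running `run_player(QualityGate(BENCHMARKS, UNKNOWNS), "troll", troll, 40)` demotes the troll at the fifth benchmark (the 20th picture), so only the 15 earlier answers on unknown pictures ever reach the result set and every later picture served is a benchmark.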

4. Results

Project Discovery exceeded all expectations. At the beginning, the organizers were hoping for 40,000 classifications each day, with 100,000 being regarded as a maximum positive peak result. However, after Project Discovery went online, 900,000 classifications per day were reached immediately, later evening out at 100,000 classifications per day. After only six weeks, the Eve Online player base had generated the equivalent of 163 working years in protein classifications.

The second project, which had players analyze patterns to identify real exoplanets in the virtual Eve Online universe, was even more successful. With 13.2 million classifications submitted during the first week alone, the project became one of the most successful citizen science projects of all time in terms of user activity.

Even more successful was the call to PC gamers to donate unused GPU resources of idle PCs to fight COVID-19. Before that call, the Folding@home project was already one of the world's fastest computing systems, with a speed of approximately 98.7 petaFLOPS as of early March 2020. However, after several tech companies such as Nvidia and Intel called upon PC owners to donate their GPU power in the midst of the coronavirus crisis, it was announced on April 13, 2020 that Folding@home now had approx. 2.4 exaFLOPS of compute power, making it faster than the 500 fastest supercomputers combined.

5. Setup of typical multi-party citizen science projects

The idea of connecting citizen science projects with video games is still quite recent, and it is still difficult to classify a certain setup as standard. From a legal perspective, citizen scientists donating computing power to a researcher is relatively simple. The researcher provides client software that users must install on their PC or other device. The researcher might also engage a third-party cloud service provider where data is stored and processed. Such a scenario could be illustrated as follows:

[Diagram: the Researcher (e.g., university / pharma cooperation) has a client software agreement with the Computing power donator (e.g., PC user) and a service agreement with the Service provider (e.g., cloud service).]


Scenarios in which a company or researcher directly develops a video game that includes a citizen science project look similar:

[Diagram: the Citizen science game developer has a software agreement with the Players (citizen scientists) and a service agreement with the Service provider (e.g., cloud service).]

However, the setup of citizen science projects that are directly implemented into a traditional AAA video game (e.g., Eve Online as described above) is significantly more complex. Here, the typical setup can involve a researcher (e.g., a university, science lab, pharma company), a service provider that provides expertise on implementation strategies and/or IT interfaces, and lastly the video game company. The video game company can be part of a group of companies located in different jurisdictions and maintain service providers such as cloud servers from where the video game is operated. The relationships between the different participants could be illustrated as follows:

[Diagram: the parties shown are the Researcher (e.g., university / pharma cooperation), the Service provider (provides expertise, organization and IT services), the Video game company, Other group entities (e.g., parental company), Several service providers (e.g., cloud service provider) and the Players (citizen scientists); the relationships between them are labelled "service agreement or cooperation" and "service agreement".]

II. Data protection law

Considering the number of parties and individuals involved in citizen science projects and the fact that any citizen science project is almost inevitably a multijurisdictional project, the first area of law that comes to mind when assessing citizen science from a legal perspective is data protection law. The following sections describe some data protection law aspects that come up when this area of law is assessed.

1. Personal data subject to the citizen science project

a. Potential categories of personal data

Depending on the specific setup of the citizen science project, four different categories of personal data could (but do not have to) be involved:

aa. Category 1: General personal data of users

This group concerns personal data of users that is, for instance, used for the purpose of providing the video game but that is also needed for the citizen science project. Examples are user ID, IP address, name and email address. Since such data will be processed for an additional purpose, amending existing privacy policies, processing agreements and other data protection documents might be required. Data category 1 only concerns those cases where the citizen science project is integrated into a video game, and not citizen science projects that, for instance, leverage unused processing power of players (such as Folding@home). The difference is that in the case of the latter, the processing purpose with regard to general personal data lies only in executing the citizen science project, whereas in a video game the same data is used for two purposes at the same time: (i) providing the video game; and (ii) executing the citizen science project.

bb. Category 2: Personal data of users collected specifically in connection with the citizen science project

This category involves personal data of users collected specifically in connection with the citizen science project. Thus, this category will typically concern personal data that is either directly required for the project (e.g., location data for a project where a video game player has to report certain observations at different locations), or where the users themselves are the subject of the project (e.g., a survey), or that is collected incidentally (e.g., IP addresses or metadata included in an image or other file created and transferred by the user).

With regard to projects that do not involve a video game but only the use of unused player CPU/GPU resources (like Folding@home), this data category might also involve name, email and IP address and other basic data collected in the course of installing/registering the client software on the user's PC.

cc. Category 3: Personal data of third parties collected specifically in connection with the citizen science project

This category involves personal data of third parties collected specifically in connection with the citizen science project. Like the preceding category, this could involve either personal data directly required for the project (e.g., the names of third parties in a public survey conducted by the user) or data that is collected incidentally (e.g., bystanders in pictures of public places taken and uploaded by the user in the course of the citizen science project).

dd. Category 4: Personal data of third parties collected and provided by the researcher for the citizen science project

This category involves personal data of third parties that has been collected by the researcher (e.g., a university or private company) prior to the citizen science project and which is now provided to be analyzed/processed by the citizen scientists. An example would be a university providing already collected personal data to a video game company to be implemented into a video game and subsequently analyzed by the players in the course of the citizen science project. Cases where personal data is provided to be analyzed/processed by the unused CPU/GPU power of the player also belong in this category. Examples would be huge data lists, some forms of genetic data, or pictures of public places with bystanders.

b. Not all data is personal data (especially proteins)

Of course, not all data provided by the researcher constitutes personal data subject to applicable data protection laws. For instance, where the players are required to analyze astronomic data involving planets and space phenomena (see the actual example in the introductory section), the respective data will typically not constitute personal data. Nevertheless, this category often requires closer legal analysis. Some data might constitute personal data under one data protection regime but not under another.

The approach under the US HIPAA Privacy Rule provides that health information is de-identified if a qualified expert determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information (45 C.F.R. § 164.514 (b)(1)(i)).

Under the GDPR, "personal data" means information relating to an identified or identifiable natural person. A person is considered to be identifiable when such person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 (1) GDPR). According to EU data protection authorities, in order to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.

The US approach seems less strict compared to the GDPR as: (1) a "very small" risk does not necessarily mean that the identification cannot be "reasonably expected" from a GDPR perspective; and (2) it only concerns identification by an "anticipated recipient," whereas under the GDPR any party must be considered.

In particular with regard to genetic data or proteins, the requirement of identifiability will depend on the means likely reasonably to be used by anyone to identify the person. If, for instance, the researcher still has the technical means to identify the data subject with reasonable effort based on the genetic data, such data must be considered personal data, at least from a GDPR perspective. Moreover, the personal data in question here would not only constitute "normal" personal data but a special category of personal data that may only be processed under very strict conditions (Art. 9 GDPR).

A large number of video game citizen science projects (including those to fight COVID-19) focus on the analysis of protein patterns and other genetic data. However, a single protein will typically not constitute personal data from a GDPR perspective as it will be almost impossible to link it to a certain individual. The case might be different where a combination of proteins is analyzed that is very rare and can therefore be connected to an individual person. The same applies to DNA. A single DNA sequence typically does not constitute personal data from a GDPR perspective since this sequence can occur within millions of humans. Longer sequence chains, however, can often be connected to an individual and therefore constitute personal data subject to the GDPR.

2. Controller or processor? - Assessment of the role of the

parties involved in the citizen science project

Another key question with regard to any citizen science

project is the role the different parties involved in the project take from a data protection law perspective. This question

requires a case-by-case analysis considering the various potentially applicable data protection law regimes and the

fact that every citizen science project involves a different setup and different responsibil ities of the involved parties

with regard to the processed personal data. Under many data protection law regimes, the key differentiation is whether the

relevant party takes the role of a controller or processor (though the term might vary under different data protection

laws). Depending on this classi fication, the legal requirements that must be complied with by each party can

significantly vary. The following section discusses the classification of some of the parties outlined above in the

setup section and charts from a GDPR perspective:

a. The researcher

The role of the researcher will most l ikely become relevant

with regard to personal data categories 2 to 4 (see above 1). Since data category 1 (general player data) is mainly

processed for the mere purpose of operating the video game (e.g., name, IP and e-mail address), the data will typically be

controlled by the video gaming company with the researcher neither having access to such data nor being able to

determine the purposes and the means of the processing (to the extent it does not also fall under category 2). The fact that

data category 1 is automatically needed for the citizen science project (which is integrated into the video game)

does not change anything as it is sti l l the video gaming company that controls this data. An exemption applies of

course where the video game is (also) developed/operated by the researcher itself. With regard to citizen science

projects that do not involve a video game but only provide unused GPU/CPU power, data category 1 is irrelevant (see

above already).

With regard to data categories 2 to 4, the researcher will most l ikely have to be regarded as a controller. "Controller" means

the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the

purposes and means of the processing of personal data (Art. 4 (7) GDPR). The researcher determines the scientific and/or

economic purpose of the processing in the course of the citizen science project and will naturally also be involved in

the determination of the means of the processing as the latter is key to the success of the project. The fact that a video

game company might collect the data (e.g. data category 2 and 3) and therefore likely has a say in the means of the

processing as well does not change the controller role of the researcher. Where two or more controllers jointly determine

the purposes and means of processing, they shall be joint controllers (Art. 26 sentence 1 GDPR). Whether and to which

extent the researcher itself actually processes the personal

data at first is not relevant for its status as controller, as long as the researcher is also responsible for the decision-making

with regard to the purposes and means of the processing.

b. The service provider

More difficult is the categorization of the service provider

(where applicable), which typically provides :(1) expertise and advice on the implementation of the citizen science

project in the video game; (2) organizational services; and (3) infrastructure, in particular IT services (API, SDK and other

interfaces, cloud platforms and access portals) to both the

researcher and the video gaming company.

Like the researcher, the role of the service provider will most likely only become relevant with regard to personal data categories 2 to 4 (see above). With regard to category 1 (general player data), the data should be controlled only by the video gaming company, with the service provider having no access to such data (as long as it does not also fall under category 2). Again, an exemption applies if the researcher is (also) responsible for developing/operating the video game.

Based on practical experience, service providers often prefer

to be regarded as processors, with the argument that they only assist in somebody else’s project. However, for

differentiation between controller and processor, preferences and even the contractual framework and terms and

descriptions therein are not primarily decisive. The classification of the service provider depends instead on a

case-by-case analysis considering the specific setup of the citizen science project and the activities executed by the

service provider.

A "processor" means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller (Art. 4 (8) GDPR). Processors may not use the received data for their own purposes and must strictly follow the instructions of the controller. The processor is not “lord of the data” but only an “extended arm” of the controller. A processor has no decision-making authority with regard to the purpose and the means of the data processing. A processor cannot pursue its own interests that go beyond the actual services provided with regard to the processed personal data. Consequently, whoever determines the purposes and means of the processing does not take the subordinate role of a processor. The same applies if the purpose and means of the processing are determined together with the controller (joint controllership). A controller retains exclusive control over the purpose for which the data is processed at any stage of the project. In contrast, the processor typically only has the freedom to take minor decisions, such as technical decisions (e.g., which operating system is used). Furthermore, processors typically have no need to retain the personal data after the processing activity has been terminated. Most importantly, processors do not determine the personal data that is collected or the manner in which the processing will be carried out.

Having said that, with regard to the provided infrastructural IT services, the service provider will most likely have the role of a mere processor. The provision of IT services, such as software-as-a-service and cloud services without content-related data access, is a typical activity of a processor. Such activity ends once the service contract is terminated and the processor does not retain any of the personal data collected.

However, this does not automatically mean that the service

provider takes the role as a processor with regard to the


provided advisory and organizational services. A processor can at the same time be a controller of the same personal

data if it processes such data for different purposes. Thus, the service provider might process some personal data as a

processor for the controller’s purposes and only upon its instruction, but also process that same personal data for its

own separate purposes. This would in particular be the case if the service provider by organizing, advising and assisting

the project, determines which personal data should be collected for the project, how it will best be collected, where

it is transferred to, how the data will be analyzed and thereby processed, and who has access to the data. Even if the

service provider carries out all these activities to assist the researcher’s science project, the service provider would still

be a (joint) controller from a GDPR perspective. Assigning the technical/professional execution of a project – even partly

– to somebody else is a typical controller activity for the executing part. Thus, where the researcher would assign the

details of the implementation of the citizen science project into the video game (partly) to the service provider and is

only/mainly interested in the produced data to study it later, the service provider would be a controller. This would apply

even more if the service provider obtains a right to retain some of the personal data for its own purposes, such as to

improve its services for future projects.

c. The video game company

The role of the video game company will typically become

relevant for all four personal data categories outlined above (see above 1). With regard to category 1 (general player

data), the video game company is the controller as it determines the purpose and means of how such data is

processed to operate the video game and with it the citizen science project. However, the video game company will likely

also be a controller with regard to the other data categories 1 to 3 even though it might in the end only provide a service

for the researcher by assisting the latter with its citizen science project. The video game company is the operator of

the video game into which the citizen science project is integrated. It has creative control over the integration, which

naturally involves decisions on how the personal data is collected (data category 2 and 3) and/or processed (data

category 4). Again, assigning the technical/professional execution of a project (in this case the creative integration of

the citizen science project into the game) to somebody else is a typical controller activity for the executing party. The

video game company also determines the purposes of the processing as it has an interest in an engaging experience

for its players and therefore also uses the personal data for

its own purposes.

d. Other group entities and service providers

Like all companies, video game companies or researchers often maintain other group entities (parent company, subsidiaries, affiliates) and engage service providers for various services (e.g., cloud service providers to host the game or to process the data analyzed by donated CPU/GPU power). The role of these entities depends on a case-by-case analysis and cannot be conclusively assessed in this article as every setup will likely be different. While service providers such as cloud services typically constitute only processors or sub-processors, the role of other group entities is more difficult to determine. However, even in cases where the citizen science project is primarily handled by a subsidiary/affiliate within the group of companies, the parent company may still take the role of a (joint) controller. For instance, a video game parent company would be a joint controller if it – together with its subsidiary – is responsible for the creative control and/or the decision-making process on the implementation of the citizen science project into a video game and consequently on how the relevant data is collected/processed.

There are, however, cases where the parent company only provides certain processing services for its subsidiaries. A common example is payroll services for employees of the subsidiaries. The processing of employee personal data by the parent company for the purposes of payroll is a typical processing activity that often takes place solely upon the instruction of the subsidiary, which remains the employer of the local employees. For this reason, many subsidiaries enter into processing agreements and international data transfer agreements with their parent companies. With regard to a citizen science project, however, a similar categorization of the parent company as a mere processor would require that the parent company has no influence on the implementation/development of the video game citizen science project but only processes the personal data upon the instructions of its subsidiary, for instance as an intermediary that commissioned the cloud services provider where the video game is operated (which would make the cloud service provider a sub-processor of the subsidiary).

e. The citizen scientists (players/users)

The role of the citizen scientists (players/users) will only become relevant in case of personal data categories 3 and 4 (see above II.1.a.cc. and dd., that is, where the users are either required to collect new personal data in the course of the citizen science project or to analyze personal data that has been provided by the researcher). If every individual player had to comply with all requirements under the GDPR, many citizen science projects would be difficult to realize. However, according to Art. 2 (2) lit. c, the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. Personal activities refer to activities that serve the purpose of self-expression, self-development or the exercise of personal freedoms during one's free time or in one's private space. While the citizen science project might have a commercial or other interest-driven background that justifies the application of data protection laws with regard to the companies/researchers behind it, the players of a video game are still exercising a simple hobby. This applies regardless of whether or not the players are aware that their activity is part of a citizen science project (the latter in case of a seamless integration of the project into a video game). Even the willful or idealistically motivated participation in a citizen science project that is integrated in a hobby such as a video game can arguably be regarded as an activity of self-development or the exercise of personal freedom in one's free time or private space. The same applies of course to people who donate their unused CPU/GPU power to projects like Folding@Home to fight COVID-19 and other diseases. Thus, based on the so-called household exemption, it can be argued that players, for instance, do not require a legal basis for the processing of personal data (see next section in this regard) or have to maintain processing registers. This also applies with regard to data that is transferred from the player to the video game company (data category 3). Players do not have to meet the GDPR requirements for data transfers if they only pursue a hobby, similar to users of social networks who post personal data on their profile (e.g., a picture with bystanders), which also results in the transfer of such data. Needless to say, however, the data recipients (e.g., the video gaming company and the researcher) must comply with the GDPR with regard to the data transferred to them and therefore require a legal basis to process such data. This interpretation is supported by recital 18 sentences 2 and 3, which state the following:

Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

As mentioned above, the fact that players might not have to comply with the GDPR does not release the other stakeholders involved in the project from their obligation to do so. Having said that, some of the obligations that apply to the other parties can also extend to the players. This applies in particular to data category 4, which is transferred to the players in the course of the project to be analyzed/processed by them. While the player activities might fall under the household exemption, the preceding transfer of data category 4 from the video game company and/or the researcher to the players does not. In this scenario, players likely take the role of a processor, which would require the conclusion of a data processing agreement and the implementation of certain technical and organizational security measures on the side of the player to protect the transferred data. Naturally, this might deter a large number of players from participating in the project. The only option to completely avoid this consequence would be to fully anonymize the transferred data prior to the transfer, which would render the GDPR inapplicable. However, some projects and data might not allow full anonymization. In this scenario, the only remaining (realistic) option would be to directly implement the data processing agreement into the video game and have it accepted by the players, the same way the player must accept the terms of service of the game. The required technical and organizational security measures to protect the transferred data could be directly implemented into the video game.

3. Legality of the processing

After having determined the roles of the different entities, the legality of the various processing operations should be assessed. Due to their multi-jurisdictional setup, citizen science projects typically require looking at different applicable data protection regimes. From a GDPR perspective, the following aspects are relevant:

a. Requirement of a legal basis

From a GDPR perspective, the processing of personal data is generally prohibited unless a legal basis applies. This applies to both the processing of normal personal data (Art. 6 (1) sentence 1 GDPR) and the more sensitive special categories of personal data (Art. 9 (1) GDPR). Further legal bases can be found in national data protection laws and sector-specific laws. For the determination of the legal basis, it must be differentiated between the various parties and the categories of personal data involved in the citizen science project.

It is important to determine the legal basis before the commencement of the citizen science project. According to the prevailing opinion amongst EU data protection authorities, “the application of one of these six bases must be established prior to the processing activity and in relation to a specific purpose” (EDPB Guidelines 05/2020 on consent under regulation 2016/679, p. 25). This can be derived from the requirement that data subjects must be informed about the applicable legal bases and the purpose for which their data is processed prior to the processing (Art. 13/14 (1) lit. c GDPR). Consequently, the legal bases cannot be swapped afterwards. The European Data Protection Board (EDPB) has summarized this requirement with respect to the legal basis of consent as follows:

It is important to note here that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent. Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals.

In other words, the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Because of the requirement to disclose the lawful basis which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful basis is.

(EDPB Guidelines 05/2020 on consent under regulation 2016/679, p. 25)

Furthermore, it should be noted that each processing activity

requires a legal basis. For instance, the collection of the personal data, its analysis, the data transfer to the other

parties of the citizen science project, and the processing/analysis by these parties, are each different

processing operations, which all require a legal basis to be justified. This also means that where one processing

operation might be justified by a legal basis, another processing operation may not necessarily also be justified.

For example, the collection and analysis of the data might be justified on the basis of the legitimate or public interest

exemption. However, this does not necessarily mean that the data transfer to a third country is also justified by this

exemption. The same applies to consent. Obtaining consent from data subjects to process their data in the course of the

citizen science project does not mean that the data can be transferred to the other parties of the citizen science project,

unless the consent was specifically tailored in this regard.

b. Exemption for processors

An exemption from the requirement of a legal basis applies to mere processors (Art. 28 GDPR). An example is the service provider, which takes the role of a mere processor with regard to the provision of infrastructural software and cloud services that are used by the other parties of the citizen science project (see the scenarios outlined under I.5). Since a processor processes personal data only on behalf of the controller and upon the instructions of the controller, the relevant processing operations are not processing operations of the processor itself but of the controller, which alone determines the purposes and means. Thus, the controller must be able to rely on a legal basis for its processing operation. The processor, on the other hand, must only comply with processor-specific requirements (e.g., conclusion of a processing agreement and the implementation of technical and organizational security measures).

c. The GDPR scientific research privilege

The GDPR includes a so-called scientific research privilege set out in Art. 89 (1) GDPR. While this does not immediately become evident from the wording of the provision, the basic mechanism is as follows: in exchange for implementing certain safeguards, scientific researchers enjoy a variety of privileges in the form of reduced or less strict requirements (for a full list, see II.5 below). The scientific research privilege is often the first thing that comes to mind when it comes to determining the legality of processing operations conducted for research purposes. However, the scientific research privilege does not release the controller from the obligation that the processing must have a legal basis. In other words, even if the data processing is privileged in accordance with Art. 89 GDPR, it must still be legal under the general principles of Art. 6 and 9 GDPR, which means that the processing must be justified by an applicable legal basis. Furthermore, the scientific research privilege does not apply to research that only follows commercial purposes, such as improving the exclusive market, sales and competitive position. While the scientific research privilege generally also applies to private companies, the term "research for scientific purposes" only refers to scientific research that primarily serves the purpose of acquiring knowledge for the general public. This will in many cases apply to universities and science institutions but not, for instance, to pharma companies that develop new drugs to improve their market position. The scientific research privilege will be addressed further below (under II.5) and is only referenced in this section where it has implications.

d. Assessment of available legal bases

For the determination of the legal basis, one must again

differentiate between the various parties and the categories of personal data involved in the citizen science project. The

following legal bases are most relevant to discuss in terms of

citizen science projects:

aa. Regular personal data

(1) Consent (Art. 6 (1) sentence 1 lit. a GDPR)

With regard to classic scientific research involving personal data, consent is one of the most important legal bases.

Nevertheless, it should be noted in advance that the controller, and in particular the video game company, should

only rely on consent if no other legal basis is available as consent has several disadvantages, such as the possibility

to withdraw consent and its lack of flexibility. Controllers often consider consent to be the easiest way to get a project done,

especially if that means avoiding the implementation of technical and organizational security measures such as data

anonymization and pseudonymization. However, that is a false impression as the requirements for consent under the

GDPR are very strict and can easily result in an invalidly obtained consent or reduced immersion of the video game

(e.g., consent pop-up window during gameplay). Thus, if possible, the controller should always try to rely on other

legal bases and not consider avoiding the implementation of technical and organizational measures as the better option.

It’s not.

Nevertheless, depending on the project, there will be cases

where consent is the only remaining option. Where the controller relies on consent, all conditions for valid consent

under the GDPR must be met. Consent is defined as “any freely given, specific, informed and unambiguous indication

of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies

agreement to the processing of personal data relating to him or her” (Art. 4 (11) GDPR). Depending on the different parties

involved in a video game citizen science project, several of

these conditions require a closer look.

(a) Freely given

The "freely given" condition might, in particular, play a role with regard to the video gaming company and personal data

of its players. However, the researcher should also carefully

assess this requirement.

(a) The issue of bundled and conditional consent

Pursuant to Art. 7 (4) GDPR, when assessing whether consent is freely given, “utmost account shall be taken of

whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the

processing of personal data that is not necessary for the performance of that contract.” According to the EDPB,

bundling consent with acceptance of terms or conditions, or tying the provision of a contract or a service to a request for

consent to process personal data that are not necessary for the performance of that contract or service is considered

“highly undesirable” (EDPB Guidelines 05/2020 on consent under regulation 2016/679, p. 10). Moreover, if consent is

(generally) bundled up as a non-negotiable part of the terms and conditions, it is presumed not to have been freely given

(EDPB Guidelines 05/2020 on consent under regulation 2016/679, p. 7, also see recital 43 sentence 2 part 2 GDPR).

Thus, the video game company should generally not ask players to consent to the terms of service of the video game

and at the same time to the processing of any personal data if that means that the player can otherwise not receive the

service. This would likely render the consent invalid.

The same standards apply to cases where the data subject is required to provide consent for processing purposes,

which are not necessary for the provision of a specific service and go beyond the delivery of the core service (EDPB

Guidelines 05/2020 on consent under regulation 2016/679, p. 8). “Consent is presumed not to be freely given if it does

not allow separate consent to be given to different personal data processing operations despite it being appropriate in the

individual case” (recital 43 sentence 2 part 1 GDPR). Thus, even by separately obtained consent, the video game

company should not try to obtain player consent for the processing of personal data for the purpose of the provision

of the video game (data category 1) and at the same time for the processing of that same data for the additional purposes

of the citizen science project. The same applies to obtaining bundled consent for the processing of personal data required

for the purpose of the provision of the video game (data category 1) and at the same time for the processing of

additional personal data that is only required for the purposes of the citizen science project (data category 2). Lastly, this

also applies to simultaneously obtaining consent for the transfer of any personal data to the other parties of the citizen

science project and the subsequent processing of the transferred data by them if these parties also process the

data for other purposes.


(b) Other outcome where the citizen science project is seamlessly implemented into the game?

An interesting question results from the fact that at least in cases where the citizen science project is fully integrated into the video game, it becomes a seamless part of the experience (see Project Discovery scenario in the introductory section above). Thus, the data that is processed for the citizen science project is technically also processed for the purpose of providing the video game service. This applies to both: (i) player data that is required for the provision of the video game but which is now also processed for the citizen science project (data category 1); and (ii) additional player data that is only required for the citizen science project (data category 2). In the case of the latter, data category 2 in a way “transforms” to data category 1 through the seamless integration of the citizen science project into the video game, as such data is now technically also required for the provision of the video game. It could therefore be argued that the processing only follows one purpose and that consent obtained for the processing of data categories 1 and 2 for a video game citizen science project does not constitute a bundled/conditional and therefore potentially ineffective consent. However, given the often over-careful stance many data protection authorities take, there is a risk that some data protection authorities would still argue that the same processing activity follows two different purposes in this case and each must be justified separately.

Either way, it is not recommended to rely on consent for the processing of personal player data for purposes of the provision of the video game (leaving the integrated citizen science part of it aside). The processing of personal data for providing the game (not necessarily the citizen science part of it) can already be justified on the basis of other legal justifications, namely the performance of a contract exemption (Art. 6 (1) sentence 1 lit. b GDPR) or legitimate interests (Art. 6 (2) sentence 2 lit. f GDPR). Consent, on the other hand, should (if at all) only be obtained for any processing activity that goes beyond the delivery of the core service (i.e., for the citizen science part of the game, unless of course one follows the approach discussed above that the video game and the citizen science part of it “merge” into one processing purpose). However, if consent is used, it should only be obtained separately and not via the game’s terms of service (see above).

(c) Specifics with regard to the researcher

For the researcher, the situation is slightly different. Where the researcher obtains consent to process the personal data for a specific scientific purpose and the citizen science project is only one part of the science project, consent for the processing of the citizen science project should be obtained separately (e.g., by two different signatures or other affirmative actions). However, where the researcher collects personal data only for the purpose of the citizen science project carried out by several parties, a one-size-fits-all solution in the sense of “consent to citizen science project” (which of course needs to meet all other requirements) should be acceptable. Since all processing activities are connected and serve the purpose of carrying out the citizen science project, obtaining separate consent for each processing operation would not make sense as the entire citizen science project would not be realizable without the data subject consenting to all required processing operations. This is in line with Recital 43 sentence 2 part 1 GDPR, which states that “consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case.” An exemption applies, however, where one of the parties intends to process the data also for other purposes than for the citizen science project. An example could be the intention of the service provider (see scenarios outlined above) to process the data to improve its services for future projects. For this purpose, separate consent must be obtained (unless of course the processing operation can be based on a different legal basis such as legitimate interests, which should be assessed separately).

(b) Specific

Consent of the data subject must be given in relation to “one or more specific” purposes (Art. 6 (1) sentence 1 lit. a GDPR). The need for specific consent in combination with the notion of purpose limitation in Article 5 (1) lit. b GDPR works as a safeguard against the gradual widening or blurring of purposes for which data is processed, after a data subject has agreed to the initial collection of the data (EDPB Guidelines 05/2020 on consent under regulation 2016/679, p. 14). Thus, if data is processed on the basis of consent that was obtained for a specific processing purpose, the data cannot be later processed for another purpose. Again, an example would be the intention of the service provider (see scenarios outlined above) to process the data to improve its services for future projects. This purpose is not covered by consent to process data for the purpose of the citizen science project. Thus, this purpose requires a separate consent (again, unless of course the processing operation can be based on a different legal basis, such as legitimate interests, which should be assessed separately).

An exemption to the requirement of specific consent (i.e.,

purpose limitation) applies for consent that is obtained for the processing of personal data for scientific research purposes.

Recital 33 GDPR states the following:

It is often not possible to fully identify the purpose of personal data processing for

scientific research purposes at the time of data collection. Therefore, data subjects should be

allowed to give their consent to certain areas of scientific research when in keeping with

recognised ethical standards for scientific research. Data subjects should have the

opportunity to give their consent only to certain areas of research or parts of research projects

to the extent allowed by the intended purpose.

This so called “broad consent” exemption allows the

controller to obtain consent for certain “areas of research or parts of research projects” instead of for specific purposes

and without the necessity to obtain a new consent for each data use for other scientific research purposes. In other

words, on the basis of “broad consent,” the collected personal data can be used beyond the specific purposes of

the current research project.

“Broad consent” is a manifestation of the scientific research privilege implemented into the GDPR (see above already). However, this again means that the controller can only rely on “broad consent” where the processing serves scientific research purposes within the meaning of the GDPR, which requires research in the general public interest. While this does not exclude private companies from the privilege, it excludes research conducted for purely commercial purposes (see above). However, where the researcher is a public institution such as a university or similar organization, the chances are good that it can leverage the exemption of “broad consent.” It should also be kept in mind that profiting from the GDPR scientific research privilege also requires implementing certain “appropriate safeguards” (Art. 89 (1) sentence 1 GDPR). Though it could be argued that this does not apply to the “broad consent” exemption as the latter is only mentioned in the recitals of the GDPR but not in the legislative text, the understanding of “scientific research” under the GDPR is uniform and is based on the idea that the controller can benefit from certain privileges in exchange for implementing “appropriate safeguards.”

(c) Informed

The consent needs to be informed. According to the Article 29 Working Group, at least the following information is required for obtaining valid informed consent (EDPB Guidelines 05/2020 on consent under regulation 2016/679, p. 15):

the controller’s identity,

the purpose of each of the processing operations for which consent is sought,

what (type of) data will be collected and used,

the existence of the right to withdraw consent,

[…]

on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.

(aa) Identity of the controller

The most likely parties to the video game citizen science project that will be responsible for obtaining consent are the researcher (for data category 4 as described above) and the video game company (for data categories 2 and 3 as described above). These parties need to inform about their identity in any case. If the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organizations should all be named (EDPB Guidelines 05/2020 on consent under regulation 2016/679, p. 16). Thus, with regard to informing about the controller’s identity for consent for a video game citizen science project, which of the other participating parties also constitute controllers now becomes relevant. At least in the scenarios primarily assessed in this article, this applies to most of the participating parties, which should all be named in the consent form. Processors do not need to be named.

However, it should be noted that in order to comply with Art. 13 and 14 GDPR (transparency requirements typically implemented into a privacy policy) the categories of recipients should at least be named, which also involves the categories of processors.

(bb) Purpose

The informing controller must carefully differentiate between the different processing purposes the various parties of the citizen science project might process the data for. Again, the best example might be the service provider (see scenarios above), which could also have an interest in processing the data to improve its services for future projects. This is a different purpose than the processing for the execution of the citizen science project and therefore needs to be named separately along with all other additional purposes one of the parties might process the data for. Having said that, the option of “broad consent” for scientific research purposes in the general public interest should be mentioned here again, which allows some flexibility with respect to the purpose, provided the requirements of the scientific research privilege are met (see above and below for more details).

(cc) Personal data

All (types of) personal data that are processed for the citizen science project need to be named. This includes data that is also processed, for instance, for the provision of the video game (data category 1 as described above).

(dd) Risks of third country data transfers

This requirement applies only if the controller relies on consent for international data transfers to third countries. It will therefore be addressed in the data transfer section below (see II.4).

(ee) Timing of obtaining consent

Consent must be obtained prior to the commencement of the processing activity. With regard to video game citizen science projects that are fully integrated into an AAA video game, the question of whether obtaining consent when the video game is installed is sufficient or if consent must be obtained when the player’s progress in the game reaches the fully integrated citizen science part (e.g., a certain side quest) can be raised. The clear disadvantage with obtaining consent when the player arrives at the citizen science part of the video game would be that a consent window that pops up during gameplay will harm the player’s immersion into the video game. In a way this defeats the intention of seamlessly integrating citizen science in a video game without the players even noticing that they participate in a science project. While the answer to this question will in the end depend on the video game and the specific project, general principles under the GDPR imply that consent will often have to be obtained when the player arrives at the citizen science part of the game. This applies in particular to video-games-as-a-service, which provide an endless experience and where it can take hundreds of hours till a player reaches the citizen science project. In these cases, the player will not be able to identify when exactly the processing of their personal data for the purposes of the video game commences. Moreover, players might have forgotten that they gave consent for this purpose months or years ago. It therefore seems likely that an EU data protection authority would consider this a breach of the “informed” requirement as well as the requirement that personal data shall be processed “fairly and in a transparent manner” (Art. 5 (1) lit. a GDPR). This example shows again that consent should only be the last resort for the controller to legitimize the processing of personal data in a video game citizen science project. Implementing technical and organizational measures or “adequate safeguards” in order to be able to rely on other legal bases such as legitimate interests should in any case be preferred where possible.

(ff) Unambiguous indication of wishes

Consent requires a statement from the data subject or a clear affirmative act, which means that it must always be given through an active motion or declaration. The use of pre-ticked opt-in boxes, such as when the video game is installed, is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service, cannot be regarded as an active indication of choice (EDPB Guidelines 05/2020 on consent under regulation 2016/679, p. 18).

Obtaining consent via terms and conditions is also not an option even if actively accepted by the data subject. The EDPB provides the following explanation in this regard:

A controller must also beware that consent cannot be obtained through the same motion as agreeing to a contract or accepting general terms and conditions of a service. Blanket acceptance of general terms and conditions cannot be seen as a clear affirmative action to consent to the use of personal data. The GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement (for example ‘opt-out boxes’).

(2) Performance of a contract exemption (Art. 6 (1) sentence 1 lit. b GDPR)

At least with regard to the video game company and cases where the citizen science project is seamlessly integrated into the video game, the performance of a contract exemption can also be considered with regard to data categories 1 and 2. This approach is based on the argument that where the citizen science project becomes a seamless part of the video game or even constitutes the entire game, the processing of data categories 1 and 2 (as described above) for the purpose of executing the citizen science project automatically becomes a processing activity for the provision of the video game (which is the citizen science project). See the explanations above under the headline “Other outcome where the citizen science project is seamlessly implemented into the game?” which apply accordingly (sec. II.3.d.aa.(1)(a)(bb)).

(3) Public interest (Art. 6 (1) sentence 1 lit. e GDPR)

In case the controller is a public body (e.g., a university), it is worth investigating whether the data processing for the citizen science project can be based on the exemption of Art. 6 (1) sentence 1 lit. e GDPR, which allows the processing of personal data if it is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” Art. 6 (1) sentence 1 lit. e GDPR by itself is not an independent legal basis for the processing (Recital 45 GDPR). Instead, the processing additionally requires a specific legal basis laid down by the EU or the EU member state law to which the controller is subject. The relevant legal basis must meet the requirements of Art. 6 (3) GDPR. Whether such a legal basis exists must be assessed on a case-by-case basis and depends on the applicable EU member state law. In Germany, for instance, several university laws on the state level include general provisions that research is one of the primary tasks of universities. Several processing operations that are conducted for research purposes can be based on these laws in conjunction with the GDPR public interest exemption. An exception might, however, apply in cases of particularly severe and invasive processing operations that pose greater risks (e.g., processing operations that would also require a data privacy impact assessment). Such processing operations might require a legal basis that is more specific and risk-adequate (e.g., consent tailored to the particular purpose).

(4) Legitimate interest (Art. 6 (1) sentence 1 lit. f GDPR)

The legitimate interest exemption is typically the most practically relevant legal basis. It allows the processing where it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” Because the legitimate interest exemption requires weighing of interests, its applicability naturally depends on the individual case and requires taking into account all relevant factors of the citizen science project, such as the categories and amount of personal data involved, the importance of the research, the implemented technical and organizational security measures, the data subjects involved, etc.

The legitimate interest exemption’s main advantage is its flexibility, as the controller has the chance to shift the outcome of the process of weighing of interests in its favor by implementing additional technical and organizational security measures such as anonymization, pseudonymization, strict need-to-know requirements, strong IT protection measures, and several other measures depending on the specific case. However, the applicability of the legitimate interest exemption to one party of the citizen science project does not necessarily mean that it automatically applies to the processing activities of the other parties as well. For instance, where the researcher implements certain technical and organizational measures to be able to rely on legitimate interests to justify its processing activities, the same legal basis might not apply for the processing of the data by one of the other parties which did not implement the same or similar measures. The same applies for the processing for different purposes. Where one of the parties processes the data for multiple purposes, each processing activity for the individual purposes must independently be justified. For instance, the service provider might be able to rely on legitimate interests with regard to its processing activities to conduct organizational and advice services for the other parties in order to carry out the citizen science project. However, this does not automatically mean that the legitimate interest exemption also justifies the processing of the same data for the purpose of improving the service provider’s services for future projects. Thus, the applicability of the legitimate interest exemption needs to be closely analyzed for each party and each individual purpose.

In cases where the citizen science project meets the requirements of the GDPR scientific research privilege (i.e., the research is considered as scientific research within the meaning of the GDPR and the controller has implemented the measures required by Art. 89 GDPR; see below for details), it is often argued that the requirements of the legitimate interest exemption will typically also be met and related data processing operations are therefore justified. This provides another incentive for the controller to implement the measures required by Art. 89 GDPR.

bb. Special categories of personal data

If the citizen science project involves special categories of personal data, the requirements for the processing to be justified are significantly higher. Special categories of personal data are defined by the GDPR as: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

In practice, citizen science projects involving special categories of personal data will in almost all cases have to be built on consent by the data subject. Next in line would be the scientific research exemption (Art. 9 (2) lit. j GDPR) which, however, requires that the additional conditions of the GDPR scientific research privilege are met, that is, that the citizen science project is carried out primarily to acquire knowledge for the general public and excludes commercial purposes. Nevertheless, many citizen science projects in the video games landscape concern the fight against diseases (with COVID-19 only being the most prominent example). This makes it worthwhile to also look at other legal bases, such as the substantial public interest and the public interest in the area of public health exemption.

(1) Explicit Consent (Art. 9 (2) lit. a GDPR)

For the processing of special categories of personal data, regular consent is not sufficient. Instead, explicit consent must be obtained. Explicit consent first requires that all conditions of a regular consent as outlined above are met. In addition, the consent given by the data subject must be “explicit.” Since regular consent already requires a “statement or clear affirmative action,” explicit consent requires an even higher standard. The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent (EDPB Guidelines 05/2020 on consent under regulation 2016/679, p. 20).

Obtaining explicit consent is not bound to formal requirements. Thus, theoretically explicit consent can also be obtained orally. However, as with regular consent, this is not recommended due to the controller’s obligation to be able to demonstrate that the data subject gave consent.

The EDPB discusses the following options to obtain explicit consent:

written statement, ideally signed by the data subject

filling in an electronic form

an email sent by the data subject (clearly stating “I consent” or a similar unambiguous declaration)

an upload of a scanned document carrying the signature of the data subject

electronic signature

telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g., pressing a button or providing oral confirmation)

explicit consent screen on a website that contains "Yes" and "No" check boxes, provided that the text clearly indicates the consent, for instance, “I hereby consent to the processing of my data.”

two-stage verification by, for example, sending an email to the data subject to which the data subject must respond with “I agree”; afterwards, the data subject receives a verification link that must be clicked or an SMS message with a verification code.

(2) Substantial public interest (Art. 9 (2) lit. g GDPR)

In particular, where the controller is a public body (e.g., a university), the data processing for the citizen science project can also be based on the exemption of Art. 9 (2) lit. g GDPR, which allows the processing of special categories of personal data if it is “necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”

Unlike the regular public interest exemption provided in Art. 6 (1) sentence 1 lit. e GDPR (see above), Art. 9 (2) lit. g GDPR requires a substantial public interest. Once again, Art. 9 (2) lit. g GDPR is not a legal basis by itself but instead serves as an opening clause that allows relevant EU member state and EU laws to be passed. The processing can subsequently be based on these laws. Whether such a legal basis exists must be analyzed on a case-by-case basis and depends on the relevant applicable EU member state law, the personal data that is processed, and the purposes for which it is processed. Germany, for instance, has passed Sec. 22 (1) No. 1 lit. d Federal Data Protection Act (FDPA) on the basis of Art. 9 (2) lit. g GDPR, which allows the processing of special categories of personal data if the processing is urgently necessary for reasons of substantial public interests and as far as the interests of the controller in the data processing outweigh the interests of the data subject. In addition, certain technical and organizational security measures must be implemented, which are similar or identical to those that must be implemented in order to benefit from the GDPR scientific research privilege (see list with examples below under II.5.b).

The legislative materials of the German provision explicitly mention that the fight against pandemics falls under this exemption. Projects like Folding@Home to fight COVID-19 (see introductory section) would therefore have a good chance to be based on the substantial public interest exemption, given the severe consequences of the global pandemic with regard to both human life and the economy.

(3) Public interest in the area of public health (Art. 9 (2) lit. i GDPR)

Art. 9 (2) lit. i GDPR allows the processing if it is “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.”

Once again, Art. 9 (2) lit. i GDPR itself is not a legal basis but instead allows the adoption of EU or EU member state law on which basis the processing can subsequently take place. Whether such a legal basis exists depends on the individual case and the applicable EU member state law. In Germany, for instance, the provision has been implemented into national law with identical requirements (Sec. 22 (1) No. 1 lit. c FDPA). While the requirements that must be met are very high, COVID-19 and similar diseases typically constitute a “serious cross-border threat to health.” Thus, any serious effort to combat such diseases has a good chance of being able to rely on the exemption. However, in order to comply with the requirement that the implementing law must provide “specific measures to safeguard the rights and freedoms of the data subject,” the German provision also requires the implementation of certain technical and organizational security measures. These are largely identical to those measures that must be implemented to benefit from the GDPR scientific research privilege (see the list below, II.5.b.).

In addition, the exemption explicitly mentions “in particular professional secrecy” as a required security measure that must be implemented by the relevant national law provision. The German provision therefore references sector-specific professional and criminal law secrecy obligations. Since video game companies will typically not be subject to professional secrecy (unlike, for example, medical practitioners), this might render the provision inapplicable for them. However, the wording is not clear with regard to the question of whether the data cannot be transferred to other parties that are not subject to professional secrecy. Still, relying on the provision if the controller is not subject to any professional secrecy obligations is a risk-based approach. To mitigate the risk, contractual secrecy obligations should be implemented.

(4) Scientific or historical research purposes (Art. 9 (2) lit. j GDPR)

After consent, the exemption for scientific or historical research purposes seems to be the most practically relevant legal basis with regard to special categories of personal data processed in the course of citizen science projects in video games. It allows the processing of special categories of personal data if it is “necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”

Again, Art. 9 (2) lit. j GDPR itself is not a legal basis but instead allows the adoption of EU or EU member state law on which basis the processing can subsequently take place. Whether such a legal basis exists must be analyzed on a case-by-case basis and depends on the relevant applicable EU member state law, the personal data that is processed, and the purposes for which it is processed.

Art. 9 (2) lit. j GDPR is another manifestation of the scientific research privilege under the GDPR (see above already under II.3.c and below under II.5). Relying on the exemption therefore requires in exchange the implementation of further safeguards in accordance with Art. 89 (1) GDPR (see a list with examples below, II.5.b). Furthermore, the scientific research privilege applies only to research that is carried out to acquire knowledge in the general public interest. Commercial interests are to a large extent not covered by the privilege (see below II.5.a.). Nevertheless, where the researcher is an EU university or similar research organization, the research can typically be considered as being carried out to acquire knowledge in the general public interest. Thus, in this case at least, the researcher might be able to rely on the exemption even if the other parties involved in the citizen science project (i.e., the service provider and the video game company) might not and must instead rely on other legal bases. That being said, private organizations are not generally excluded from relying on Art. 9 (2) lit. j GDPR in connection with the relevant EU or EU member state law, provided their activities constitute scientific research within the meaning of the GDPR (i.e., serve the purposes of acquiring knowledge in the general public interest) and where they have implemented the additional requirements of Art. 89 (1) GDPR.

Germany is one of the countries that has already adopted several laws on the basis of Art. 9 (2) lit. j GDPR. Most notably, Sec. 27 (1) FDPA allows the processing of special categories of personal data “without consent for scientific or historical research purposes or statistical purposes, if such processing is necessary for these purposes and the interests of the controller in processing substantially outweigh those of the data subject in not processing the data.” Sec. 22 (2) FDPA lists a number of safeguards that must be implemented by the controller in accordance with the requirement to implement “appropriate safeguards” under Art. 89 (1) GDPR. Further legal bases implemented by the German legislator are Sec. 75 (3) Social Act X (“SGB X”) for scientific research in the social sector and Sec. 14 (2a) Transplantation Act (“TPG”) for organ and tissue transfers.

4. Data transfers within multi-party video game citizen science projects

Since video game citizen science projects are typically multi-party projects, they will naturally require the transfer of personal data from one of the involved parties to another. Furthermore, in many cases, the different parties will not be located in the same country but in different countries. In this case, the requirements for international data transfers under applicable data protection law must be met and should be closely examined. From a GDPR perspective, it must be differentiated between data transfers to other EU/EEA member states (respectively, countries that are deemed to provide for an adequate level of data protection by the EU Commission) and third countries. Furthermore, it must be differentiated between controller-to-controller (“C2C”) and controller-to-processor (“C2P”) transfers. The underlying data transfers in a multi-party scenario can, for instance, be illustrated as follows:


a. Data transfers within the EU/EEA

aa. Controller-to-controller

A data transfer constitutes a processing activity like any other (e.g., collection, storing, analysis). Thus, any data transfer from one party involved in the citizen science project to another must be justified by one of the legal bases set out in Art. 6 and 9 GDPR. The explanations on applicable legal bases for the processing of personal data within a video game citizen science project can therefore be referenced at this point (see above, 3.). Aside from the requirement that the data transfer must have a legal basis, international data transfers within the EU/EEA do not face additional requirements compared to other processing activities due to the fact that the GDPR establishes a uniform level of protection within the EU/EEA.

It should be kept in mind, however, that the applicability of the legal bases also depends on the purpose for which the data is processed. This applies to data transfers as well. For instance, where the processing for the citizen science project is supposed to be based on legitimate interest, such legal basis might be applicable for this specific purpose, including data transfers necessary for this purpose. If personal data, however, is also transferred for another purpose, the legitimate interest exemption might no longer be applicable or require the implementation of additional safeguards in order to shift the outcome of the process of weighing of interests in favor of the controller (e.g., pseudonymization). As an example for such a different purpose, once again the processing of the personal data by the service provider for purposes of improving its services for future projects can be named.

bb. Controller-to-processor

The transfer of personal data to a processor and the processing by the processor can be based on the same legal basis on which the processing by the controller is based. No additional legal basis is required for the transfer to the processor because the processing activity remains an activity under the control of the relevant controller and is therefore deemed to be a processing operation by said controller (e.g., the researcher and/or the video gaming company). Hence, only the controller and not the processor is required to rely on a legal basis. This becomes relevant, for instance, with regard to the service provider who acts as processor in terms of the provision of IT services for the implementation and analysis of the video game citizen science project (see above, II.2.b). However, the processor has to enter into a processing agreement with the controller (Art. 28 (3) GDPR) and must meet the other requirements applicable to processors (e.g., implementation of technical and organizational security measures, Art. 28 (1), 32 GDPR). Where one party acts as both processor and controller (like the service provider), it must enter into a processing agreement with regard to its processing activities and must in addition be able to rely on a legal basis with regard to its other activities conducted as a controller.

[Figure (the multi-party data transfer illustration referenced above under 4.): parties shown are the Researcher (e.g., university / pharma cooperation), the Service provider (provides expertise, organization and IT services), the Video game company (entity responsible for project), Other group entities (e.g., parental company), Service providers (e.g., cloud service provider), and Players / citizen scientists. Labelled transfers: “C2C and C2P transfer of research data (data category 4)”; “C2C and/or C2P onward transfer of research data (data category 4)”; “C2C and C2P transfer of player and third party data (data category 3 and/or 4)”.]

It should also be noted that where the processor engages a sub-processor (e.g., the video gaming company with regard to potential group affiliates or service providers as illustrated above), the concluded processing agreement will typically require the processor to establish the same level of data protection at the sub-processor (Art. 28 (4) GDPR). This can, for instance, require the conclusion of a sub-processing agreement.

b. Data transfers outside the EU/EEA

International data transfers to non-EU/EEA countries require compliance with a two-step test.

aa. Step 1

Step 1 is identical to the requirements of data transfers within the EU/EEA. Any data transfer is a separate processing activity and therefore requires a legal basis under the GDPR. This applies to third country transfers as well. Thus, the controller must be able to rely on one of the legal bases set out in Art. 6 and/or 9 GDPR. However, again no additional legal basis is required for data transfers to processors located in a third country. Still, the requirement to conclude a processing agreement applies accordingly. The same applies to the requirement that the processor must ensure the same level of data protection at potential sub-processors, such as by concluding a sub-processing agreement.

bb. Step 2

A controller or processor who transfers data to a controller or processor located in a third country must ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined (Art. 44 sentence 2 GDPR). The requirements in this regard are set out in Art. 44 et seq. GDPR and are described in the following:

(1) Adequacy decision

The easiest way to ensure an adequate level of data protection is a data transfer based on an adequacy decision by the European Commission (Art. 45 GDPR). Such a transfer shall not require any specific authorization (Art. 45 (1) sentence 2 GDPR). The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.

(2) Appropriate safeguards

If no adequacy decision exists, the most common way to transfer personal data to a third country is based on appropriate safeguards (Art. 46 GDPR). Art. 46 GDPR provides several options to implement appropriate safeguards (Art. 46 (2) GDPR), with the by far most practically relevant tool being standard data protection clauses adopted by the EU Commission (Art. 46 (2) lit. c GDPR - also called EU model clauses), followed by binding corporate rules (Art. 46 (2) lit. b, Art. 47 GDPR).

Standard data protection clauses exist for C2C and C2P data transfers to third countries. Establishing an adequate level of data protection through standard data protection clauses essentially means that the data importer contractually accepts certain data protection standards, including the implementation of technical and organizational security measures.

With regard to C2P transfers, the C2P model clauses are typically supplemented by a couple of clauses to also meet the requirements of a processing agreement under the GDPR (Art. 28 (3) GDPR) and/or applicable local law.

Multinational companies often implement C2C and C2P clauses by means of an all-in-one data transfer agreement that comprises all or several of the entities belonging to the group of companies. In this case the C2C and C2P model clauses are integrated into one intragroup data transfer agreement. Deviations to comply with applicable local data protection laws are implemented through a specific local law amendments section. This section can also include countries that are not subject to the GDPR to implement a global data protection setup through a single compliance vehicle.

Parties to the video game citizen science project that have already implemented intragroup C2C and/or C2P model clauses need to consider that these agreements might have to be amended to reflect additional personal data and processing purposes under the citizen science projects. In some cases, however, the conclusion of a new data transfer agreement to cover the citizen science project may be the more practical solution.

(3) Derogations for specific situations, in particular consent

In the absence of an adequacy decision or of appropriate safeguards, international data transfers to third countries can also take place on one of the conditions set out in Art. 49 GDPR. With regard to a citizen science project, the most practically relevant exemption seems to be consent (Art. 49 (1) sentence 1 lit. a GDPR). Other exemptions (e.g., important reasons of public interest) will most likely only apply in exceptional cases, with the fight against COVID-19 of course being something that could be considered. In relation to the processing of player data by the video game company for the purposes of the citizen science project (data categories 1 and 2), the performance of a contract exemption can also be considered, provided the citizen science project is seamlessly integrated into the video game or constitutes the entire game (see the explanations in this regard under II.3.d.aa.(1)(a)(bb)).

In terms of consent, all requirements for regular consent must be met (see in detail above II.3.d.aa.(1)). This includes prior information on the data controller’s identity, the purpose of the transfer, the type of data, the existence of the right to withdraw consent, and the identity or the categories of recipients (EDPB Guidelines 02/2018 on derogations of Article 49 under Regulation 2016/679, p. 7). In addition, the information provided to the data subjects should also specify all data recipients or categories of recipients, all countries to which the personal data are being transferred, that the consent is the legal basis for the transfer, and that the third country to which the data will be transferred does not provide for an adequate level of data protection based on a European Commission decision (EDPB Guidelines 02/2018 on derogations of Article 49 under Regulation 2016/679, p. 8).

Since consent must be specific, it is sometimes impossible to obtain the data subject’s prior consent for a future transfer at the time of the collection of the data, such as where the occurrence and specific circumstances of a transfer are not known at the time consent is requested, so that the impact on the data subject cannot be assessed (EDPB Guidelines 02/2018 on derogations of Article 49 under Regulation 2016/679, p. 7). The Working Party 29 provides the following example:

To cite an example, a company, when obtaining its customers’ data for a specific purpose, cannot ask them to give their prior consent to the transfer of their data to a third country if that transfer is not envisaged at the time of the collection.

Furthermore, the consent exemption for international data transfers requires explicit consent. Thus, the same conditions with regard to consent for the processing of special categories of data must be met (see above II.3.d.bb.(1)). Additionally, consent for the legitimization of international data transfers to third countries requires information on the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. Such notice, which could be standardized, should include, for example, information that in the third country there might not be a supervisory authority and/or data processing principles, and/or data subject rights might not be provided for in the third country (EDPB Guidelines 02/2018 on derogations of Article 49 under Regulation 2016/679, p. 8).

As outlined above, consent should be the last option to legitimize the processing activities of the citizen science project. This also applies to data transfers to third countries. The Article 29 Working Party has indicated that consent for data transfers that occur periodically or on an ongoing basis is inappropriate (Working Paper 114, p. 11). Thus, even in situations where consent might be used to legitimize the processing for the citizen science project (step 1), it should only be used to legitimize the third country data transfer (step 2) in exceptional cases and where no other option is available. However, with regard to data category 4, consent is likely the preferable option to legitimize the international data transfer as otherwise players of the video game would have to agree to EU model clauses, which is not a realistic option as it might deter too many potential participants.

cc. Examples

Scenario 1: The researcher is located in Switzerland, the service provider is located in Switzerland, and the video game company is located in the EU/EEA, with sub-processors in the EU/EEA and the USA. Players are located all over the world. All referenced data categories (1-4) refer to the categories as described above (II.1).

High level analysis:

o Data transfers from the researcher to the service provider (data category 4) will likely fall under Swiss data protection law and must meet the relevant requirements (in practice this would need to be analyzed more closely).

o Data transfers from the researcher to the video game company (data category 4) will likely fall under Swiss data protection law and must meet the relevant requirements (in practice this would need to be analyzed more closely).

o Data transfers from the video game company to the researcher (data category 1 to 3) constitute a C2C international data transfer to a (non-EU/EEA) third country and must therefore meet the two-step test. Thus, the transfer requires a legal basis under the GDPR (step 1) and must meet the additional requirements for international transfers to third countries (step 2). Step 1 could be based on legitimate interest or consent (in case of the latter only provided the information requirements were met when the consent was obtained). Step 2 is not an issue in this case as Switzerland is subject to an adequacy decision of the EU Commission.

o Data transfers from the video game company to the service provider (data category 1 to 3) might constitute both: (i) a C2C international data transfer to a (non-EU/EEA) third country (with regard to advice and organization provided by the service provider); and (ii) a C2P international data transfer to a (non-EU/EEA) third country (with regard to the provision of IT services by the service provider). Both transfers must also meet the two-step test. The explanations outlined in the last bullet point apply accordingly. However, the transfer additionally requires the conclusion of a processing agreement with regard to the C2P transfer.

o Data transfers from the video game company to sub-processors within the EU/EEA require a legal basis. However, the transfer can be based on the same basis the processing for the citizen science project is based on, such as legitimate interest or consent (provided information requirements were met). Additionally, the conclusion of a processing agreement is required. Step 2 is not required as the GDPR provides a uniform standard of protection within the EU/EEA.

o Data transfers from the video game company to sub-processors in the USA constitute a C2P international data transfer to a third country and must therefore meet the two-step test. Step 1 could be based on legitimate interest or consent (provided information requirements were met). Step 2 could be solved through the US sub-processor entering into C2P model clauses. Also, a processing agreement complying with the requirements of Art. 28 (3) GDPR is required, which can be solved with supplements to the C2P model clauses. The model clauses can be added to the processing agreement.

o Data transfers from the video game company to the players (data category 4) constitute a C2P international data transfer to a third country and must therefore also meet the two-step test. Step 1 could be based on legitimate interests or consent (provided information requirements were met). Step 2 could theoretically also be solved through the player entering into C2P model clauses, which could be integrated into the video game. However, given that this will likely result in too many participants being deterred, full anonymization of the data would be preferable to render the GDPR inapplicable as a whole. Otherwise, consent obtained when data category 4 is collected is likely the best option to meet the requirements of Step 2.

Scenario 2: The researcher is located in the EU/EEA, the service provider is located in Switzerland, the video game company who is primarily organizing the citizen science project is located in Canada, with a parent company in the USA. Players are located all over the world. All referenced data categories (1-4) refer to the categories as described above (II.1).

High level analysis:

o Data transfers from the researcher to the service provider (data category 4) might constitute both: (i) a C2C international data transfer to a (non-EU/EEA) third country (with regard to advice and organization provided by the service provider); and (ii) a C2P international data transfer to a (non-EU/EEA) third country (with regard to the provision of IT services by the service provider). Both transfers must meet the two-step test. Thus, the transfer requires a legal basis under the GDPR (step 1) and must meet the additional requirements for international transfers to third countries (step 2). Step 1 could be based on legitimate interest or consent (provided information requirements were met). Step 2 is not an issue as Switzerland is subject to an adequacy decision of the EU Commission. However, the transfer additionally requires the conclusion of a processing agreement with regard to the C2P transfer.

o Data transfers from the researcher to the video game company (data category 4) constitute a C2C international data transfer to a third country and must meet the two-step test. Step 1 could be based on legitimate interest or consent (provided information requirements were met). Step 2 is not an issue as Canada is also subject to an adequacy decision of the EU Commission.

o Despite the video game company not being located in the EU/EEA, data transfers from the video game company to the researcher (data category 1 to 3) are subject to the GDPR, provided player data from players within the EU/EEA region are involved (Art. 3 (2) lit. a GDPR). The transfer constitutes a C2C data transfer to the EU/EEA region. As such, it requires a legal basis under the GDPR. However, the transfer can be based on the same basis the processing for the citizen science project is based on, such as legitimate interest or consent (provided information requirements were met). Step 2 is not required as the data is transferred to the EU/EEA area that provides a uniform standard of data protection.

o Data transfers from the video game company to the service provider (data category 1 to 3) are also subject to the GDPR, provided player data from players within the EU/EEA region are involved (Art. 3 (2) lit. a GDPR). The transfer might constitute both: (i) a C2C international data transfer to a (non-EU/EEA) third country (with regard to advice and organization provided by the service provider); and (ii) a C2P international data transfer to a (non-EU/EEA) third country (with regard to the provision of IT services by the service provider). Both transfers must meet the two-step test. Step 1 could be based on legitimate interest or consent (in case of the latter only provided the information requirements were met when the consent was obtained). Step 2 is not an issue in this case as Switzerland is subject to an adequacy decision of the EU Commission. However, the transfer additionally requires the conclusion of a processing agreement with regard to the C2P transfer.

o Data transfers from the video game company to its parent company within the USA are more difficult to assess as they will strongly depend on the individual case. Depending on the scenario and the data category, data could (from a GDPR perspective) be transferred by the US parent company to the Canadian affiliate or vice versa. Player data (data category 1 and 2) from persons located in the EU that is collected by the US entity and then transferred to the Canadian affiliate still requires a legal basis (step 1) from a GDPR perspective due to the market place principle set out in Art. 3 (2) lit. a GDPR. However, the transfer can likely be based on the same legal basis on which the data was originally collected. Step 2 is not an issue as Canada is subject to an EU Commission adequacy decision. Additionally, the data transfer must be assessed from a US data protection law perspective.

With regard to the Canadian entity it must be closely assessed whether a data transfer to the US entity takes place at all and – if yes – whether the GDPR applies in this case. For instance, it is unlikely that the Canadian affiliate transfers player data (data category 1 and 2) to the US parent company. The parent company will likely collect and process such data by itself. With regard to data provided by the researcher (data category 4) the data could – from a mere legal perspective – constitute a transfer from the Canadian entity to the US entity as the Canadian entity is the primary organizer of the citizen science project. However, with regard to this transfer the GDPR might not apply as the market place principle set out in Art. 3 (2) lit. a GDPR does not apply since the processing activity is not related to the offering of goods or services (this only applies to the provision of the video game). Because Canada is subject to an EU Commission adequacy decision and data can be transferred without further safeguards, GDPR requirements with regard to onward transfers will also not result from other sources such as EU model clauses, which typically require that the same level of data protection be established in case of any onward transfers. The outcome might of course be different if the affiliate was located in a country that is not subject to an EU Commission adequacy decision. In this case, an onward transfer agreement might have to be concluded.

o As regards the players, see last example.

5. Requirements and benefits of the GDPR scientific research privilege

As briefly outlined above, the GDPR includes a scientific research privilege that allows derogating from several GDPR data protection rules, provided that: (i) the research constitutes scientific research within the meaning of the GDPR; and (ii) the requirements of Art. 89 (1) GDPR are met, which means the implementation of “appropriate safeguards.” Art. 89 (1) GDPR follows the purpose to balance the fundamental right to freedom of research with the fundamental right to data protection. It does so by stipulating that in exchange for the implementation of certain “appropriate safeguards,” the researcher may enjoy different privileges/derogations from applicable data protection rules (although this might not become apparent immediately from reading the wording of Art. 89 (1) GDPR). Where the requirements of Art. 89 (1) GDPR are not met (i.e., adequate safeguards are not implemented) the standard rules under the GDPR apply. Thus, conducting the research project is still possible without relying on the GDPR scientific research privilege. The only consequence is that the processing for the purpose of the project does not benefit from the scientific research privilege.

a. Scientific research within the meaning of the GDPR

To constitute scientific research within the meaning of the GDPR, research must serve general public interests. This includes in particular that the research is independent and not subject to instructions. The interest in knowledge must be the primary driver. This does not exclude privately financed research (see Recital 159 sentence 2 GDPR). However, external influence on the knowledge process through instructions is excluded, as are mere economic or other interests. Thus, scientific research that only serves the purpose to develop new products is excluded from the scientific research privilege. As outlined above, this does not mean that the research project cannot take place at all. It only means that the scientific research privilege is not applicable and the processing must be evaluated in light of the standard rules under the GDPR.

However, the research project is not necessarily excluded from the GDPR scientific research privilege if it is privately financed by a third party that has an interest in the research and sets out the parameters for the subject that shall be researched, provided of course that the requirements of scientific research under the GDPR are met, that is, the then conducted research takes place independently and without influence on the outcome.

An example could be a corporation financing a research project of a university and setting out certain parameters that it would like to have investigated (e.g., the temperature, location, study group). As long as the subsequent research takes place independently and is in the general public interest, the GDPR scientific research privilege can still be used even if the financing corporation later plans to use the findings of the (independent) study for the development of new products. The purpose of the independence and public interest requirement is only to prevent interest-driven research from benefitting from the GDPR research privilege (e.g., research that is supposed to show that smoking does not cause health issues).

b. Appropriate safeguards

To benefit from the scientific research privilege under the GDPR, the researcher must implement “appropriate safeguards” for the rights and freedoms of the data subject (Art. 89 (1) sentence 1 GDPR). Those safeguards shall ensure that technical and organizational measures are in place in order to ensure respect for the principle of data minimization (Art. 89 (1) sentence 2 GDPR). The measures may include pseudonymization, provided the purpose can be fulfilled in that manner (Art. 89 (1) sentence 3). As the term “appropriate safeguards” implies, the requirement establishes a flexible standard. Thus, the level and standard of the implemented safeguards must be determined in light of the risks of the data processing. Aside from pseudonymization, other measures that could be implemented are as follows:

o data encryption (Art. 32 (1) lit. a GDPR)

o the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (Art. 32 (1) lit. b GDPR)

o the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (Art. 32 (1) lit. c GDPR)

o a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing (Art. 32 (1) lit. d GDPR)

o organizational measures, for instance restrictions on access to personal data within the controller and by processors

o measures to ensure that it is subsequently possible to verify and establish whether and by whom personal data were input, altered or removed

o measures to increase awareness of staff involved in processing operations

o designation and inclusion of a data protection officer

o specific rules of procedure to ensure compliance with applicable data protection law in the event of transfer or processing for other purposes
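As an added illustration of the pseudonymization measure named above (example code written for this edit, not taken from the paper or from any project it describes), the following Python shows a keyed pseudonymization of a constructed player dataset before it is handed to a researcher. The record layout, the list of fields the researcher is assumed to need, and the key are all assumptions for the example. The controller keeps the key and the re-identification table; the researcher receives only the pseudonym and the research fields, which is the data-minimization aim of Art. 89 (1) GDPR. The output remains personal data in the hands of the controller, which can still attribute it to a player with the key (Recital 26 GDPR), so this is a safeguard, not the full anonymization mentioned in the scenarios above.

```python
import hashlib
import hmac
import json

# Constructed sample records (not real players): the kind of player data
# (data categories 1 and 2) a video game company might hold. Assumption
# for this example only.
SAMPLE_PLAYERS = [
    {"player_id": "p-1001", "email": "alice@example.com",
     "display_name": "Alice", "country": "DE", "puzzle_scores": [12, 18, 20]},
    {"player_id": "p-1002", "email": "bob@example.com",
     "display_name": "Bob", "country": "FR", "puzzle_scores": [7, 9]},
    {"player_id": "p-1003", "email": "carol@example.com",
     "display_name": "Carol", "country": "DE", "puzzle_scores": [15]},
]

# Fields the scientific question is assumed to need. Everything else is
# dropped (data minimization); direct identifiers never leave the controller.
RESEARCH_FIELDS = ("country", "puzzle_scores")


def pseudonym(player_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the player id.

    A plain hash of a short, structured id such as "p-1001" could be reversed
    by enumerating candidate ids; the secret key, held only by the controller,
    prevents that for anyone who receives the dataset.
    """
    return hmac.new(key, player_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Build the research dataset: pseudonym plus research fields only.

    The pseudonym is stable per player, so repeat contributions by the same
    player can still be linked by the researcher without knowing who it is.
    """
    dataset = []
    for rec in records:
        item = {"pseudonym": pseudonym(rec["player_id"], key)}
        for field in RESEARCH_FIELDS:
            item[field] = rec[field]
        dataset.append(item)
    return dataset


def build_reidentification_table(records, key: bytes):
    """Pseudonym -> player id mapping.

    Kept by the controller, stored separately from the research dataset and
    access-restricted; it is the "additional information" that keeps the
    dataset personal data in the controller's hands.
    """
    return {pseudonym(r["player_id"], key): r["player_id"] for r in records}


def leaks_direct_identifiers(dataset) -> bool:
    """Export check: no email or display-name field survived the minimization."""
    serialized = json.dumps(dataset)
    return any(marker in serialized for marker in ("email", "display_name", "@"))


if __name__ == "__main__":
    # In practice the key comes from a secrets manager; constructed here.
    key = b"controller-only-secret-key"
    research = pseudonymize(SAMPLE_PLAYERS, key)
    print(json.dumps(research, indent=2))
    print("direct identifiers leaked:", leaks_direct_identifiers(research))
```

The export check at the end is the kind of automated control that belongs in the "process for regularly testing" item above: run before every hand-over of research data, it fails the export as soon as a schema change lets a direct identifier back into the dataset.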

c. Benefits of the scientific research privilege

Provided appropriate safeguards as outlined above have been implemented based on the risk of the processing, the GDPR scientific research privilege allows for a number of derogations from applicable data protection rules. However, some of the privileges require additional measures to be implemented (aside from the general “appropriate safeguard” requirement) in order to benefit from them, or they stipulate that certain measures are mandatory.

aa. Exemption from the principle of purpose limitation for further processing

All personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (principle of purpose limitation, Art. 5 (1) lit. a part 1 GDPR). A subsequent change of the purpose is only allowed under the strict requirements of Art. 6 (4) GDPR (which also applies to special categories of personal data, cf. Art. 6 (4) lit. c GDPR). However, with regard to archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, the further processing shall not be considered to be incompatible with the initial purpose (Art. 5 (1) lit. a part 2 GDPR). Thus, under the GDPR scientific research privilege, it is assumed that the further processing for scientific purposes with regard to personal data that was initially collected for other purposes is generally in line with the initial purpose.


bb. Exemption from the principle of storage limitation

All personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (principle of storage limitation, Art. 5 (1) lit. e part 1 GDPR). However, personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89 (1) GDPR, subject to implementation of the appropriate technical and organizational measures in order to safeguard the rights and freedoms of the data subject (Art. 5 (1) lit. e part 2 GDPR).

cc. Exemption from Art. 14 GDPR information obligations

Art. 14 (1) GDPR stipulates that where personal data have not been obtained from the data subject, the controller shall provide the data subject with certain information. However, Art. 14 (5) lit. b sentence 1 GDPR includes an exemption in case “the provision of such information proves impossible or would involve a disproportionate effort.” With regard to scientific research purposes, it is assumed that the requirements of the exemption are met (Art. 14 (5) lit. b sentence 1 part 2 GDPR). This exemption becomes relevant in particular where personal data of third parties is collected only incidentally, such as where the player is asked to take photos in certain locations that might include bystanders or license plates (see data category 3 as described above). However, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available (Art. 14 (5) lit. b sentence 2 GDPR). Thus, the controller is still entitled to provide the information pursuant to Art. 14 (1) GDPR but could, for instance, do so by adding the information to the website of the video game.

dd. Exemption from the right to erasure (Art. 17 GDPR)

Pursuant to Art. 17 (1) GDPR, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where certain criteria apply. However, Art. 17 (3) lit. d GDPR provides an exemption for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.

ee. Exemption from the right to object (Art. 21 GDPR)

According to Art. 21 (1) GDPR, the data subject generally has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her that is based either on public interests (Art. 6 (1) sentence 1 lit. e GDPR) or legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR). However, with regard to data processing for scientific or historical research purposes or statistical purposes, the right to object is not included in the general rule of Art. 21 (1) GDPR but in Art. 21 (6) GDPR, which stipulates that the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest. While the specific right to object with regard to scientific or historical research purposes or statistical purposes requires the controller to demonstrate that “the processing is necessary for the performance of a task carried out for reasons of public interest,” it does not require the controller to show that “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject” exist, as is required by the general rule under Art. 21 (1) sentence 2 GDPR. Demonstrating that “the processing is necessary for the performance of a task carried out for reasons of public interest” only requires prima facie evidence because the processing for scientific research is a privileged purpose under the GDPR. Thus, it can generally (but not necessarily in any case) be assumed that the processing serves public purposes. However, this does not release the controller from the obligation of being able to substantially demonstrate that the processing takes place for scientific research.

Note that the GDPR includes another exemption from the right to object on the basis of EU member state law. Such exemption goes beyond what is included in Art. 21 (6) GDPR (see next section).

ff. Exemption from the right to access, rectification, restriction and object, pursuant to Art. 15, 16, 18 and 21 GDPR on the basis of EU member state law

Art. 89 (2) GDPR provides that where personal data is processed for scientific or historical research purposes or statistical purposes, EU or EU member state law may provide for derogations from the right to access, rectification, restriction and object pursuant to Art. 15, 16, 18 and 21 GDPR. Thus, unlike other privileges granted under the GDPR scientific research privilege (e.g., exemption from the right to erasure, see above), an exemption from the data subject rights included in Art. 15, 16, 18 and 21 GDPR does not only require that: (i) the research constitutes scientific research within the meaning of the GDPR; and (ii) appropriate safeguards are in place, but additionally that (iii) the relevant EU member state has made use of the exemption provided in Art. 89 (2) GDPR and implemented a derogation from Art. 15, 16, 18 and 21 GDPR; and (iv) the requirements of such national law exemption are met. Whether this is the case depends on the relevant EU member state.

Germany, for instance, has made use of the Art. 89 (2) exemption with Sec. 27 (2) FDPA, which provides that the rights of data subjects provided in Art. 15, 16, 18 and 21 GDPR shall be limited to the extent that these rights are likely to render impossible or seriously impair the achievement of the research or statistical purposes, and such limits are necessary for the fulfilment of the research or statistical purposes. Further, the right of access according to Art. 15 GDPR shall not apply if the data are necessary for purposes of scientific research and the provision of information would involve disproportionate effort.

gg. Exemption for special categories of personal data

Art. 9 (2) lit. j GDPR provides that the prohibition to process special categories of personal data does not apply if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89 (1) GDPR based on EU or EU member state law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. Thus, similar to the exemption from the data subject rights included in Art. 15, 16, 18 and 21 GDPR (see above), the exemption for the processing of special categories of personal data does not only require that: (i) the research constitutes scientific research within the meaning of the GDPR; and (ii) appropriate safeguards are in place, but additionally that (iii) the processing must be "necessary" to achieve the relevant purpose; (iv) the relevant EU member state has made use of the exemption provided in Art. 9 (2) lit. j GDPR and implemented a legal basis for the processing of special categories of personal data for scientific research (and other in-scope) purposes; and (v) the requirements of such national law exemption are met.

Again, Germany is an example of an EU member state that has made use of the Art. 9 (2) lit. j GDPR exemption with Sec. 27 (1) FDPA, which provides that the processing of special categories of personal data shall be permitted without consent, for scientific or historical research purposes or statistical purposes, if such processing is necessary for these purposes and the interests of the controller in processing substantially outweigh those of the data subject in not processing the data. Furthermore, the controller shall take appropriate and specific measures to safeguard the interests of the data subject. Thus, the German law repeats most of the requirements that are already set out under the GDPR. The only additional requirement is that "the interests of the controller in processing substantially outweigh those of the data subject in not processing the data."

hh. Broad consent

Although only mentioned in the recitals (Recital 33), the "broad consent" exemption can be considered as another exemption under the GDPR scientific research privilege. "Broad consent" allows the controller to obtain consent for certain "areas of research or parts of research projects" instead of for specific purposes and without the necessity to obtain a new consent for each data use for other scientific research purposes. Thus, "broad consent" constitutes a derogation from the requirement that consent must be given for "one or more specific purposes." The "broad consent" exemption was already discussed in the consent section above (under II.3.d.aa.(1)(b)).

ii. Application of legitimate interest exemption is more likely

The fact that the GDPR scientific research privilege applies does not automatically mean that all processing activities conducted in line with the research project are justified. The processing still requires a legal basis pursuant to Art. 6 and/or 9 GDPR. However, with regard to the legal basis of legitimate interest (Art. 6 (1) sentence 1 lit. f GDPR), the implementation of appropriate safeguards together with the fact that scientific research in the general public interest is privileged under the GDPR provides a strong argument that the processing can be based on such exemption.

III. Copyright law (high-level comments)

Questions related to copyright law arise in particular where citizen scientists are asked to execute some form of creative activity. An example could be citizen scientists taking pictures with a mobile camera all around the world, with the pictures subsequently being used by the researcher or the video game company for the project.

With regard to copyright law, it must be differentiated between whether the work created by the citizen scientist will: (i) only be used internally (e.g., to improve the video game company's AR mechanism); (ii) be commercially exploited by one of the parties to the citizen science project; or (iii) be made available for use by the general public (e.g., if the research carried out is conducted in the general public interest, such as for the creation of a free, publicly accessible database for scientific purposes).

In the case of (i) and (ii), the relevant party that intends to use or exploit the work created by the citizen scientists should ensure that it acquires sufficient rights from the citizen scientists to use/exploit the created works in all required ways and territories. In many scenarios, it might be sufficient to add the required language to the terms and conditions of the video game. However, in some jurisdictions (e.g., Germany) certain clauses can be considered unenforceable if they are regarded as surprising for the consumer. Whether this is the case depends on the individual circumstances. Still, a reasonable gamer might not expect that a picture he or she takes in the course of a normal video game might later be commercially exploited. In such a case, a more prominent message might be required.

With regard to (iii), the use of Creative Commons (CC) licenses provides an adequate solution to obtain rights in order to enable the general public to use all created works. Using CC licenses is often referred to as bringing a work "into the public domain." However, this is legally not always correct, as in some jurisdictions (e.g., Germany, France and Austria) copyright owners cannot waive their copyright. In these jurisdictions, CC licenses typically have the copyright owner grant a far-reaching license (to the extent allowed by local law). Different levels of CC licenses, and versions for different jurisdictions, exist. Which license is appropriate for the relevant project should be analyzed depending on the individual case and the involved territories.

Sebastian Schwiddessen
Senior Associate, EMEA Key Contact Video Games
[email protected]
+49 89 5 52 38 119
Theatinerstrasse 23, Munich 80333, Germany