The Convoluted Case of Data Privacy and Esports Industry in India: Challenges and Way Forward

Introduction

With the growth and intervention of technology over the past few years, we are living in a metaverse. The impact of it can be witnessed in almost every aspect of our lives, especially after the COVID-19 Pandemic. The gaming industry in India seems to have taken a massive leap by formulating virtual manifestation of traditional sports known as “electronic sports” or “esports”. A word to the wise — esports should not be confused with gaming. While the latter is recreational fun, esports is a game of skill that is played online by particular teams and individuals in tournaments, intending to win the championship, league, or title like in physical sports.¹ According to the latest reports by the Federation of Electronic Sports Associations India (FEAI), esports is a booming industry.² Recently, an Indian contingent of esports players representing the country at the 2022 Commonwealth Esports Championship has won bronze in the multiplayer online role-playing game, Dota 2.³

Any new development involving the rights of individuals attract legal and policy questions. With the withdrawal of the Personal Data Protection Bill, 2019, data privacy and cyber security are issues that lie at the heart of esports regulation in India. Broad challenges that seem relevant in this regard are — (1) collection, use and storage of data; (2) effect and process of withdrawal of data; (3) in case of minor children, parental consent; (4) limitations on service provider; (5) liability in case of data breach; and (6) jurisdiction and enforcement mechanisms. The Information Technology Act, 2000 and 2008 and the related rules, along with the recent Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Guidelines, 2021)⁴, may prove of some assistance in meeting the aforementioned challenges. However, it is immutable that both esports and data protection demand a comprehensive framework for themselves.

Examining challenges to esports activities vis-à-vis data protection under Indian laws

Information Technology Act, 2000

As per Section 2(1)(w), intermediary, with respect to any particular electronic record, means, any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online auction sites, online-market places and cyber cafes.⁵ The platform hosts of esports may also be considered under an elaborate interpretation of this definition, if services were to include facilitation and regulation of online sports activities like tournaments, etc. Section 66-E of the Act provides for punishment for violation of privacy. The language of the provision is specific to capturing, publishing, and transmission of an image without consent. With the advent of esports, the provision should be reconsidered to address challenges brought in by esports such as cyberattacks through “ransomware”, use of malware to steal multiple account credentials (social media, credit accounts and others), sale of accounts hampering the reputation of legitimate players,“distributed denial-of-service (DDoS) attack” leading to compromised resources and performance issues, supply chain attacks and hidden hardware hacks. Further, Section 72-A of the Act provides for punishment for disclosure of information in breach of a lawful contract. This section should be utilised to measure and fix third-party liability in esports activities. To understand third-party role in esports activities, let us take an example — like in the food industry, a restaurant may be very good at providing quality food but may lack delivery and logistics. Similarly, an esports company may be exceptional at graphics, etc. but may struggle with building a community of players around the game, broadcasting, netcode, etc. In such a case, the role of a third party comes into the picture. Keeping in view the principles of privity of contract and the aforementioned Section 72-A of the IT Act, breach of data by a third party in any esports activity is an issue which demands legislative clarification.

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Guidelines, 2021)

The Intermediary Guidelines, 2021, was notified by the Ministry of Electronics and Information Technology (MeitY) to ensure a safe, trusted, and accountable internet for all internet users. “Social media intermediary”, under the Act, means a social media which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.⁶ Online sports involve interaction between multiple users. It also allows the distribution of information to some extent. In such a scenario, the duties and responsibilities of intermediaries may be equated with those of the esports platforms as well as broadcasting channels — Section 3(1), Part II provides for “due diligence” of an intermediary.⁷ The question that may find relevance in this regard is enforcement of punishment/dispute resolution with regards to an intermediary situated outside India or placed virtually only. For instance, if a data breach or malware attack takes place on a host server, leading to data theft/misuse of player information, what would be the correct forum for redressal and how would the enforcement of such an award/judgment be ensured? With the absence of a regulatory framework specifically dedicated to the esports industry, overlapping of data privacy and information security laws is inevitable.

Esports v. Online Gaming: Muddy Waters

The Government of India recently introduced the Online Gaming (Regulation) Bill, 2022 in the Lok Sabha on 1-4-2022.⁸ According to the Bill, India has around 420 million active online gamers with a valuation of $1 billion, and the industry is estimated to grow to $5 billion by 2025.⁹ The Bill defines “online gaming” as games played on any electronics device including personal computers, mobile phones, tablets and other devices.¹⁰ Since there is no distinction between “game of skill” and “game of chance”, it is apparent that the Bill aims to regulate all kinds of games played on such electronic devices. The Online Gaming (Regulation) Bill, 2022 mandated the constitution of a regulatory commission¹¹ and a licence for online gaming server/website¹² as granted by the Commission. However, this Bill is lacking as it does not touch upon the subject of data protection. The million-dollar question is whether esports is covered within the ambit of the definition of online gaming? And if it is covered, then will not it be detrimental to include esports within the purview of online gaming when esports has a separate realm of its own.

While the Online Gaming (Regulation) Bill, 2022 is envisaged to be a Central legislation, the Government of Rajasthan has recently introduced the draft Rajasthan Virtual Online Sports (Regulation) Bill, 2022. In a bizarre twist of events, the Rajasthan Government has tried to bring esports under its purview along with fantasy gaming which has caused quite some sparks within the gaming community. Though the efforts of the Government of Rajasthan must be lauded, however, the same is misguided. Any codified law applicable to only a particular State will add more chaos to the mix. Thus, it is reiterated that a regulatory framework is required to govern only esports without it being clubbed with fantasy gaming or online gaming.

Position of esports in other jurisdictions

[Position in South Korea and South Africa are referred with regards to the esports framework and recognition and the General Data Protection Regulation, EU is referred for inferring data privacy framework that may find relevance in governing esports in India].

South Korea

With some of the top teams in the world, South Korea consistently performs well in esports competitions. Hacking and cheating to undermine the integrity of the game are frequent issues in such a competitive atmosphere. The Government has implemented severe measures, including the imposition of fines and jail terms, to stop this. The following are the instances providing an overview of the same:

(i) Under the Game Industry Promotion Act of 2017, boosting for profit (when a player logs into another player’s account to play a rated game to enhance their ranking) is punishable by up to two years in prison and a KRW 20 million ($18,000) fine.¹³

(ii) In accordance with the Game Industry Promotion Act of 2017, users who participate in esports can log in using their registered social security identity number (SSIN). This enables the authorities to identify and punish gamers who have engaged in detrimental in-game behaviour in accordance with the Act.

(iii) In December 2016, the South Korean Parliament passed an amendment to the Game Industry Promotion Act, 2006, making it illegal to produce and distribute software that violates the terms of service and publisher policy. This was done in response to the rise in hacking activities in online gaming. Aimbots, hacking software, scripters, and cheaters fall under the amendment, and the punishment for hacking is a fine of up to $43,000 or five years in jail.¹⁴

South Africa

Esports have not been officially recognised as a sport in South Africa. Instead, it is classified as a “mind sport” in the same category/discipline as chess and is administered by Mind Sports South Africa (MSSA).

MSSA is a national governing body for all mind sports, including esports, and has been officially recognised by an Act of Parliament in South Africa.¹⁵

General Data Protection Regulation (GDPR), EU

GDPR is an EU law with mandatory rules for how organisations and companies must use personal data in an integrity friendly way. Personal data means any information which directly or indirectly could identify a living person—name, phone number, and address are examples of personal data. Interests, information about past purchases, health, and online behaviour may also be considered as personal data as it helps to identify a person.¹⁶

The seven principles that are recognised under the GDPR in relation to the data acquired by intermediaries are: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

Significant provisions of the GDPR that ensure comprehensive data protection include Articles 6(1)(a) to 6(1)(f) that provides for lawfulness of processing which allows data processing only after obtaining consent of the data subject or when it is necessary for the performance of a contract or for compliance with a legal obligation or where it is necessary for the performance of a task carried out in the public interest.¹⁷ It further mentions special categories of data under Article 9 and conditions applicable to children’s consent under Rule 8. This might be relevant in respect of esports, as a large proportion of the players involved in esports activities are of a young age. The GDPR also provides for a right of erasure under Article 17, similar to that which the proposed PDP Bill, 2019, provides for a right to be forgotten. Article 21 right to object (against data marketing/profiling) and Article 22 right against automated processing, which is likely to produce legal effects, are other significant features that may be taken into consideration while devising a framework in India.

Way forward for India

In the absence of any framework, either on esports or on data privacy, the following are the recommendations that may be considered while regulating esports in India:

(i) Amendments to the Information Technology Act and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, may be made to address the challenges of extra-territorial disputes — foreign/remote platforms/servers storing personal and sensitive information of the players in India. This should be done in addition to a comprehensive data protection law, which should also address issues of minor consent (in respect to esports).

(ii) A transitionary framework may be passed, keeping in sight the growth of the esports industry.