As I’m sure you are aware, on October 7, the European Court of Justice invalidated the long standing “Safe Harbor” agreement between the US and the European Union.  The agreement provided a framework that allowed US companies to access and store data from EU citizens and vice versa, based on pledges from both sides to treat the data properly and adhere to commonly accepted principles.

As yet another surprising consequence of the exposure of the NSA’s massive surveillance by Edward Snowden, the ECJ revoked the US’s Safe Harbor status because unwarranted interception and search of data violates the principles of the agreement.

Technically, since the Safe Harbor status was declared invalid, any data from EU users that is currently stored on US servers is illegal, although it is doubtful that there would be any action taken, at least until February of 2016. The Article 29 Working Party (an independent EC agency charged with data protection) gave the US and EU until January 31 to solve this rift or face enforcement actions.  

So what does this mean for game publishers? It’s hard to say with precision what the outcome of all this will be. The worst case would be that no replacement agreement can be made, forcing publishers to create separate data centers for US and EU customer data and ensure that they never co-mingle.  That would be expensive and inefficient.

The burden of dealing with this mostly falls on US-based companies. EU-based publishers who capture data from US users presumably do so under the EU data privacy directive rules and are therefore in compliance. Other US-based companies that store international data such as Google and Facebook are working very diligently to try to find a solution to the Safe Harbor problem because they will bear the largest impact to their operations if a new agreement cannot be struck.

While it would seem clear cut whether your company is based in the EU or US, the architecture of modern games muddies the water significantly. For example, if an EU-based company includes a crash reporting service from a US company in its game, and if the crash reporting service captures and stores data, a case could be made that the game is in violation without the protection of Safe Harbor because some data from EU users will end up stored on US servers.

When you consider all the third party add-in components that make up a modern game such as push notifications, leaderboards, multiple ad networks, analytics, live chat, social interfaces, and the fact that most of these components are developed by US companies,  very few games in the app stores are completely free of US data storage.

I do not think it will come to the point where publishers have to rewrite their games to store data in certain places. This would go against the general inertia of the tech world in general and the game market specifically, where games are being designed to operate across many different device platforms, languages, and regulatory environments.

For now, I think we are in a ‘wait and see’ mode. Despite its $20B size, the mobile game market is just a tiny speck of the enterprises that need to have a positive outcome to the Safe Harbor problem.  I think the Googles and Facebooks of the world will lead the way to an acceptable solution on Safe Harbor and ‘data armageddon’ will be averted by January 31, 2016.  But if I’m wrong, it is probably a good exercise for EU publishers to consider how many US based components populate their apps, and for US publishers to consider how they might have to re-architect their games to store EU data only on EU compliant servers.

Next time,  I’ll give a detailed update on what’s been happening with COPPA, and the new version of the EU Data Privacy Directive which adds a COPPA-like protection for children, but defines children as being under 18.

If you'd like to educate yourself on COPPA, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions .  Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here:

http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title16/16cfr312_main_02.tpl