A site like that would mean that any person who owned the site would be also legally responsible for any breaches of GDPR and International Privacy Laws if any player names were indeed shared by anyone but the player themselves and accusations made. [...] Which is why this is all done behind the closed doors of Support as we will never discuss another players actions with another player.
[...] even your lovely Usernames are protected under GDPR [...]
Well, this is becoming quite interesting, although just for the record, I am non-competitive by nature and thus have no personal interest in the operation of 'push accounts' in any online game - and on an additional and more practical note, I've yet to encounter any online game where
nobody (especially competitive players) operates such 'alt' accounts, assuming that the game's structure allows it.
My interest lies in the way in which the GDPR is (it seems) being interpreted here. There's a tendency to assume (a) that the GDPR is highly innovative, when in fact it differs only slightly from many pre-existing Data Protection laws, and (b) that the GDPR in some way negates normal freedom of expression
by individuals of either facts or opinions about any other individual whose personal data is covered by the regulations, which is also not true. And perhaps most importantly, the GDPR does not provide an excuse for anyone to take (or fail to take) any action so as to contravene
other legal principles, such as Freedom of Speech, Freedom of Information (where such legislation exists), and/or internationally agreed Human Rights laws - whether in the public domain or 'behind closed doors', since the law applies everywhere in equal measure (well, outside of very unusual examples, e.g. court cases or documents maintained
in camera due to National Sercurity concerns, or in other specific [and very rare] legal situations to which the GDPR may apply).
The main reasons (this is an over-simplification, but I doubt that anyone wants to read a [more?] huge essay on the subject!) why the GDPR legislation was created were because the EU was attempting (amongst other, lesser aims) to provide data protection to EU citizens whose nation states had inadequate legislation in place; to harmonise the differing Data Protection laws which already applied within its member states (and often still do apply; EU law doesn't necessarily override national law in any given situation); and to address the concerns of many people regarding their data privacy due to the rise of the Internet in general and Anti-Social Meeja in particular, with the consequent power of governments and corporations to access the personal data of many individuals without, in some cases, being legally obliged to protect said data from
misuse - which does not, of course, mean 'any usage whatsoever'. There is also a distinction to be made between what actually constitutes 'personal' as opposed to 'public' data; it is not the case that
all known facts about
all persons are even considered to be 'personal'.
What the GDPR does (another simplification, but it's sufficient for the purposes of general discussion) is to provide individuals with the following rights with respect to personal data held by corporations, governments, and any other entities which the legislation encompasses:
"... the right to be informed [of what data is being held], the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and also rights around automated decision making and profiling."
~ Source :
https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
What the GDPR does
not do, and nor should it, of course, is to prevent anyone from making legitimate statements about the real-world public sphere (or private sphere, in cases which affect others' legal rights) actions, behaviours, opinions, etc. of any individual, provided that such statements are demonstrably true. (NB: most countries' laws on libel and slander pre-GDPR were already, and typically still remain, quite adequate when it comes to any instances of genuine defamation - which is
not the stating of true facts about any person, but rather the originating or repeating of falsehoods which may
materially damage that person's reputation [simply being 'upsetting' or 'offensive' is usually not adequate grounds for defamation to be proven; real, quantifiable loss must result for defamation to have occurred]. In fact, defamation really has little to do with Data Protection
per se).
The general impression I gather from the discussion here is that the GDPR is argued to be in some way capable of preventing anyone from stating true facts about anyone else - whether that person is referenced by their real name or by any assumed name (Internet username, nickname, etc.) which they might adopt. This is not true, and if it were, then the GDPR would be the gravest breach of fundamental Freedom of Speech which any legislation had ever attempted. I know of no Free World legislation which considers any person's name (again, including any publicly used assumed nickname such as an Internet ID) to be, of itself, 'private data' which no other person may publish or discuss, and no person's genuine, real-world actions, likewise, are considered to be 'private data' which other people are not allowed to know or enquire about.
Imagine a world where that were the case - nobody would be allowed to say, write, or do anything at all relating to actions taken or statements made on the Internet by any person using an assumed ID, for a start, without that person's express permission. Not only would this be impossible to enforce, but it would be entirely contrary - as already mentioned - to the principles of Free Speech, as well as signalling the end of Freedom of the Press... and there would be so many more highly undesirable effects as well, of course. By way of extreme example, this would prohibit anyone from being prosecuted for any crime committed under an assumed Internet ID without their own permission first being sought not only to associate that username with their real name and person, but also to attribute to that person/ID any aspect of the crime concerned - which is evidently ridiculous.
If any individual does not wish any other individual to know their name and/or their Internet ID, and/or to associate their public actions with their real and/or assumed name(s) - and general legal principles dictate that 'public actions' would include observable behaviour such as operating 'push accounts' in a publicly available online game under an[other] assumed Internet name - then their sole recourse would be to apply for a court injunction protecting those pieces of information, although this would probably be very hard to achieve, since such data is usually regarded, by most Free World law courts, as being in the public domain (and, again, so it should be, if the public is to be protected from malfeasance by, amongst others, elected officials, corporate bodies, and indeed other individuals, too). This does not, of course, affect the legal obligations placed upon InnoGames or any other data-holding entity (by GDPR or other legislation) to protect the private data of individuals from being illegally accessed or disseminated, but nor does GDPR indicate that any entity which holds personal data on any given individual has the right to restrict the legitimate usage by
other private individuals of that individual's public-sphere data - which, again, includes any assumed Internet ID.
Defamation of character lawsuits are a very common thing these days.
InnoGames may set such rules as it pleases concerning its proprietary webspace. However, such rules cannot affect other locales, so I cannot see how any of rights granted by the GDPR regarding how a person's data is handled would prevent any
other person (website, newspaper, etc.) from publishing
elsewhere the real names, the assumed Internet IDs, and/or the real and genuine observed public sphere actions (including any public behaviour within any online video game, or indeed anywhere else) of any given individual, including their operation of 'push accounts'. It is, after all, not possible to 'defame' anyone by observing or publishing their real actions - and there is quite some leeway when it comes to merely 'alleged' actions, too, which is why the Press always uses that very word ('alleged') when describing the charges laid against anyone who is accused of any given crime, before their trial has taken place and their innocence or guilt of said crime is thereby established.
It could also be seen that any creating this were doing so as also a direct breach of Elvenar's Game Rules and InnoGames Terms and Conditions of which there could also be legal consequences.
If I am understanding this statement correctly (?), the concept that anything contained within Elvenar's Game Rules and/or InnoGames' Terms and Conditions would be capable of binding, dictating, or otherwise affecting any individual's behaviour
beyond their usage of InnoGames properties (e.g. software, webspaces, etc.), such as on external, non-InnoGames websites, for example, then I cannot imagine which part of the GDPR InnoGames may interpret as giving them control of their players' actions which are
outside of InnoGames' properties, and I can only assume that if they really do believe that they have such powers (which I doubt), they would find themselves disappointed if they were to test this belief in almost any court of law.
