Cloud computing services and technologies are growing and evolving rapidly. However, cloud computing also presents legal risks regarding data security and the processing of personal data. This has prompted several significant regulatory initiatives in the EU.

Cloud computing refers to the evolution where information technology resources are separated from the underlying infrastructure, and dynamically scalable virtualised resources are provided “as a service” over the Internet (“the cloud”). Instead of the traditional computing model based on buying and maintaining private computer systems and software, cloud computing focuses on centralized services. According to prominent security experts and programmers, apart from the term, the technologies to which cloud computing refers are nothing really new. What has been happening over the past few years, however, is that new computing services and technologies, rebranded under the more generic name of “cloud computing”, have been fuelling the drive towards it.

As with any other type of services, games may be offered via cloud-based technologies as well, allowing the gamer to access the gaming offering through smart phone, tablet, personal computer or even a television. The only thing needed by a gamer is a sufficient Internet connection. Cloud-based gaming offers particular advantages, e.g. allowing access to games from whatever place on whatever device, and allowing a user to pick up a game wherever it was left regardless of the console used. It also allows the business to innovate, for example, by allowing players to compete with each other regardless of the platform used. The importance of gaming services offered on social network sites, which are also cloud-based, shows the importance of this computing model in the gaming industry.

But the advantages and benefits offered by cloud computing are accompanied by particular legal risks as well. Data security and the location and processing of personal data are among the major concerns mentioned when contracting cloud-based services. Other particular risks exist as well, but may be of lesser importance in a gaming context, such as data portability and interoperability between cloud service providers.

Particularly in relation to the processing of personal data, it is likely that the gaming provider will process some forms of personal data of the gamer, including the latter’s name and other identification data, but also individual information relating to the gamer’s device such as an IP address or a telephone number. General EU data protection laws (as implemented at a national level) are likely to apply in this scenario. This would, for example, mean that the gamer should be well-informed about which data is collected and maintained, for which purposes these data are used and which categories of recipients may come into contact with the data. Also, and this is particularly relevant in a cloud computing context given its cross-border nature, the question arises as to whether personal data are transferred solely within the European Economic Area (“EEA”). Processing outside of the EEA is only allowed in exceptional circumstances, as prescribed by law. These and other concerns make it clear that, certainly from a data protection point of view, “go cloud” – decisions should be well-planned on the legal, commercial and strategic level. 

However, regulators have not stood still during the exponential growth of the cloud offering for all industry sectors as well as for the public sector.. Several administrative authorities in the EU Member States, and in particular data protection authorities (DPAs), have issued recommendations or guidelines in relation to the offering or uptake of cloud computing services. 

Next to regulatory initiatives on the local level, the European institutions have turned out to be a driving force for the further development of cloud computing. Along with this development, emphasis has been put on the regulatory framework surrounding cloud computing, including a particular focus on data protection issues. As an example, the Working Party 29, the European data protection advisory body, has issued a lengthy opinion on the use of cloud computing and its impact on data privacy. Next, the European Commission has issued a strategic plan in which it sets out its strategy to boost cloud computing offerings and use throughout the Internal Market. This strategic plan contains a number of action points, several of which directly relate to issues of processing of personal data. One of these is the drafting of a data protection Code of Conduct for cloud service providers. For each of the action points undertaken by the European Commission, specific expert groups, containing representatives of the industry and various other stakeholders, have been established. DLA Piper, as an expert cloud law firm, is strongly involved in a number of these policy initiatives.

As a result of the Commission’s action plan, new regulatory initiatives may be issued in the coming months or years on a voluntary basis. It will be interesting to follow up on how these could further impact the use of cloud-related technologies in the gaming industry.