At noon today, the official World of Warcraft Weibo account and the official public account of Warcraft Logs (WCL), a combat log analysis website for World of Warcraft, jointly released an announcement stating that WCL would temporarily suspend the in-game display of dungeon score rankings. According to the announcement, this adjustment is intended to further optimize players’ gaming experience and to protect user data privacy.
As a powerful combat log analysis platform, WCL allows players to upload their own combat logs and conduct detailed data analysis, thereby improving individual gameplay skills and team coordination. The widespread adoption of WCL has not only promoted communication and competition among players, but has also contributed to the healthy development of the World of Warcraft game ecosystem. However, with the rapid growth of the classic servers, the dungeon score feature of the WCL add-on has triggered a series of controversies and discussions.
WCL Function Adjustment
Recently, the dungeon score feature of the WCL add-on has sparked widespread controversy. On the one hand, this feature provides players with an intuitive evaluation standard, helping them understand their performance within a team. On the other hand, some players believe that this feature may lead to data abuse and privacy leakage, and may even become a standard for judging whether other players are “qualified,” thereby undermining fairness and inclusiveness within the game.
In response to these concerns, WCL, after careful consideration, decided to temporarily suspend the in-game dungeon score viewing function. At the same time, WCL also stated that it would cooperate with the official game operator in the future to provide more comprehensive technical support, ensuring the security and privacy of player data.
Data Compliance Issues Worth Noting in the WCL Incident
Prior to the adjustment of the WCL add-on functionality, two issues had already caused heated discussions online. First, WCL scores became a screening criterion for forming teams, exacerbating competitive pressure within the game and leading to resistance from players on the mainland China servers. Second, there were online allegations that WCL was “complained against for stealing user information and uploading it to overseas websites,” thereby violating legal requirements on cross-border data transfers. Below, we discuss the legal requirements underlying these two issues.
Before addressing these issues, it is necessary to first clarify a basic concept: what constitutes personal information? In order to achieve data statistics functions, game plug-ins typically need to collect the following types of data:
(1) Identity-related data: account information, nicknames, avatars, friend lists, etc.;
(2) Game log information: login logs, item logs, operation logs, match data, game videos, etc.;
(3) Game progress and achievements: user levels, scores, rankings, completed tasks and achievements, etc.
According to the Information Security Technology – Personal Information Security Specification, where information collected by a game plug-in can, either independently or in combination with other information, identify a specific natural person or reflect the activities of a specific natural person, such information constitutes personal information.
(I) Does Uploading Other Players’ Data Without Consent Constitute an Infringement of Personal Information?
In World of Warcraft, many players have questioned why other players are able to upload data containing their game information to WCL without their consent. In the United States, one player even sued Blizzard after allegedly suffering a divorce as a result of privacy leakage caused by the “Armory” feature. This raises the question: does uploading other players’ data without consent constitute an infringement of personal information?
Pursuant to Article 13 of the Personal Information Protection Law of the People’s Republic of China, personal information processors are generally required to obtain the individual’s consent when processing personal information. Therefore, when players upload game data that contains the personal information of other players, they should first obtain the consent of those other players; otherwise, such conduct constitutes an infringement of personal information.
In addition, for game platforms, where the platform provides mechanisms that facilitate players uploading data through game plug-ins, it should carefully review whether the relevant data contains other users’ personal information. If such data does include personal information of other players, the platform should clearly inform users in its Privacy Policy and obtain their consent, and where necessary, obtain separate consent. For example, in games that provide match recording and video sharing features, players are often required to notify other participants and obtain their consent before recording and sharing videos.
For game plug-in developers, prior to obtaining player data, they should clearly specify in their privacy policies the types of personal information collected and their purposes, and obtain user consent. Moreover, plug-in developers should specifically include clauses addressing the uploading of third-party personal information, such as: “The information you publish may contain the personal information of others. You must obtain lawful authorization from such individuals and avoid the illegal disclosure of others’ personal information.”
(II) Does Sharing Game Plug-in Data with Overseas Websites Constitute a Cross-Border Data Transfer?
In the WCL add-on adjustment incident, another issue worthy of attention is the online allegation that WCL was “complained against for stealing user information and uploading it to overseas websites.” This raises the question: what constitutes cross-border data transfer, and what conditions must be met?
1. What Constitutes Data Export?
According to the Guidelines for the Application of Data Export Security Assessment (First Edition) issued by the Cyberspace Administration of China, the following circumstances constitute data export:
(1) Data collected and generated by data processors during domestic operations being transmitted or stored outside the territory;
(2) Data collected and generated by data processors being stored domestically, but accessible, retrievable, downloadable, or exportable by overseas institutions, organizations, or individuals;
(3) Other data export scenarios as prescribed by the Cyberspace Administration of China.
2. What Are the Compliance Requirements for Data Export?
At present, there are three primary compliance mechanisms for data export: entering into a standard contract for the cross-border transfer of personal information, obtaining personal information protection certification, and passing a data export security assessment. Each of these mechanisms has its own applicable scope and characteristics.
3. Are There Any “Exempted Scenarios” for Data Export?
According to the Provisions on Promoting and Regulating Cross-Border Data Flows issued on March 22, 2024, the following data export scenarios are exempt from applying for a data export security assessment, entering into a standard contract for cross-border personal information transfer, or obtaining personal information protection certification:
(1) Data collected and generated in activities such as international trade, cross-border transportation, academic cooperation, cross-border manufacturing, and marketing that is provided overseas and does not contain personal information or important data;
(2) Personal information collected and generated overseas that is transmitted to China for processing and then provided overseas again, where no domestic personal information or important data is introduced during processing;
(3) Personal information that must be provided overseas for the conclusion or performance of contracts to which individuals are parties, such as cross-border shopping, logistics, remittances, payments, account opening, flight and hotel bookings, visa applications, and examination services;
(4) Personal information of employees that must be provided overseas for cross-border human resources management in accordance with legally formulated labor rules and legally concluded collective contracts;
(5) Personal information that must be provided overseas in emergency situations to protect the life, health, or property safety of natural persons;
(6) Where data processors other than critical information infrastructure operators cumulatively provide the personal information of fewer than 100,000 individuals overseas since January 1 of the relevant year (excluding sensitive personal information);
(7) Data provided overseas by data processors within free trade pilot zones that falls outside the negative list.
In summary, allegations that WCL “stole user information and uploaded it to overseas websites” still require verification through specific investigations. If WCL is found to have transferred user data overseas, whether such conduct violates cross-border data transfer requirements must be assessed on a case-by-case basis.
Conclusion
After examining the issues of game data privacy protection and cross-border data transfer underlying the WCL function adjustment, it is necessary to reiterate that game developers, platform operators, and third-party plug-in developers all bear significant responsibility for protecting user data security. This is not only a legal obligation, but also a matter of respecting and maintaining user trust.
For players, enhancing awareness of personal information protection is equally important. While enjoying the entertainment value of games, players should also learn to identify and carefully handle operations involving personal information.
Looking ahead, with continuous technological advancement and the gradual improvement of legal and regulatory frameworks, there is reason to believe that issues related to game data privacy protection and cross-border data transfers will be addressed more appropriately. On the premise of safeguarding user data security, the game industry is expected to achieve healthier and more sustainable development.
