Weaponizing The GDPR: Gamers Want To Use It To Flood Blizzard With Requests As Protest Over China Appeasement
from the what-exciting-times dept
We live in such fascinating times. We've had some posts concerning people getting (rightly) angry about Blizzard banning a top player who supported the protests in Hong Kong. In order to make the company feel more heat, apparently some pissed off players have been plotting to weaponize the GDPR and flood the company with data requests. This started with a Reddit post directly telling users that if they're upset about Blizzard's decisions regarding Hong Kong, to hit back with a GDPR request:
I know a lot of people, myself included, are upset by Blizzard/Activision's spineless decision to ban Blitzchung. After personally uninstalling all of my Blizzard games, I thought, "what else can I do?". The answer, is GDPR requests. Let me explain.
Under EU law, you're allowed to request all information a company has on you, along with the purpose of this information collection. What most people don't know, is that these requests are VERY hard to comply with, and can often take a company's legal group 2-7 days to complete PER REQUEST. If a company doesn't get you the information back in 30 days, they face fines and additional issues. In extreme cases, a company can request an additional 2 months to complete the requests if there is a large volume, but suffice to say, if a company gets a significant amount of requests, it can be incredibly expensive to deal with, as inevitably they will have to hire outside firms/lawyers to help out. So, if you want to submit a GDPR request, and live in the EU, you can use the following form letter....
I've actually been in the middle of investigating a different story about a possible weaponizing of the GDPR, but the details there have been a bit murkier, so it's fascinating to see things laid out so clearly here. To be clear, there does appear to be some cleverness here, though, it's true that such requests are a pain in the ass to comply with and can be costly and resource intensive. And while it may be fun and cathartic to use that power against a company like Blizzard as a way to punish it for its ridiculous stance, be clear that these kinds of weaponized GDPR requests are likely to be used against many others as well, including companies you might actually like.
This is yet one more reason why, even if you support the overall goals of the GDPR, you should be very, very concerned with how the law is actually implemented.
What most people don't know, is that these requests are VERY hard to comply with, and can often take a company's legal group 2-7 days to complete PER REQUEST.
Is this an accurate description of the process? How can a smaller company comply with such a request - that kind of legal work isn't cheap.
Re:
Yes, it's an accurate description of the process. Ain't the GDPR grand?
I do expect that a company that has its administration in order can comply with standard GDPR requests in a few minutes of actual work. It should not be too hard to make a database printout. The first requests might take more time to find out in which databases to search and to get decent formatting.
For companies that collect more data than they should, a selective database dump might result in filling several CD-writeables.
Re:
For an online games company, keeping session logs, they should probably not let you have more than the screen names of anybody you played with/against, lest they accidentally dox someone. Complying with that request now becomes somewhat more complicated.
Re:
"I do expect that a company that has its administration in order can comply with standard GDPR requests in a few minutes of actual work."
This is absolutely wrong. It's a ton of work because you have to comb through every single system used within a company to identify and extract the data requested by a person. Every request is a huge pain in the ass and ties up resources from the IT, Legal, and HR departments. Maybe each individual doing a small part is only spending a few minutes, but cumulatively it's a major project. Every. Fucking. Time.
The worst part about weaponizing these requests? You're not fucking the company over. You're fucking over a bunch of low level employees who end up doing the work. The CEO gives zero fucks about your request. Meanwhile a contractor making $12-$15 an hour is wasting their day working on tedious shit because some fuckhead wants to circle-jerk about how terribly Blizzard handled the situation. It costs these "protestors" nothing, and they ruin someone else's day. Someone whose only involvement was taking a job at a company these fuck heads are pissed at, over some shit which has zero impact on the lives of these fuck heads.
Fuck everyone who weaponizes GDPR requests.
Re: Re:
These employees are being paid to do this work. How, exactly, is this fucking them over?
Re: Re: Re:
Taking that thought a step further, the collection activity being paid for won't do anything positive for the bottom line, thereby having a negative impact on the CEO's potential bonus.
Re: Re: Re:
Because there's likely more interesting work they used to do before the GDPR, then this got dumped on them. Not all work is equal. Even at drone level some tasks are better quality than others.
Re: Re:
I work in this area. For some firms, a GDPR request is fairly easy to respond to as they only store customer contact information for shipping and purchase history. Think a small business selling products.
At the other end of the business spectrum is a conglomerate like Bank of New York Mellon. 21 distinct business entities covering everything from bank accounts to investments to call centers. A single request could impact over 100 people, has subjective rules, and even legal limits to what data can be provided. The CEO may not care, but the C-Suite cares a heck of a lot when call center employees are going into overtime, work loads spike, and new software is needed to manage the request since you have so many moving parts no human could walk this through a firm of this size easily.
Never mind internal politics and firewalls that prevent communication also need to be breached or the entire firm is on the hook for huge fines.
I do suspect a judge would be not as crazy as to tell a firm getting hit by 100k requests in a single week that up to then was getting perhaps 10 to 20 requests that they should be fined for not clearing the backlog fast enough when the entire business is shut down more or less just to respond to requests.
Yes the GDPR is that bad for large firms.
This would be fun, IF..
They created tons of data on each individual person..including WHO they sold your data to..
But could be as simple as your name, address, CC#....
My old doctors have a stack of Paper 2" high on all the procedures done. But if you ever go to read it, it's paper that says Simple things.. THEY don't give a blow by blow, of what they did.. WE did this surgery(insert name) and that's about it.. NOT even followup info..
A data base extract is just a long list of games you have signed up to own. GDPR, what info can you demand????
Saying all of it, is too restrictive, as YOU don't know what they have, or have done with your data..
NOW if you went to an advert agency, you might get a list of the adverts sent to you.
Why doesn’t this fall afoul of the “manifestly unfounded” provision?
Hrm
I would have thought this article was about reporting Blizzard for not allowing you to delete your account w/o seeing a/an photo ID.
which would make sense (if that runs afoul of the GDPR)
Two Birds, One Stone
Mass abuse of the GDPR is a sure way to get it amended. Using it to punish a company that deserves it is just icing on the cake. Is there any way to go after the NBA as well?
in other news...
Blizzard has requested all news articles regarding its banning of a Hearthstone player be removed from the EU under a RTBF request after seeing that their company actions had real world consequences.
I can see it now.
