From the very beginning of this disastrous event, there were only several valid arguments regarding how critical this issue is. Unfortunately those arguments were written by users with an IT background. It can be noticed that I wrote unfortunately. It was written because the IT field is debatable over the internet since almost everyone considers themselves fully IT initiated by turning on their PC. However, there were no arguments from the legal point of view, or at least none that I’m aware of. Therefore, below is an analysis regarding Valve’s Privacy Policy Agreement and Directive 95/46/EC of the European Parliament and of the Council.

Valve’s Privacy Policy Agreement

  1. The first paragraph contains the following information: “Valve recognizes the importance of protecting information collected from user”. Therefore, you have to understand that your information is valuable.
  2. The paragraph entitled “Personally Identifiable Information” defines what kind of information represents personally identifiable information: “such as name, address or credit card number”. Your phone number is categorized under “address” but the important part, regarding European users, is the 95/46/EC Directive mentioned by Valve, which will be analyzed separately.
  3. Further, the paragraph entitled “Storage and Security of Personally Identifiable Information” contains several important terms, such as: controlled, collected, processed, and stored. The phrases containing such terms are the following: “Personally identifiable information provided to Valve by customers in the EU is controlled by Valve S.a.r.l, with place of business set out below. Personally identifiable information provided to Valve will be collected, processed and stored by Valve Corporation in the United States.” The mentioned terms are important in defining Valve’s position of: controller and processor. Additionally, Valve mentions in the same paragraph that it “has taken reasonable steps to protect” the user’s information, “including, but not limited to, setup of processes, equipment and software to avoid unauthorized access or disclosure of this information”.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

According to Article 2, “personal data”, “processing of personal data”, “controller”, “processor” have the following meaning:
“(a) “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
(b) “processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
(d) “controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
(e) “processor” shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
(h) “the data subject's consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

There are two important points which have to be understood:

  1. data subject ≠ controller; processor;
  2. controller determines the purposes and means of the processing, while the processor processes personal data on behalf of the controller.

The importance of highlighting the obvious boundaries is given by the fact that some companies out there like to think about you as the controller and not as a data subject, while they are only a processor. Regarding Directive 95/46/EC, it can be noticed that the lawmaker didn’t feel the need to define the “data subject” because of the obvious and uninterpretable meaning of the term in the Directive.

Article 3 defines the scope of the Directive 95/46/EC, “[t]his Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.”.

Article 17 states that “the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”. Furthermore, “the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures”.
I already mentioned earlier, when analyzing Valve’s Privacy Policy Agreement, that Valve acts as a controller and a processor.

Article 23 clarifies that “any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.”. Furthermore, the “controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.”.
Regarding liability, force majeure and casus fortuitus are out of discussion since the event was: predictable, and preventable.

As a side note, the Directive, on a general scale, has the following characteristics:

  1. requires EU countries to achieve a certain result but leaves them free to choose how to do so;
  2. provisions of the directive are unconditional and sufficiently clear and precise;
  3. provisions of the directive give rights to individuals.

Documents regarding the analyzed information can be found on the following addresses:

  1. Valve’s Privacy Policy Agreement
    http://store.steampowered.com/privacy_agreement
  2. Directive 95/46/EC (available in Bulgarian, Spanish, Czech, Danish, German, Estonian, Greek, English, French, Croatian, Italian, Latvian, Lithuanian, Hungarian, Maltese, Dutch, Polish, Portuguese, Romanian, Slovak, Slovenian, Finnish, Swedish)
    http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1451591278626&uri=CELEX:31995L0046

All in all, Merry Christmas and a Happy New Year!

TL;DR

  1. Valve had to implement appropriate technical and organizational measures to protect personal data against: accidental, unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing;
  2. any person who has suffered damage is entitled to receive compensation from Valve for the damage suffered.

Update #1

The term "indirect" has to be understood, when referring to a judicial discussion, as a process in which deduction takes place, to be more precise, a process based on an inference. Therefore, in this case, an individual is identifiable indirectly by internet specific factors, such as: e-mail, username and other elements which were exposed.

For more information regarding the term "indirect", refer to:
https://www.nycourts.gov/judges/cji/1-General/CJI2d.Circumstantial_Evidence.pdf

Regarding the Directive, the act operates under the Community Law.

8 years ago*


Reserved.
Posted on steam discussions also: http://steamcommunity.com/discussions/forum/0/458604254455176627/

8 years ago

  1. Nice to see someone is doing some research on this topic.
  2. Is there a tl,dr; please?
8 years ago

Sure. Will come back in several minutes with a tl;dr.

8 years ago

TL;DR

  1. Valve had to implement appropriate technical and organizational measures to protect personal data against: accidental, unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing;
  2. any person who has suffered damage is entitled to receive compensation from Valve for the damage suffered.
8 years ago

Oh, I knew that already, but thanks for your hard work. What I do not know is if anyone will force Valve to do what they are supposed to do now.

8 years ago

Sure, glad to help. The whole purpose of this topic was to actually answer some questions, such as: Is my data valuable? Is anyone responsible for the data I provide? Am I entitled to receive compensation for the suffered damage?

Regarding Valve, the action of informing users regarding their rights should be more than enough to get them thinking. The real question is, what is the % of users that understand what I have written? In the meantime, random users with level 0 create topics on steam discussions just to kill my topic. lel

8 years ago

Valve needs to get their shit together and fast. They are really acting like they are a small indie dev team and not the largest game store in the world.

I can understand that they, as a developer, like their flat organisation, and they can keep it for their dev team; but steam needs to have a dedicated team that works on it, including a special section for a 24/7 support, and that has to be a serious team with a serious organisation and responsibilities.

Yeah, we like them because they left M$ to make HL1, because they embraced mods and that led to CS/TF2/Dota2 and so on, they gave us great sales and made it possible for people around the world to purchase games for a fraction of their retail price, they enabled indie devs to sell on steam... gave us free TF2 and Dota2... all is great... but being cool is not the same as being a responsible company that can be trusted.

They start to remind me of one of those cartoon "college friends you used to know" types, one that wants to party when you want to party... but then also when you want to pass the exams, when you want to get married and have kids, when you want to die... they always want to be cool and hip, even after a hip replacement.

8 years ago

They're ok with this as it is. The main user targets on Steam are kids. I wouldn't have expected more than "Since no private data was shown it is irrelevant". Big guys don't have time for this. I've written these two word pages on a coffee break.

8 years ago

Got a shorter version? Or a conclusion in few sentences? =).

8 years ago

Heya Bladito, posted a tl;dr.

TL;DR

  1. Valve had to implement appropriate technical and organizational measures to protect personal data against: accidental, unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing;
  2. any person who has suffered damage is entitled to receive compensation from Valve for the damage suffered.
8 years ago

Thanks.

So this means... all those posts saying "don't log into steam" were evil and they prevented me from getting free Half-life 3. Damn you cautious people! :P

8 years ago

Don't forget: "They are just human so deal with it. They can't fix everything, they have families too".

8 years ago

i can't afford gta 5, i cried all night over it, you think i can sue for damage ?

8 years ago

We should get one free month of steam plus subscription.

8 years ago

i'll demand a csgo skin from valve.

worth at least $0.50

8 years ago