Part I of the act states:
1 Basic interpretative provisionsDoes this begin to make sense?
(1) In this Act, unless the context otherwise requires—
"data" means information which—
(a) is being processed by means of equipment operating automatically
in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means
of such equipment,
(c) is recorded as part of a relevant filing system or with the intention
that it should form part of a relevant filing system, or
(d) does not fall within paragraph (a), (b) or (c) but forms part of an
accessible record as defined by section 68;
"data controller" means, subject to subsection (4), a person who (either
alone or jointly or in common with other persons) determines the purposes
for which and the manner in which any personal data are, or are to be,
"data processor", in relation to personal data, means any person (other than
an employee of the data controller) who processes the data on behalf of the
"data subject" means an individual who is the subject of personal data;
"personal data" means data which relate to a living individual who can be
(a) from those data, or
(b) from those data and other information which is in the possession of, or
is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any
indication of the intentions of the data controller or any other person in
respect of the individual;
"processing", in relation to information or data, means obtaining, recording
or holding the information or data or carrying out any operation or set of
operations on the information or data, including—
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination
or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the
information or data;
"relevant filing system" means any set of information relating to individuals
to the extent that, although the information is not processed by means of
equipment operating automatically in response to instructions given for
that purpose, the set is structured, either by reference to individuals or by
reference to criteria relating to individuals, in such a way that specific
information relating to a particular individual is readily accessible.
There's a .pdf guide to data protection that the UK government offers; it has tips that are of course pursuant to English law, and as a legal guide it's rather needlessly overstated and cumbersome, but for the curious, it's well worth a read-through.
For our purposes, I'm going to quote a small bit found in section B, on page 42:
This is the first data protection principle. In practice, it meansWhat would this mean for Blizzard RealID provisions when dealing with British citizens? I would interpret it thusly:
that you must:
• have legitimate grounds for collecting and using the personal data;
• not use the data in ways that have unjustified adverse effects on the
• be transparent about how you intend to use the data, and give individuals
appropriate privacy notices when collecting their personal data;
• handle people’s personal data only in ways they would reasonably
• make sure you do not do anything unlawful with the data.
- Blizzard needs to first ensure that they have legitimate grounds for collecting the personal data of each of their subscriptors;
- Blizzard needs to then ensure that they do not use the data in ways that have unjustified adverse effects on the individuals thus identified. Like, for instance, releasing this collected data to the public at large;
- Blizzard needs to then ensure such personal data is kept securely and safely (which I would take to mean, "not release it to the viewing public at large"), and use it only in ways subscriptors would reasonably expect, such as to tie individuals to their individual account. (I believe Blizzard, btw, already does this; it's called "setting up Blizzard accounts");
- Blizzard finally needs to do nothing unlawful with the personal data; like, oh, say, release it wideband to the viewing public.
Does any English player of WoW who might be reading along want to call up the relevant portions and say whether I'm on the right track or not? Because if so, I think every single British citizen who's playing anything that Blizzard currently has out, has full legal grounds to refuse the RealID system, with full expectations of being allowed to use the service completely--which would mean no restriction from posting on the forums.
This could be interesting. Do any other countries which have citizens using the WoW subscription service, or other current gaming services that Blizzard offers, have similar laws?
I'd look, were I you.
Unfortunately, I'm fairly sure America has no such legislation. People can--and do--demand Social Security numbers to be used to tie people to telephone services, cable, furniture rental and medical treatment here, for instance, even though such is stated to be illegal and completely within our rights as citizens to refuse.
Linden Labs even demanded Social Security numbers for age verification. Even though legally, Social Security numbers cannot by law be used as any form of ID.
But for everyone living in saner lands--look up your laws. Think of the class-action suit you could put together, internationally, if even a quarter of all active players signed on. 250,000 voices of complaint, legally backed--think that might make a difference?
[Update: Blizzard's backing down for now. Guess something finally sunk in that this was an insanely unsafe idea. Let's hope it stays that way.]