You are a startup and have a fantastic tech team, ably supported by a creative content team and publicized by a fantastic squad of new age social media whizkids. What can go wrong? As you launch your first game, it is a hit with millions of downloads and hundreds of thousands of active users per day. You are looking for Series A funding, the sky is blue and the grass green.
Now starts the process of due diligence, where apart from the financials and tech, legal issues come centerstage. Here, hard questions are to be answered. Are you ready for them?
And if this is not enough, brace for GDPR and PDPR (India, in the near future) compliance, taxation (including GST) and miscellaneous other laws including the Prize Money Act, the Gambling Act, FEMA and the like.
But wait, the intention for telling you all this is not to scare you, but to make you aware of the larger regulatory and legal frameworks which operate in your line of business. This article introduces you to some of the legal aspects of the gaming business and helps you traverse the maze. We pick up some important issues and try to create a roadmap which can help simplify the seemingly complex legal configuration.
SKILL VS CHANCE
The differential treatment accorded to games of skill and games of chance, with the former permitted and the latter prohibited, has been a historic feature of Indian law.
Chance is defined as the act of risking something of value for a chance to win a prize. Chance, mutual consideration and prize are essential for an activity to be considered gambling. The absence of any one of these elements may mean that the activity is not of a gambling nature.
Whereas, a “game of skill” is one where success depends principally upon the superior knowledge, training, attention, experience, adroitness, personal attributes and capabilities of the player. It is a game in which, while the element of chance cannot be entirely ruled out, it is the element of skill on the part of the participants that plays a dominant role in determining the outcome of the game.
With the entire world adopting data protection regulation and introduction of GDPR, the concept of data protection by design and by default has been signed into law. ‘Privacy by design’ is a value sensitive design approach that focuses specifically on privacy. This approach provides for high-level guidelines in the form of principles for designing privacy-preserving systems. These principles have at their core that data protection needs to be viewed in proactive rather than reactive terms, thus making privacy by design preventive and simply remedial. It is essential for entities to adopt the Seven Foundational Principles of Privacy by Design while developing an application or product:
1. Proactive not reactive; preventative not remedial
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality – positive-sum, not zero-sum
5. End-to-end security – full lifecycle protection
6. Visibility and transparency – keep it open
7. Respect for user privacy – keep it user-centric
WHAT RULES GOVERN ADVERTISING ON THE INTERNET?
Under the Indian legal regime, the Cable Television Networks (Regulation) Act, 1955 (“Act”), the Press Council of India Act, 1978 (“PCIA”), and Cable Television Networks (Amendment) Rules, 2006 (“Rules”), among others, are the principal legislations which control the content of advertisements to ensure that they should not offend morality, decency and religious susceptibilities of the consumers. The Cable Television Rules, 1994 prohibits the advertisement of gambling activities, however, exempts the advertisement of games of skill such as horse racing, rummy and bridge.
USING THIRD-PARTY AND OPEN-SOURCE PRODUCTS
One should carefully read the licence that comes with the open-source or third-party software or component intended to be used. The terms of licensing will clearly define what can or can’t be done in a commercial context or what one is required to do.
If you don‘t understand the terms of the licence, consult a lawyer who can simplify and explain, and also help you protect your interests and IP at the stage of commercialization.
Primarily, there are some common sense approaches one needs to bear in mind while making commercial use of open-source software. Do not plagiarise, be ethical and moral in your conduct, and the rest will be fine.
1. If your ‘new’ software is simply modifications and changes to existing open-source code, it may count as a “derived work”. Here what can be done will vary a lot by particular licence (GPL/MIT), etc. You need to check the licence conditions about derived works. Usually you cannot make it closed source and it’s not permissible to try to release your software under a different licence from the original one.
2. If it is intended to use an open-source component as a library, in compiled form (.dll or .so), it is incumbent to mention in the ‘about box’ and in the LICENSES.txt for the software you’re using. You are also supposed to include a copy of its original licence in description.
3. If a static compiled-in library is used, it is a slightly grey area, but generally it’s permissible, as long as you clearly mention what you’re using and include a copy of its original unmodified licence.
GAME CONTENT REGULATION – PEGI/ESRB
As of today there is no video game content rating regime or regulation in India. However, if one intends to make a game for the international audience, one needs to be familiar with game content rating systems used in different geographies worldwide.
The international video game industry has seen attempts ranging from credible self-regulation to governmental attempts at the effective regulation of content in the games. The International Age Rating Coalition (IARC) 2013 is an initiative aimed at streamlining acquisition of content ratings for video games, from authorities of different countries. The Entertainment Software Rating Board (ESRB), established in 1994, is an American self-regulatory organization that assigns age and content ratings to consumer video games. The Australian Classification Board (ACB or CB), established in 1970, is an Australian government statutory body responsible for the classification and censorship of films, video games and publications for exhibition, sale or hire in Australia. The Game Rating and Administration Committee (Geimmul Gwalli-Wiwonhoe; GRAC) is the South Korean video game content rating board. A governmental organization, the GRAC rates video games to inform customers of the nature of the game contents. These regulatory attempts have brought much needed sanity to the video game space. But in the absence of regulations, the arena remains open to wide interpretation in India.
For securing companies from cyber attacks and avoiding punishments, fines and penalties under data protection norms and reasonable cybersecurity requirements, it is prudent for companies to demonstrate that they have a lawful basis for processing, that they are following data processing principles, and implementing appropriate technical and organisational measures to keep personal data protected.
Recently, Tel Aviv-based threat intelligence firm Kela decided to investigate the top 25 gaming companies. It was discovered that 500,000 breached employee credentials and a million compromised internal accounts were available on the dark web. It is thus advisable that gaming companies invest in ongoing monitoring of their digital assets across the dark web, as well as enhanced staff training on things like password management and the deployment of multi-factor authentication and set processes for handling post-breach scenarios, keeping in mind the requirement as per the jurisdictional law and regulations.
The gaming industry, especially mobile gaming, is geared up for a boom in India. With unique advantages in terms of tech as well as creative aspects, it presents a multi-billion dollar opportunity for startups and veterans alike.
When any business creates value, there is an increased possibility of litigation due to different interpretations and understandings of the rights and obligations involved. Legal risk can be very severe as it can bring unprecedented costs and delay the company’s progress. A prudent approach is to navigate and chart this maze carefully to secure one’s intellectual property, without infringing on others’, understand nuances from content regulation to taxation and export earnings, and privacy compliances to data breach procedures. It is said, a stitch in time saves nine; here, it can save millions.
Brijesh Singh, IPS, is an author and IG Maharashtra. Khushbu Jain is an advocate practising before the Supreme Court and a founding partner of law firm Ark Legal. The views expressed are personal.