One year ago, we made some predictions on legal trends for 2023. Now it is time to look back and see where we have been right (+) and where we have been wrong (-), as well as making some new predictions for 2024.
We’ve got more than a dozen topics to look at, so let’s dive in…
1. Artificial intelligence and copyright
What we predicted (+)
The increasing improvement of artificial intelligence will be a hot topic in legal discussions. One of the major legal subjects will be copyright law. For example, an eleven-year-old has used the AI ChatGPT to create a text adventure in the world of Harry Potter. The art-software DALL-E allows the user to create digital images from natural language descriptions while feeding its algorithm with public datasets.
This will have a particular impact on the design of video game assets in the future, and will raise questions such as who is the owner of AI-generated content and how artists can protect their artworks from being utilized by artificial intelligence.
What happened
Tick. If anything, the topic was even bigger.
AI is already broadly used by game companies for creating IP assets, or at least inspires artists in games companies, especially when it comes to find ready-to-sort stories and screenplays, background and character designs. Accordingly, we haveseen a lot of video games companies (big or small) struggling to establish AI use policies internally in an attempt to limit the risk for unsolicited and uncontrolled landslide use of AI.
We saw some first lawsuits on the protectability of AI output in the US and the UK. The essence so far is that the output of AI is not generated by human beings and therefore does not qualify for copyright protection. On the other hand, the arrangement of various works created by AI may qualify for copyright protection.
AI can also be used as a tool for digging into and scraping onto existing and available works, databases, texts and image sets for generating potentially infringing output. A new court case brought by the New York Times in the US against OpenAI and Microsoft over the alleged infringing use of materials scraped from the newspapers by their AI-based tools has just hit the news. And it sounds like it won’t be the last.
Some data protection authorities (in Italy and Germany, for example) also entered the scene. Italy’s data protection authority was the first, in March 2023, to force Open AI to temporarily suspend its services in Italy due to the lack of proper notices under the GDPR and, primarily, the lack of information on the algorithmic processing of user data (also as an input for training the tool) and the lack of sufficient measures for minors’ protection.
Meanwhile, the German data protection authorities put OpenAI under investigation, sending a list with 44 questions, which is still unanswered. The Spanish Data Protection Authority also opened an investigation.
In December, the EU institutions reached a political agreement on the long and widely-debated AI Act, but the full text has not been published yet. This new regulation is bound to introduce layered obligations according to the risk associated with AI. Games companies are not per se out of scope.
What will happen in 2024
We think that while the discussion has mainly focused on AI-created audio-visual content so far, it may shift to AI-created game code and databases. At the same time, game companies will continue to explore other use cases for AI.
Dan D. Nabel, associate general counsel at Riot Games, confirms:”For 2024, I think AI will continue to be a hot topic for game developers and publishers alike.”
We think that such new use cases may include chat functions (for example,to make NPCs appear more interesting) or level creation, even based on input by players. This could bring the authorities for the protection of minors into play to discuss, for example, how these games should be age rated?
A point to watch: The forthcoming AI Act will be critical about “emotional recognition” and “social scoring.” Such systems can be subject to a ban under the AI Act, meaning they have to be shut down as early as 2024 – more precisely, six months after the AI Act comes into force. However, the specific scope of these bans is still unclear; for example, we will need to wait for the final text to see if some anti-cheat measures could be considered “social scoring.” This will be the focus of discussions in early 2024.
Furthermore, it looks likely, considering the litigation landslide which has already begun in the US and the UK, that continental Europe will see the first Generative AI copyright infringement cases hitting the courts. And it will be interesting to see how judges will deal with those cases also in the light of the potential implications of the text and data mining exception established by the DSM Directive.Rightsholders who don’t want their works to be scraped for AI training should in any event mark their websites accordingly.
2. Online platform regulation
What we predicted (+)
Under the Digital Services Act, it must be carefully examined whether the service is an online platform, as operators of online platforms will have a lot of new obligations – refraining from dark patterns, giving users an explanation on why they have been banned are just two examples. Plus, personalized advertising is strictly regulated – for instance, key parameters must be disclosed, and targeting minors is completely prohibited (i.e. not even allowed with the consent of the users and their parents).
What happened
Games companies have been struggling with the definitions of the DSA. Most games with online functionalities will be affected by the DSA, a few will even be considered online platforms and therefore fall in a bucket with plenty of new obligations. Not all companies seem to be fully compliant yet, but there is still some time until February 17, 2024, when the DSA will fully apply.
In the meantime, the EU Commission has designated very large online platforms; Amazon and Zalando have challenged this designation and the new obligations which come with them. The EU Commission, in turn, was unhappy and publicly criticized that some online platforms published only very, very approximate user numbers on February 17, 2023, such as “less than 45 million.” Very recently, the Commission opened proceedings against X (formerly Twitter) for alleged breaches of the DSA.
The UK, in turn, has – at long last – adopted the Online Safety Act (formerly known as the Online Safety Bill), Korea is regulating online platforms, and the US attempted to do so (but the act has been suspended by the courts).
What will happen in 2024
Games companies will work against the February 17, 2024 deadline to become DSA compliant, trying to navigate among the multiple layers of obligations and duties that the never-so-complex EU framework is now providing for. Still, in 2024, we expect the EU Commission to first concentrate on the high-risk category of very large online platforms, not necessarily on games. Games companies will not get away unnoticed, but may not be the first being targeted in early 2024.
3. Metaverse
What we predicted (+/-)
While the topic might no longer look as hot as it did a year ago, the big players of the Metaverse game certainly have not given up their vision, so the legal challenges remain – and the DSA will not make things any easier. This is also because the DSA and, more generally, the recently enacted EU legislation for the Internet and the digital world, are pushing for an environment where consumer safety, access and interoperability are absolute prerequisites. The EU clearly has the ambition to regulate the internet – and thus the Metaverse.
What happened
The Metaverse did not seem to be a major issue in 2023, maybe even less than what we had expected. On the other hand, the appetite of the EU (and other lawmakers) to regulate platforms was stronger than ever, with the DSA and other platform regulations we have just mentioned above.
What will happen in 2024
Eventually, the new platform regulations will become a big challenge when the Metaverse resurfaces again. However, we don’t expect 2024 to be a “Metaverse year.”
4. NFTs
What we predicted (+)
Many investors into tokenized gaming will lose a lot of money, but some will get very rich. Tokenized games which become successful must expect regulators to look closer, too: tokens might also be regulated under banking laws (the question is whether they are just “utility tokens”).
Taxation is another challenge. The Italian tax authority affirmed on two occasions during 2022 that staking crypto-assets in a digital wallet cannot be held as a tax-exempt activity and that wallet holders are not exempt from paying taxes on crypto transactions even if the ‘location’ of the wallet is outside the country.
Since NFTs are mostly bought and traded via cryptocurrencies, these issues will become crucial, and there might also be other regulatory restraints and concerns.
What happened
Overall, many investors have lost a lot of money with NFTs. In Germany, a food retailer even offered shopping vouchers to disappointed investors as a trade for their worthless NFTs.
In late 2023, discussions arose about the potential risk of tokenized games for youngsters. The game Gods Unchained received an ‘Adults only’ ESRB rating because of its play-to-earn mechanics.
From a taxation perspective, Italy has provided for low-value proceeds derived from microtransactions involving NFTs or digital assets not to concur as taxable income as long as they are below the overall threshold of €2,000 a year; most in-games transactions aficionados would likely stay well below, therefore benefiting from such an exemption. However, NFTs in games have simply not taken off.
What will happen in 2024
In order to be successful, tokenized games might have to look for an audience other than core gamers are casual free-to-play gamers and reach the play-to-win audience. Tokenized games with loot box mechanics, however, might become a target for gambling authorities. The fact that the prize of a loot box usually cannot be turned into money is one of the strongest arguments to avoid being seen as gambling in many EU jurisdictions.
5. Terms of Use / EULAs
What we predicted (+/-)
We expect more enforcement activity with regard to the existing rules, and the Digital Services Act will impose new requirements for Terms of Use for online platforms (please see below) and, partly also for other intermediary services such as using child-appropriate language for services which are directed at or mainly used by minors, and making unsubscribing from a service as easy as signing up for it.
What happened
Enforcement activity regarding Terms of Use on the EU level was lower than what should have been expected, given the new and tight rules and the EU’s ambition that “consumer protection law got teeth.” These teeth have not yet been really used. On the other hand, companies have been working towards DSA-compliance, but many are not yet there.
What will happen in 2024
If teeth have not been shown in 2023 it might have been only because the new legislation was too fresh, and maybe also too complex to digest easily. We should expect teeth to come out more, as soon as both consumers and the competent agencies in the EU member countries will become more familiar and experienced with the new rules in the daily practice.
6. Loot Boxes
What we predicted (+)
The lootbox discussion will not stop. Not. At. All.
What happened
Sony, Electronic Arts, and Valve are under fire in Austria, where courts have ruled that consumers (which were backed by litigation financiers) are entitled to get a refund for the money they have spent on loot boxes.
[Editor’s note: For a more in-depth analysis on the regulations for loot boxes in various markets, read Leon Y. Xiao’s report here]
What will happen in 2024
Riot’s Dan D. Nabel told us:”‘Dark patterns’ investigations will increase, as will scrutiny of monetization methods, including loot boxes.”
We think that it will be interesting to see if the Austrian rulings will be upheld. In this case, claimants – again, backed by litigation financiers – will try the same in other jurisdictions.
However, we expect more outright loot box bans (like in Belgium and as announced in the Netherlands) and more sanctions for game operators (as happened lately in Austria). We also expect a stricter approach against these practices – in particular in case of NFTs or other cash-out options – especially now that the competent agencies will have more and more opportunities to enforce the EU Consumer Package and the new DSA obligations.
7. Unfinished products, product description, onscreen texts, and right of withdrawal
What we predicted (+/-)
Quite frankly, Fortnite may be one of the most popular games of our time but a lot of mechanisms the FTC disliked can be found in plenty of other games. The way being paved by the FTC decision, other games companies will face scrutiny from FTC or other regulators as well. Even though the rules are different, we should certainly expect increased attention and similar action by enforcement authorities across the EU.
What happened
Another important lawsuit was filed in the US on behalf of a 13-year-old child, accusing major game companies to implement addictive practices and predatory monetization in-game.
In Europe, not a lot happened.
A prime example for false promises and an unfinished product was the game The Day Before, which was one of the most-expected game titles on Steam. The promises made in the trailers did not match reality. Shortly after its failed release, the developers announced that the business operations would be discontinued.
What will happen in 2024
We still think these are relevant issues, but the attention for them seems to have gone away quicker than what we had thought. Maybe they’ll stay under the radar for a while.
8. Free-to-play and paying with data
What we predicted (+)
Sooner rather than later, there will be increased enforcement activity regarding ‘paying with data’ but for all companies who have done their homework it should not be a major issue for 2023 anymore.
What happened
Free-to-play and paying with data was not a major issue for games companies.
In other sectors, however, enforcement actions by data protection authorities begin to show impact on the market. Meta introduced an alternative payment type: paying with real money or “Subscription for No Ads,” as Meta calls it.
Meanwhile, Google is slowly moving ahead with the Privacy Sandbox initiative. From January 2024, the support for third-party cookies is to be gradually phased out (this time for real?).
What will happen in 2024
We don’t expect a big change in 2024 from the legislative and enforcement side.
However, it will be more interesting to see to what extent the adaptations to the business model of Meta and Google will have an impact on the games market, especially how the changing business models of the big players will affect the games industry.
Smaller game companies and developers of instant or mobile games could be more affected by this than by enforcement actions of public authorities.
9. Clones and other IP disputes
What we predicted (+)
We expect IP disputes to remain a top trend. Especially in the app stores, copycats of successful games seem to be the rule rather than the exception, and the creators of the original games will continue to enforce their IP rights.
What happened
We think we can make a tick here as well. 2022 ended with Riot Games suing Netease, alleging that Netease’s game HyperFront was an illegal copy of Riot’s Valorant.
2023 ended with a victory for Riot Games in another copyright case: On 18 December, Suga Pte was ordered to pay Riot Games $1 million for copyright infringement. ().
Another interesting decision was the Ninth Circuit’s November ruling on the appeal brought by the choreographer Kyle Hanagami vs Epic Games. The court held that that the dance moves ideated by the plaintiff for the choreography used in a pop song’s video published on YouTube were eligible for copyright protection.
The case appears to be significant, by the way, in the context of the growing cross-media trend, that is bringing video games to dialogue more and more with external IP assets, traditional media and forms of expression. And this is a trend which during 2023 has also brought video games to bring their own IP to the world of television and movies more than ever before (see the record-breaking success of HBO’s The Last of Us series and The Super Mario Bros Movie).
What will happen in 2024
Clones and IP disputes will continue to be a major issue. They might actually be booming due to the use of AI.
Game content created with the help of generative AI will not make disputes any easier; as AI output may not be protected under copyright law, it will be crucial to demonstrate that the essential elements of the game are not AI-generated. As a last resort, unfair competition law or passing off might help the creators of the original to a certain extent.
In addition, the cross-media trend, i.e.more ‘transient’ content from one medium to the other, will likely give infringers more occasions for profit and more loopholes to exploit.
10. Market dominance and platforms
What we predicted (+)
The Digital Markets Act seeks to limit the market power of gatekeepers (such as Google, Apple, and Facebook) to help companies that depend on them – which may include game developers.
However, the Microsoft/Activision Blizzard case might have an even bigger impact. We will learn more on how cartel offices define the relevant markets in the games sector. This will shape how antitrust law is applied on the games industry for years to come.
The relevance of the market definition, however, goes far beyond the Microsoft deal. Dominant companies must not abuse their position and will find it hard to make acquisitions which further strengthen their position. Before being able to determine whether a company is dominant, though, the relevant market must be clear: if the authorities conclude that relevant market is comprised (only) of current-gen consoles excluding Nintendo Switch, for instance, the answer to the ‘dominance’ question will not be the same as if they assume that the relevant market includes all consoles (including Nintendo Switch) as well as PCs.
What happened
A lot!
The Microsoft/Activision Blizzard merger finally got approved by the authorities, a court ruled in favor of Epic in the case against Google, and the European Commission designated the ‘gatekeepers’ under the Digital Markets Act (DMA); namely Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft with regard to their core platform services.
Late in the year, Sony was also the target, in the UK, of a class-action for an alleged abuse of dominant position that would have led to unfair prices for customers.
What will happen in 2024
We will likely see even more of the above now we have the precedents.
There is just one thing: The precedents are as high-profile as precedents get, but one might argue that at first sight, they look more surprising than convincing. The Microsoft/ABK merger took so long to get through as authorities were concerned that Microsoft might become dominant in the gaming space because of one title, Call of Duty… and they saw cloud gaming as a major point of concern, even though it represents only about 1% of the worldwide gaming market… really?
Let’s put it like this: few people we have talked to in the gaming space would have expected that the Sony could convince the authorities of these arguments.
Similarly, Epic scored a much greater victory against Google than against Apple – many will say that antitrust law still lacks predictability (but obviously, it was two different trials at different courts and with different evidence).
Arguably, the most interesting issue with regard to platform dominance, though, is how the gatekeepers under the Digital Markets Act will react. The DMA is clearly designed to break the power of their core platform services – the most relevant core platform services for games companies are arguable Android, iOS, Windows and Facebook, Apple’s App Store and Google’s Play Store, along with the advertising services of Google, Amazon and Meta. So if the DMA does its job as intended by the EU, it will shift the power from the gatekeepers to app developers, for example.
As the obligations under the DMA are strict and designed to be game changers, it is hard to imagine that the gatekeepers will not do their utmost to fight against it.
Accordingly, one general counsel told us that he expects “fights over DMA implementation in Europe with far reaching consequences to the industry and revisiting regulation over advertising in interactive entertainment” to be the hot topics for 2024.
11. Youth protection beyond blood and violence
What we predicted (+)
Online games and free-to-play games companies in particular will have to watch the new developments very closely. These games rely on mechanics which keep users engaged (also financially), and it is just these mechanics that are under examination.
What happened
The topic has been high on the agenda internationally, as expected. The Online Safety Act (formerly known as the Online Safety Bill) has been passed, the German Age Rating body USK has fine-tuned how they deal with interaction risks (i.e. in which cases they have an impact on the age rating and in which cases those risks are only dealt with in descriptors).
What will happen in 2024
The regime will get ever tighter. Notably the EU Regulation to Prevent and Combat Child Sexual Abuse which is coming up on the horizon is set to bring new obligations for communication features.
Additionally, one European general counsel told us that he was concerned about a “risk of a potentially emerging fragmented regulation of parental control tools for connected devices in the EU that may affect the games industry.”
He added: “If several EU Member States adopt national requirements on the same subject, which may contradict each other, the Single Market and the free movement of goods within the EU could be at risk.”
12. Data protection (+)
What we predicted
Games companies will have to keep up their efforts, even if data transfer from the EU to the US might, becomes a little easier with a bit of luck.
What happened
The EU-US Data Privacy Framework was adopted – and made, as we predicted, data transfer to the US easier, as far as the US company receiving the data is certified under this agreement.
In early December, the European Court of Justice has emphasized that the automated credit scoring (concerning the probability of being a reliable debtor) is considered as “automated individual decision-making” within the meaning of Art. 22 GDPR. This ruling may have important consequences that go beyond the individual case (for example, for the automated banning of players).
Oh, and in 2021, we predicted that 2022 will be the year when we see the first large GDPR case against a games company. When our 2023 article was published in January 2023, we thought that our prediction had been wrong. In fact, it was correct. The French Data Protection Authority had imposed a fine on Voodoo in 2022, but this only was made public in early 2023, after our article had already been published.
What will happen in 2024
Mr Schrems, the Austrian gentlemen who made the European Court of Justice cancel the existing instruments for data transfer to the US (i.e. Safe Harbor and Privacy Shield) will certainly not give up his fight and tackle the EU-US Privacy Framework. Groundhog day!
13. Esports
What we predicted (+/-)
Key issues will include visa and late working hours of (partly underage) esports athletes, tournament rules (especially in the light of consumer protection law) and privacy law (when commercially marketing the tournament), match-fixing scandals, and inappropriate behavior by (semi-)professional esports athletes and stakeholders.
At least some of these will surface and be more widely discussed in 2023.
What happened
Not as much as we expected.
However, the Esports Integrity Commission (ESIC) had to impose disciplinary actions on a number of esports professionals including lifetime bans for severe violations of the ESIC Code of Conduct and Anti-Corruption Code. Additionally, there were quite a few bans against cheating esports athletes.
Riot Games has introduced salary caps that shall apply for future seasons of LEC and LCK to support the long-term financial stability and the competitive balance. Furthermore, Riot Games amended its Esports Code of Conduct, setting strict regulations on the use of substances. The Code of Conduct contains regulations to ensure integrity in esports by preventing conflicts of interest and providing a safe environment for every individual involved.
What will happen in 2024
Match-fixing and cheating will remain one of the most important matters when it comes to the integrity of esports. Alongside, we predict that there will be discussions on the principal legal admissibility of esports betting and, as every year, on the non-profit status of esports organizations in Germany. At this point, we would like to bet that little will happen in this regard either.
What we did not foresee
1. Unity
Unity managed to upset almost their entire customer base overnight when announcing a new payment model: the runtime fee. Developers were in a rage, asking questions on whether this radical change was in compliance with legal standards, especially on Terms and Conditions. It was also debated whether Unity’s unliateral change was the abuse of a dominant position (keeping in mind that developers cannot easily switch to another engine), and how it was possible to reliably track the user numbers while respecting privacy law. Before those legal issues could have been discussed in depth, Unity stepped back, but the reputational damage is done (and the CEO is gone).
2. Labour law
The search for talent is still not easy, and games companies are taking great efforts to hire key personnel, and often let them work from wherever they want – despite the HR and Labour Law issues that creates. At the same time, in 2023, there were mass dismissals at many games companies who, after a boom during the pandemic, have adjusted to “normal” growth rates again. Also, an amazing number of top execs left or had to leave.
3. Leaks and cyber attacks
Publishers had a lot of issues with leaks and cyber-attacks in 2023. Not all leaks occur upon criminal intent. Sometimes, there are human mistakes as it was the case with Microsoft’s data leak during court proceedings. However, cyber-attacks remain to be a major concern of game studios.
Enforcement is not always easy. However, if there is sufficient intel, it can be worth chasing down the infringers.
New Trends
Clash of regulations
It seems like whenever something potentially unwanted draws public and political attention, we get new regulations. In the EU, in recent years, we already got GDPR (on the protection of personal data), the geoblocking regulation, the consumer law package (Omnibus Directive, Digital Content and Services Directive), the Digital Markets Act (aiming to tame the gatekeepers), and the Digital Services Act (aiming to tackle online harms of various kinds).
We’ll get the Data Act (with a focus on sharing personal and non-personal data, which can be a friend and a foe for games companies, forces to share data and facilitates switching between cloud service providers), the AI Act (as the name says, to regulate artificial intelligence), the Cyber Resilience Act, and theChild Sexual Abuse Regulation, to name but a few.
Not only is it difficult for anyone living outside the Brussels EU bubble to keep track of what is going on, and for anyone (including Brussels EU insiders) to correctly understand the often badly-drafted laws, but there often is an inherent clash between the aims pursued.
For example, to best protect children (or any other player) from online harm, companies might be tempted to survey in-game communication – which is not exactly what GDPR wants (but can be done, to a certain extent, if done properly). Similarly, for youth protection and age gating there can also be a conflict with GDPR.
Finally, the Data Act wants to foster data sharing in the market (also among companies) – but GDPR often restricts just that. Still, companies offering connected products and related services might have to disclose data, and other companies might benefit from it.
Now, these were just the clashes between different EU legal acts. However, other jurisdictions regulate similar issues in a similar, but not identical way – this makes it very difficult for companies to comply with all regulations.
To give just one example: until very recently, for COPPA compliance, the FTC had suggested to ask the users for their birthdate; in contrast, EU data protection authorities question the necessity (and thus legality) to ask the users for their full birthdate.