In a recent mishap, an Epic Games Store user going by the Reddit name TurboToast3000 requested his personal information from Epic Games, which he is entitled to do under the GDPR. Although Epic acted on the request, things quickly went awry on Epic’s end.
If you are unaware of this latest Epic Games debacle, user TurboToast3000 requested his personal info, but Epic Games sent it to a random person.
An Epic Games representative by the name of Arctyczyn confirmed that the situation is true with the following response to TurboToast3000:
Arctyczyn also followed up with this response, claiming that no mailing address, birthday or payment methods are in the report:
Later on, the user put in this precarious position by Epic Games said that he was able to contact the other person:
“I have actually been able to make contact with the other person. He reported it and helped me with some things. So I don’t have a lot of stress anymore. But I got really lucky and Epic’s behaviour is still inexcusable.”
TurboToast3000 continued when questioned about who warned who, and had the following to say:
“I got an email from Epic yesterday. After that I went to Reddit to let everyone know and after a few hours came a DM from someone who said they received the email. WITH PROOF he showed that Epic Games sent him the email and he reported it because of that I was notified. So Epic did oopsie kind sir reported it and at last I knew about it.”
According to the website nichegamer.com, the GDPR (General Data Protection Regulation) is a part of EU law, and since the user is in the Netherlands, a country subject to EU law, punishment for such a breach is applicable. But since the Epic representative says no personal info was leaked, the following is said not to apply in this case, although that is not official yet:
“Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.”
This piece will be updated when Epic Games or TurboToast3000 come forth with additional information on the situation.