Berrak Su Kodal

Legal Intern

Cloud Gaming: A Legal Assessment


Cloud based technologies are ascending in line with developments in big data, 5G and IoT technologies. The rise of cloud systems as a distribution mechanism has become a factor in game production and one of the significant cloud-based technology is cloud gaming. To be begin with, cloud gaming is a type of online gaming that runs games on remote servers and streams them directly to a player's device, or more colloquially, playing a game remotely from a cloud. In other words, cloud gaming allows players to access games anywhere in the world without having to download the game by utilising the principles of cloud computing.

The cloud gaming market is expected to surpass USD 450 Million by 2023 which is up from USD 45 million in 2017, a nine hundred percent increase in online gaming1.

Followingly, cloud-based games have been raising issues in relating various legal subjects.


Cloud gaming platforms operate in a similar manner to remote desktops and video on demand services; games are stored and executed remotely on a service provider's dedicated hardware, and streamed as video to a player's device via gaming company software. The gaming company's software handles the player's inputs, which are sent back to the server and executed in-game.

The involvement of an additional technical service provider may lead to relocation of legal responsibilities in this regard. It would be necessary to provide legal certainty on liability owner in case gaming services fail: the provider of network connection services or the cloud gaming service provider. Players usually blame latency and connectivity of any eventual error or lag while playing, but with cloud gaming other potential errors emerge such as malfunctions in remote hardware that is processing the game. Regarding these cases, the relevant implementation of Directive 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services ("Directive") might be remarkable. This Directive presumes that the trader shall be liable for any breach or failure to supply the digital contents or digital service, whom shall bear the burden of proof.

When making competitive cloud gaming offers available, also the contractual question of the choice of law and the consideration of mandatory provisions of national consumer protection law also arises.


One of the significant aspects of providing gaming in the cloud is about piracy. It enables to more effectively secure intellectual property rights of the game. Mobile applications and web-based downloads are often easy to decompile, reverse engineer or otherwise decipher, thus allowing for rampant piracy in the industry. Greater security game publishers, and also benefits players as well, as they would likely see the ability to cheat decrease substantially due to the unlikelihood of access to the game's code. Game providers should review their agreements with any hosting companies, including service levels, indemnification, and security.

Another legal aspect that would be interesting to comment relates to the type of licenses that should be granted by publishers to offer these "streaming gaming services". It is possible to claim that cloud-based gaming system will make physical games obsolete and the sector would rather focus on digital games selling, whose format prevents game reselling and offers greater guarantees to developers. In this respect, Sony has announced in its 2019 Q1 financials that the sales of its digital games had surpassed the physical copies for the first time.

Currently, players have also the option to buy a license via internet that enables them to download and play a digital version of the game, however, with the expansion and spread of cloud games, licensees wouldn't need to download the digital content to play a game and they will be able to access such content remotely, as it will be installed in the cloud.


Many modern games, particularly in the online and mobile platforms, are built on the collection and exploitation of data. The rapidly increasing use of data in the modern games industry is due to a number of linked factors. New platforms have arisen, including smartphones and modern web browsers, which make it relatively easy to collect data of all kinds, from an email address to how many times a player has clicked on a particular button during a particular period of time. In this scope, developers need data to make most if not all games these days, but to get that data without attracting legal difficulties, they need to have a basic understanding of data privacy laws because it applies directly to their activities as well.

According to the data protection legislation in both Europe (General Data Protection Regulation, "GDPR") and Turkey (Personal Data Protection Law2, "KVKK") the concept of 'personal data' which essentially is data that, taken on its own or in combination with other data, may be used to identify an individual.

Personal data must be processed lawfully and fairly; be obtained only for one or more specified and lawful purposes; be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed; be accurate and, where necessary, kept up to date; not be kept for longer than is necessary for that purpose or those purposes; be processed in accordance with the rights of data subjects; have appropriate technical and organizational measures taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. One of the latest published decision summaries of Personal Data Protection Board3 (Turkish data protection authority, "Board") has pointed the responsibilities of a gaming company that uses cloud-based technologies to serve their games. Board has concluded that the gaming company is faulty for not taking necessary technical measures to protect gamers data and prevent hacker attacks and implemented TRY 1,000,000 administrative fine.

Besides these criteria to be complied with, there is a problematic issue; data transfer. Considering that cloud computing systems may be established in anywhere in the world, it may transfer player's personal data to abroad. This constitutes an critical point considering the strict data transfer policies the KVKK and GDPR implies. In perspective of KVKK, due to lack of a published safe third country list as of today, data controllers, gaming companies, must obtain every player's explicit consent or obtain permission of the Board with an long application process.


Cloud based technologies are expected to be more of a part of our daily life day by day. It's also established in 11th council of Ministry of Transportation, Maritime Affairs and Communication as 2023 goals to raise awareness about cloud computing, to improve information security mechanisms for the development of cloud computing, and to comply with EU regulations.

Considering latest updates such as Personal Data Protection Board's decision on cloud systems4 clarifies that using a cloud systems may cause data transfers to abroad; Presidential Decree regarding the demand for public organisations to use local cloud systems and new legislative documents such as Regulation on Banks' Information Systems and Electronic Banking Services that obligates banks to move their information data bases from abroad to local services, it may be fair to state that with the global rise of cloud based technologies, Turkey will enter a phase of technological evolution regarding cloud systems. And in this process, it is expected to have more regulations on local cloud systems and eventually obligations of cloud service providers and their obligations in terms of liability and data protection laws.



2. Bardopoulos, Anne Michéle. eCommerce and the Effects of Technology on Taxation: Could VAT be the eTax Solution?



2. Personal Data Protection Law numbered 6698 and dated 16.03.2016 has been published in the Official Gazette dated 07.04.2016 and numbered 29677.

3. Personal Data Protection Board Decision Summary dated 16.04.2020 and numbered 2020/286, published on 23.06.2020 on

4. Personal Data Protection Board Decision dated 31.05.2019 and numbered 2019/157 published on 17.07.2019 on

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.