When Hyrule Meets the GDPR: A Digital Privacy Quest in 'The Legend of Zelda: Tears of the Kingdom'
Or, how I use 'Hero's Path Mode' to navigate through controller privacy obligations for fun and the lulz.
Loyal readers may remember that a May Bits & Bobs issue linked to an article on the elegant bridge physics found in The Legend of Zelda: Tears of the Kingdom (TotK). As I mentioned at the time:
[TotK is] a breathtaking open world … and the development of the game, particularly its physics engine is so good that it gives players many different ways to play the game. Rather than forcing users into discovering the single solution to a puzzle or quest, TotK is extremely open-ended -- meaning that two players might solve a puzzle in very different and surprising ways.
David and I have been playing TotK almost daily since we got it, and there are always new delights, thoughtful puzzles, and unique challenges that we discover in-game. That said, I never expected to see a data protection-related puzzle in TotK.
Heads up: There are mild spoilers in this post so if you’re spoiler-averse, you might want to skip this until after you have fully updated your Purah Pad.
The Purah Pad is Like Google Maps With Way More Features
In TotK (as with all Zelda games) you play Link, hero of the realm of Hyrule, protector of Princess Zelda, and solver of an inordinate number of puzzles and quests. Since TotK is massive and split across three levels (air, land, underground), you definitely need a map. The game map is presented to you and Link via a device called a Purah Pad, which is unlocked early in the game. Unsurprisingly, it looks an awful lot like a much more blingy Nintendo Switch.
In addition to general map functionality, the Purah Pad is useful for a number of important in-game tasks (like the adventure log). As you and Link progress through the game and complete the main quest line, new features become available in the Purah Pad, such as the ability to fast travel to specific locations, view profile details of NPCs Link has interacted with, and a compendium of objects Link discovers and photographs in the world. Upgrades to the Pad are done by an NPC named Robbie, who works for Purah, the director of the Hateno Ancient Tech lab, and inventor of the titular Purah Pad.
One of the upgrades Link receives is something called ‘Hero’s Path Mode’. Hero’s Path Mode allows you/Link to trace his steps throughout the game, somewhat like a Google Maps timeline. But unlike Google Maps, Hero’s Path Mode also shows all the times Link has died along the way.[1] In addition to deaths, the Purah Pad also presumably tracks other vital information like Link’s body temperature, overall health, and stamina, though this information is only shared on the HUD and not in the Purah Pad itself.
When Link first receives the Hero’s Path upgrade, Robbie casually drops the fact that the Purah Pad has been spying on you/Link the whole damn time.
Did Robbie Violate the (H)GDPR?
There’s a parallel here to the real world, of course: Like so many apps we install on our smartphones that track our every movement and rarely come clean about it, Robbie mentions almost in passing that the Purah Pad has been recording Link’s location since he began his quest to save Zelda, all without Link’s knowledge or consent.
For fun, let’s pretend that Hyrule has its own version of the EU General Data Protection Regulation -- we’ll call it the Hyrule General Data Protection Regulation (HGDPR). And because we’re talking video-game logic here and this post isn’t very serious, let’s pretend that the HGDPR mirrors the EU GDPR 1:1.
We’ll start with Articles 12 and 13 of the HGDPR. Robbie (or likely his employer, Purah), as the presumed data controller, must “in a concise, transparent, intelligible and easily accessible form, using clear and plain language,” provide information to Link about how Link’s data is being processed. Now, Robbie can do this orally, which he sort of did here, but he failed to give all the details required under the HGDPR (which are spelled out in Article 13). This would be pretty easy to do, if Robbie had only shared the Purah Pad’s privacy notice, but I doubt he or Purah bothered drafting one. If they had, the notice should have included:
What information is being collected, stored, shared or otherwise processed about Link. Obviously we know that the Purah Pad is collecting Link’s location and vital/health information (dying is, in some sense, health data after all), as well as his number of hearts, stamina levels, and body temperature, but it’s possible that the Purah Pad is collecting even more information than what we know.
The purposes for collecting, storing, sharing, or otherwise processing Link’s data, including the legal reasons (or lawful basis) for doing so. Here, I would suspect that Robbie/Purah is falling back either on some sort of implied contract with Link (Article 6(1)(b)) or on his own legitimate interests as a controller (Article 6(1)(f)) for processing Link’s precise geolocation information. If it’s the latter, he’ll need to honor objection requests made by Link and stop collecting all that data. That said, I’m not entirely sure that Robbie even has a lawful basis for collecting Link’s vital information under Article 9 HGDPR, as none of the bases really apply here. Curious if folks in the comments have thoughts on that one.
Details on who receives Link’s personal data. Are Link’s location and vital information self-contained in the Purah Pad, or is this information being shared with other NPCs or stored somewhere else? Are those recipients located outside of the Kingdom? If so, does a valid mechanism exist (e.g., adequacy with other Kingdoms, or Hyrule Data Protection Authority-approved contracts) to transfer Link’s data?
Information about who Link can complain to. How can Link contact Robbie/Purah and the Hyrule Data Protection Authority (or its equivalent)?
How Link can exercise his rights. Under Articles 15-22 of the HGDPR, Link has certain rights, including the right to request access to, erase, and correct his data, the right to object to and/or restrict processing by Robbie/Purah or others, and the right to know whether any of his data is being used to make decisions about him in an automated way.[2]
Now, there is one additional element under the HGDPR that Robbie did mention — that Link’s data would be retained for “up to 256 hours”, or 32 days total. This is presumably 256 hours of (human) play time as opposed to in-game time, but it’s a bit ambiguous. That seems quite reasonable to me.
Should Link ever complain, or the Hyrule DPA catch wind of these HGDPR violations, Robbie or Purah might face various sanctions under the HGDPR, including administrative fines and penalties of up to 20,000,000 rupees (the in-game currency), or 4% of Robbie/Purah’s worldwide turnover. Or like Meta, they may be forced to stop processing Link’s location information entirely. Though given the state of the Hateno Ancient Tech Lab there, I’m not entirely sure any of those outcomes are likely.
Obviously, this isn’t a serious post, and there are plenty of additional data protection questions that could be explored (for example, are Bokoblins and Lizalfos data subjects? Could they object to being photographed for the Compendium? What about data portability rights?). Still, I hope this amusing little analysis encourages folks to play TotK, and to think about data protection a bit more broadly than we normally do.
[1] When Link dies in the Hero’s Path screen, he lets out a Wilhelm Scream, which is actually quite hilarious when you’re really bad at the game like I am and die constantly every 5 minutes.
[2] Let’s pretend, for example, that Hyrule Assurance Holdings, Ltd. (HAH) needs to determine whether to renew Link’s life insurance policy. They use an automated mechanism to calculate whether a policy should be approved, with no human (or elven) review. If it’s contingent on a player’s abilities (i.e., me), I’d guess given the sheer number of times he’s died so far, they’d take a hard pass, and that would create a ‘legal effect’. He would have the right to seek elven review in such cases.