Lately, mailboxes have been bombarded with emails about subscription settings and options following the new General Data Protection Regulation (“GDPR”), which came into effect on May 25th, 2018. It requires EU citizens’ concessions whenever their personal data is used. GDPR’s underlying objective is to prohibit the uncontrolled collection and handling thereof. “Personal data” has a broad scope, describing any content that makes an individual identifiable (either directly or indirectly). The text of the Regulation provides a non-exhaustive list of what may constitute personal data, including a person’s name, location, ID number, and video footage. Such information may only be gathered, processed, and used when a business proves legally permissible grounds for doing so.
Yes, GDPR is now binding and yes, it is directly applicable in all European Union member states in order to effectively harmonize legal guidelines. Further, the obligations and responsibilities laid out in the Regulation also apply to third-country companies (outside the EU, regardless of their location) when they offer services or goods to, or use personal data of, living European individuals.
- Data consent: Websites and contact forms must ask individuals for consent to use their data. This is why we witnessed a flood of re-subscription notifications to newsletters within the past weeks. Responsible handling of data is key, demanding secure, transparent data use which is also limited to a detailed ‘purpose of legitimate interest’. When a business collects an audience’s/viewer’s data, it is allowed to do so only if it has a legitimate interest in processing. In the context of audio-visual content, Europeans will need to first sign waivers or consent forms that unambiguously state which data is collected and processed. Generally, no business may argue that consent is implied for a bundle of personal data uses.
- Right to access and right to know when personal data has been hacked: Individuals must be informed about how their data was obtained, how it will be used/processed, as well as when serious data breaches occur.
- Right to be forgotten: As owners of their personal data, natural persons may enforce the right to be forgotten by requiring companies to delete the information. This gives norm addressees control over data that might be stored.
- Right to data portability: EU citizens have the right to data portability, meaning transmission of personal data between service providers (for instance, this allows individuals to take data from one social network to another or to prohibit automated data processing).
- Sanction: Non-compliance is massively sanctioned with up to 4% of a business entity’s worldwide annual turnover or €20 Million (whichever is greater). As of May 25, 2018, GDPR is fully enforceable; there is no grace period!
- Accountability principle: the regulation applies to both controllers and processors with the consequence that data in “clouds” won’t be exempt from GDPR enforcement.
On a practical level, compliance with the obligations and responsibilities will be much more complicated than one might hope. Since each member state is required to enact (if it hasn’t already done so!) national norms and implement an enforcement authority, details of enforcement are up to the EU member states.
Now, how does the general tenet of creating digital democracy along with greater data protection play into matters in the entertainment/media field, specifically the audiovisual sector? Entertainment/media businesses (“E&M” companies) are heavily impacted as most of the players in the industry are monitoring customers’ behaviors (behavioral targeting, profiling) in order to monetize on the statistical analyses by providing tailored and new services. Moreover, all data in connection with film crews, talent, and other parties involved in a film or TV project, like payment or tax information are subject to the new rules. Further, cinema chains will likely be considered “controllers” and are responsible to adhere to the GDPR policies too.
Article 85 states that “member states shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.”
It further says that national legislation may provide for certain exemptions and derogations to safeguard the different scopes of the right to freedom of expression and information.
Additionally, pursuant to recital 153, reconciliation of “(…) rules governing freedom of expression and information, including journalistic, academic, artistic and/or literary expression, with the right to the protection of personal data, this should apply in particular to the processing of personal data in the audiovisual field and in news archives and press libraries.”
Consequently, balancing out fundamental rights ultimately lies with each member state.
Essential conclusions for audiovisual content
- Lawful management of filming and photographing requires concrete(!) consent of concerned persons (e.g.: registration forms with information including the signed consent of whoever appears on . This also applies to the use of such videos/photos on a website: specific consent is necessary.
- Tandem measures are prohibited, meaning a certain service (for instance the participation in an event) must not be coupled to a consent-obligation for data use. This plays an important role at events where a sign at the entrance says that all attendees must be aware that they might be filmed and photographed. Such informational signs will not constitute implied consent!
- Any company using audiovisual media content must show “legitimate interest” to continued use of data even if the individual withdraws consent (for example when a company has built its marketing and branding strategy around content in which a person appears and now withdraws consent)
- Application information or collection of data for the fulfillment of the purpose of an employment contract (with a casting agency for instance) must be deleted after the end of the statutory period unless the concerned individual has explicitly agreed to data retention.
Summarizing, entities should take preventive measures by conducting a data protection audit, educating employees internally, and redesigning existing operating models in order to accurately the international framework. Automatically embedded “opt-in” consent is not allowed anymore. Companies have to obtain specific and express consent, as well as offer user-friendly options to withdraw consent. Obviously, there is a lot of work to be done in order to comply with the GDPR, but on the flipside, businesses may choose to improve the brand’s relationship with customers by showing how they will benefit from the strategic application of marketing databases for instance. Hopefully, not too many businesses will block EU visitors from websites.
Resources to better understand GDPR and its impact:
- EU’s official GDPR homepage
- Regulation (2016/679) of the European Parliament and the Council of April 27, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
- Communication from the Commission to the European Parliament and the Council
- New York Times – Opinion: Europe’s Data Protection Law is a big, confusing mess
- Datenschutz in der Film- und Medienwirtschaft–Österreich