by Nancy Wolff, DMLA Counsel
You may have noticed an increase in urgent messages from companies updating their privacy policies in anticipation of the upcoming deadline to become GDPR compliant. “GDPR” refers to a new European Union law – the General Data Protection Regulation that goes into effect on May 25, 2018. This regulation strengthens the privacy rights of individuals living in the European Union (not only E.U. citizens) and applies to anyone who does business with those persons, even if that simply means collecting data for marketing purposes.
Privacy is becoming more and more of a global issue, and the E.U. is leading the way in attempting to protect personal data. The policies behind the GDPR aim to increase transparency, in terms of both what personal data is collected and how it may be used, and the accountability of those who maintain and use that personal data. The regulation is complex and extensive and includes steep penalties for those who are not compliant – up to €20,000,000 or 4% of global revenue from the previous year, whichever is greater.
But before you think the solution is to simply exclude all European residents from your client base, or have a panic attack, it is important to recognize that the E.U. “privacy police” are unlikely to expect immediate full compliance or have the operational capacity to scrutinize every business transacting with E.U. residents. Your goal should be to reevaluate your privacy practices to be as compliant as possible given your type of business and your use of personal data.
At its highest level, the GDPR requires any company who collect personal data to maintain it securely, and to provide transparency in what ways it may use the personal data. The definition of “personal data” is quite broad and includes anyinformationthat relates to an identifiable person. See GDPR, Art. 4, Sec. 1. The individuals whose data is collected are called “data subjects.” See GDPR, Art. 4, Sec. 1. Those who collect data are called “controllers.” See GDPR, Art. 4, Sec. 7. Those who process data for controllers are referred to as “processers.” See GDPR, Art. 4, Sec. 8. Any content library with contributors, distributors, customers and model releases, is a controller and needs to keep its records that contain personal data secure.
The privacy notice should address the following to sufficiently inform the data subject:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
Further, if someone from the E.U. requests information about the personal data you collect, you have an obligation to respond to requests within 1 month and may not charge the data subject for responding. You also need to give the E.U. resident the ability to update that information and the ability to remove the information if there is no legitimate reason to maintain that personal data.Additionally,any data breach of personal information must be reported within 72 hours.
Individuals subject to the GDPR can enforce these new rules, as it provides for a private right of action, but there must be some material damage.
In terms of marketing to customers or potential customers in the E.U., the consent rule under the GDPR is an “opt-in” instead of “opt-out” rule. Consent must be very clear and cannot be buried in terms and conditions. There should be a separate check box for marketing and promotions and for accepting terms and conditions.
It is too soon to know how these new regulations will impact the image licensing industry. To some extent all photographs of recognizable people contain personal data. Some have asked whether the new “right to be forgotten” will affect the industry and whether models or subjects could request that images be erased or consent withdrawn. While these regulations have not been officially interpreted yet, this kind of overly broad interpretation would be contrary to the purpose of the regulations – which is to address privacy issues with data collection.
The regulations do acknowledge that there are legitimate business reasons to retain certain personal information. The licensing of editorial as well as commercial images by image libraries serves an important business and newsgathering function and model releases are required to be retained for many business and legal purposes, and are necessary to produce in the event of a claim. Further, the “right to be forgotten” is not absolute and the regulations acknowledge that other rights, such as the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression must be reconciled with this right. These exceptions should insulate the licensing of images and restrict persons from demanding that images be removed.
This article is intended to be a broad overview of this new regulation and not a complete description of the GDPR or any company’s obligations. You are encouraged to seek further advice and there are many websites offering insights. Importantly, the regulations have not been interpreted and we will continue to monitor this topic. The GDPR will be included in the DMLA legal panel at the DMLA Annual meeting in October.