Cannes: movie stars, auteurs, glamour, the French Riviera, and… data privacy?
Before the cameras start rolling, a film production company will need to agree service contracts for cast and crew. In honour of the Cannes Film Festival happening this week, let’s consider how data protection issues need to be addressed for an actor’s contract.
A standard Actor’s agreement will cover payment, travel and residence allowances, box office bonuses, and of course, intellectual property. But if the production company intends to process a significant amount of personal data about the Actor – such as dates and locations of filming, and details of travel arrangements and accommodation – the agreement should also contain a data protection clause. Remember that “processing” is widely defined, and covers any activity involving personal data, including storing, sharing, or reading.
“The Actor agrees and hereby give her consent to the holding and processing of personal data relating to the Actor in any form, whether obtained or held in writing, electronically or otherwise, by the Producer.”
The above clause may be acceptable under the UK Data Protection Act 1998, but is problematic under the incoming General Data Protection Regulation (GDPR).
Consent. As worded above, the Actor is providing the Producer with blanket consent to process her personal data. Under the GDPR, consent means “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Art. 4(11)).
Given that this is a contract between a prospective employee and her boss, there is an imbalance of power between the parties. Accordingly, the Actor’s consent statement is unlikely to be considered “freely given” as is required under the GDPR. Furthermore, personal data processing should neither be disguised nor bundled with the provision of a contract (Art 7(4)).
Even in other contexts, it would be unwise to rely on the Actor’s consent for processing, as this can cause difficulties if consent is withdrawn at a later date. It is therefore advisable to rely on another lawful basis.
Another lawful basis? “Lawful basis” is just another way of saying “reason to do something.” Consent is just one of the six lawful bases permitted (Art. 6 GDPR). As the conditions for consent are very strict and unlikely to be met in this scenario, the Producers should consider their other options:
- Contract: Processing is necessary for a contract with the person. Employment contracts are certainly applicable in this instance: for example, the Producers must process the Actor’s bank details to pay her.
- Legal obligation: Processing is necessary for the Producers to comply with the law. This could include their tax obligations for HMRC, or complying with money laundering regulations.
- Legitimate interests: The Producers must process the data for their legitimate interests. This could include business purposes such as sending out publicity emails with the Actor’s name and contact details, posting her image on social media, and so on. This is the most flexible basis to rely upon, but requires the Producers to demonstrate (inter alia) that their objectives are not unreasonable, and do not harm the Actor’s human rights (Recital 47).
- The other lawful bases of protecting vital interests and carrying out a public task are not applicable in our scenario, but worth noting for completeness.
To be GDPR compliant, the clause could be amended to something like:
The Producers will collect and process the Actor‘s personal data in accordance with the Privacy Notice annexed to this Agreement. The Actor will sign and date the Privacy Notice and return it to the Executive Producer within 10 days of signing this Agreement.
The purpose of the Policy Notice is to provide the ActorActor with the information she is entitled to receive as a data subject (Articles 13 and 14). The Privacy Notice, likely to take the form of a letter, will explain how the Producer obtains, uses, and retains the Actor’s personal data. It will also set out the relevant lawful bases for each type of processing, and explain how the Actor can exercise her rights (Articles 15 through 22 inclusive).
Of course, the work doesn’t end once the agreement is signed. The Producers will need to make sure anyone who handles personal data within their organisation understands the new requirements under the GDPR. Having clear policies is only part of the story: those policies will need to be followed.
It’s a common misconception that the GDPR is just about IT security and marketing emails filling up your inbox. In reality, the legislation will provide enhanced rights for data subjects, and it’s important to remember that employees are data subjects too.