Now you’re just somebody that I used to know

The GDPR has been in force for less than two weeks, but Europeans have already started to contact companies left, right and centre to exercise their newly enshrined statutory “right to be forgotten.”

However, this right is not absolute, and only applies in certain circumstances. Let’s look at the balancing act between a data subject’s right to have their data erased on the one hand, and an organisation’s need to maintain data for legitimate purposes, on the other.

Organisations (data controllers and processors) are obliged to only collect and use personal data in a lawful manner, as set out in Article 6. There are several types of “lawful processing,” including in instances where an individual grants his or her explicit and informed consent. But lawful processing also covers the use of data for a controller’s legitimate interests, the performance of a contract, or legal obligations, such as fraud prevention. For more on lawful processing, check out my earlier post – Lights, camera, data protection?

With this in mind, it’s important to note that only in certain scenarios does an individual have the right to be forgotten. Under Article 17(1), their data must be either:

  1. no longer necessary for the original purpose;
  2. processed based on consent, which is now withdrawn;
  3. processed based on the organisation’s legitimate interests, which the individual objects to;
  4. processed for direct marketing purposes, which the individual objects to;
  5. processed unlawfully (in contravention of Article 6); or
  6. erased to comply with a legal obligation.

But before an organisation hits “delete” it must see if any purposes for retention apply. In pre-GDPR days gone by, data subjects had to prove they had the right for their data to be erased. The burden now lies with the controller to prove that they have a legal basis for retaining the data. If so, the organisation has a lawful reason to refuse the erasure request. In fact, deleting data when an exemption does apply could be a breach of the law!

The purposes for retention under Article 17(3) are:

  1. the right of freedom of expression and information;
  2. complying with a legal obligation, or for performing a task in the public interest;
  3. for reasons of public health;
  4. for archiving in the public interest, including scientific or statistical research; or
  5. for the establishment, exercise or defence of legal claims.

Additionally, “manifestly unfounded” or “excessive” requests may be refused outright.

From what I’ve seen in practice over the last few days, most erasure requests are made because an individual no longer wants to receive marketing emails. Fair enough: in shifting responsibility onto corporate controllers, the right to be forgotten strengthens individual control. It also signifies public disapproval of entities which process – and, in some instances abuse – enormous quantities of personal information without the explicit consent or knowledge of the individuals concerned.

For those of us interested in the societal and human rights implications (I’m telling you – data protection isn’t just for the techies amongst us!) it’s worthwhile to consider how journalism fits into the picture.

As Oxford’s International Data Privacy Law summarises rather eloquently: The nebulous boundaries and susceptibility to misuse of the right to be forgotten make it a blunt instrument for data protection with the potential to inhibit free speech and information flow on the Internet.

As early as 2012, Reporters Without Borders (formally, Reporters Sans Frontières) criticized the right to be forgotten – then in early draft stages – as a generalised right that individuals can invoke when digital content no longer suits their needs. This runs the risk of trumping the public interest in the information’s availability. RSF also contends that the demand for complete erasure of online content, or the “right to oblivion”, could place impossible obligations on content editors and hosting companies.

EU Commissioner Viviane Reding responded to the criticism from RSF by explaining that the [GDPR] provides for very broad exemptions to ensure that freedom of expression can be fully taken into account.

Note – this post covers the statutory Right to Erasure under Article 17 of the GDPR. Although related, it is distinguished from the recent high-profile cases against Google, in which the English Supreme Court held that a defendant convicted of a crime was entitled to the right to be forgotten, and therefore delisted from Google search results. A more serious offence, with fewer mitigating circumstances, did not attract the same right.

photo © Cassidy Kelley

Lights, camera, data protection.

Cannes: movie stars, auteurs, glamour, the French Riviera, and… data privacy?

Before the cameras start rolling, a film production company will need to agree service contracts for cast and crew.  In honour of the Cannes Film Festival happening this week, let’s consider how data protection issues need to be addressed for an actor’s contract.

A standard Actor’s agreement will cover payment, travel and residence allowances, box office bonuses, and of course, intellectual property.  But if the production company intends to process a significant amount of personal data about the Actor – such as dates and locations of filming, and details of travel arrangements and accommodation –  the agreement should also contain a data protection clause.  Remember that “processing” is widely defined, and covers any activity involving personal data, including storing, sharing, or reading.

The Cannes 2018 poster, featuring an image from Jean-Luc Godard’s 1965 film “Pierrot le Fou.”

“The Actor agrees and hereby give her consent to the holding and processing of personal data relating to the Actor in any form, whether obtained or held in writing, electronically or otherwise, by the Producer.”

The above clause may be acceptable under the UK Data Protection Act 1998, but is problematic under the incoming General Data Protection Regulation (GDPR).

Consent. As worded above, the Actor is providing the Producer with blanket consent to process her personal data.  Under the GDPR, consent means “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Art. 4(11)).

Given that this is a contract between a prospective employee and her boss, there is an imbalance of power between the parties. Accordingly, the Actor’s consent statement is unlikely to be considered “freely given” as is required under the GDPR.  Furthermore, personal data processing should neither be disguised nor bundled with the provision of a contract (Art 7(4)).

Even in other contexts, it would be unwise to rely on the Actor’s consent for processing, as this can cause difficulties if consent is withdrawn at a later date.  It is therefore advisable to rely on another lawful basis.

Another lawful basis? “Lawful basis” is just another way of saying “reason to do something.” Consent is just one of the six lawful bases permitted (Art. 6 GDPR). As the conditions for consent are very strict and unlikely to be met in this scenario, the Producers should consider their other options:

  • Contract: Processing is necessary for a contract with the person. Employment contracts are certainly applicable in this instance: for example, the Producers must process the Actor’s bank details to pay her.
  • Legal obligation: Processing is necessary for the Producers to comply with the law. This could include their tax obligations for HMRC, or complying with money laundering regulations.
  • Legitimate interests: The Producers must process the data for their legitimate interests. This could include business purposes such as sending out publicity emails with the Actor’s name and contact details, posting her image on social media, and so on. This is the most flexible basis to rely upon, but requires the Producers to demonstrate (inter alia) that their objectives are not unreasonable, and do not harm the Actor’s human rights (Recital 47).
  • The other lawful bases of protecting vital interests and carrying out a public task are not applicable in our scenario, but worth noting for completeness.

To be GDPR compliant, the clause could be amended to something like:

The Producers will collect and process the Actor’s personal data in accordance with the Privacy Notice annexed to this Agreement. The Actor will sign and date the Privacy Notice and return it to the Executive Producer within 10 days of signing this Agreement.

The purpose of the Privacy Notice is to provide the Actor with the information she is entitled to receive as a data subject (Articles 13 and 14). The Privacy Notice, likely to take the form of a letter, will explain how the Producer obtains, uses, and retains the Actor’s personal data. It will also set out the relevant lawful bases for each type of processing, and explain how the Actor can exercise her rights (Articles 15 through 22 inclusive).

Of course, the work doesn’t end once the agreement is signed. The Producers will need to make sure anyone who handles personal data within their organisation understands the new requirements under the GDPR. Having clear policies is only part of the story: those policies will need to be followed.

It’s a common misconception that the GDPR is just about IT security and marketing emails filling up your inbox. In reality, the legislation will provide enhanced rights for data subjects, and it’s important to remember that employees are data subjects too.

No more Safe Harbours for EU-ser Uploaded Content?

The European Union is considering a sweeping new Directive on Copyright in the Digital Single Market, currently in draft stages. Industry groups are keen to ensure their opinions are taken into consideration, especially in instances where consumers share content which belongs to artists, authors, record labels, and television channels.

Digital platforms and internet service providers which host User Uploaded Content (UUC) argue that they are not responsible for any copyright infringing material uploaded by their users. However, trade bodies representing various industries believe the incoming Copyright in the Digital Single Market Directive doesn’t go far enough to reform this safe harbour principle.

The E-commerce Directive states that EU Member States shall ensure that internet service providers are not liable for copyright infringements carried out by their customers, on condition that: (a) the ISP does not have actual knowledge of illegal activity or information; and (b) the provider “acts expeditiously to remove or to disable access” to the illegal content, once they become aware of it (see Article 14).

This article provides ISPs with a “safe harbour” from copyright liability (also known as the “mere conduit” provision). Generally speaking, a safe harbour* is simply a protection available within a regulation that specifies that certain actions do not violate a given rule, in particular circumstances.

In the United States, this principle operates under the “notice-and-take-down system”

About 18 months ago, the European Commission announced its plans to introduce a new Directive on Copyright in the Digital Single Market. As the explanatory memorandum sets out, “the evolution of digital technologies has changed the way works and other protected subject-matter are created, produced, distributed and exploited. In the digital environment, cross-border uses have also intensified and new opportunities for consumers to access copyright-protected content have materialised. Even though the objectives and principles laid down by the EU copyright framework remain sound, there is a need to adapt it to these new realities.”

Amongst other things, the proposed Directive seeks to rebalance the position of the copyright owner against that of the internet service provider. Last week, various trade groups representing Europe’s creators and creative content producers published an open Letter to the European Council.

The authors suggest that, far from ensuring legal certainty, the Directive as currently drafted “could be detrimental to our sectors,” which include journalism, film and TV, music, and sport. While the authors support the objectives of the proposed legislation, the Letter critiques the latest draft of the directive, and expresses significant concerns about the safe harbour reforms.

In particular, the problems seem to arise with sections addressing the “use of protected content” by ISPs and other platforms which “store and give access to large amounts of works and other subject-matter uploaded by their users”. Put simply, the copyright industries want the safe harbour reformed, so that it no longer applies to user-upload sites (Complete Music Update).

This draws into question how online platforms hosting UUC should monitor user behaviour and filter their contributions. Currently, the platforms review material after it has been published and reported or “flagged” as copyright infringement. This may, as has been discussed with Facebook’s proposed use of artificial intelligence in copyright and hate speech monitoring, “inevitably require an automated system of monitoring that could not distinguish copyright infringement from legal uses such as parody” (The Guardian).

The authors of the Letter voice complaints in respect of the draft forms of Article 2, Article 13(1) and Article 13(4):

  • Article 2 defines which services fall under liability, mentioned further at Article 13. The latest draft could leave most UUC platforms outside the scope, despite the fact they continue to provide access to copyright protected works and other subject-matter. For example, music playing in the background of a makeup tutorial on YouTube.
  • The problem with Article 13(1) as currently written is that it risks narrowing the scope of the right and contravening CJEU jurisprudence. The Letter’s authors argue that “any new EU law should secure that this right is broad,” and “contain no additional criteria which could change via future CJEU rulings.”
  • As for Article 13(4) and its relevant recitals, the authors suggest the language is tantamount to a new safe harbour, which would both “seriously undermine fundamental principles of European copyright,” and pose “unwarranted liability privilege risks breaching the EU’s obligations under international copyright treaties.”

The Letter closes with the authors’ promise to “remain at the Council’s disposal to find solutions to these points.” For more on the proposed Directive, be sure to check out the IPKat’s numerous posts on the subject.

*This “Safe Harbour” in copyright law is not to be confused with the Safe Harbor Data Privacy exemptions between the US and the EU, which have since been declared invalid. On that subject, I might write on the new Privacy Shield… at some point…