Right to Not Be Forgotten (Sometimes): Celebrity Privacy Rights in a Data-Driven World
Franklin Graves
Shaping the legal landscape of the creator economy, emerging technologies, and IP, data, & privacy
This article was first published in the ABA's Landslide® Magazine November/December 2020 issue (Volume 13, Number 2). Download a copy of the article from SSRN.
Co-written by Franklin Graves & Germaine Gabriel.
Access to data plays a crucial role in how society consumes entertainment. At the tap of an app, we can find out the name of the familiar face playing a secondary role in a classic TV sitcom or learn the (estimated) net worth of an athlete featured in a commercial that just aired. Additionally, we can explore the back catalogs of our favorite artists on a streaming music platform or read about their careers without leaving the platform. We can also dig into the latest gossip or paparazzi video documenting a celebrity’s meltdown.
The realms of entertainment, media, and sports law traditionally rely on a bundle of privacy and publicity rights that, when taken together, form a protective legal shield for celebrities. These rights range from invasion of privacy to libel and slander to misappropriation of name, image, and likeness. Whether classified as celebrities, athletes, influencers, or something else entirely, famous individuals have always faced legal hurdles across jurisdictions when they seek to secure legal protections over their personal lives, businesses, brands, and numerous revenue streams. Public figures are now looking to the ongoing advent of groundbreaking privacy regulations around the world to add more tools to their legal arsenal. However, to what extent have they given up, or signed away, such rights?
Value and Ownership of Personal Data
Over the last few years, the general population has become familiar with privacy laws through their routine, everyday use of products and services. It is nearly impossible to avoid privacy issues, whether it is accepting an onslaught of updated social media platform privacy policies1 or reading about weak user passwords leading to bad actors gaining access to a camera in a child’s bedroom.2 Data is commonly analogized as the “new oil” and powers much of our economy and daily lives.3 According to cloud software firm DOMO, predictions indicate that “[b]y 2020, there will be 40x more bytes of data than there are stars in the observable universe.”4 What is the value of all this data? Estimates attempting to place a monetary value on personal data range from a couple hundred dollars per service used5 up to thousands of dollars per individual.6 It is clear that there is a value to businesses and individuals when it comes to personal data and the regulations that govern its use.
The most notable privacy legislation in recent years came from Europe in the form of the General Data Protection Regulation (GDPR).7 The state of California soon followed suit with the California Consumer Privacy Act of 2018 (CCPA).8 Both pieces of legislation laid the groundwork for handing over the controls of personal privacy and the use of personal data to the individual (referred to as “data subjects” under the GDPR and “consumers” under the CCPA), as opposed to sole control and use, termed “processing” under both regulations, by the businesses transacting with such data (referred to as “processors” and/or “controllers” and “sub-processors” under the GDPR and “businesses” and/or “service providers” under the CCPA).
The concept of data “ownership” within the context of personal data has largely been upended by privacy regulations and resulted in a change to transacting with personal data within the entertainment, media, and sports industries. Currently, privacy regulations do not differentiate between personal data subjects who are well-known and those who might only have a couple of hundred Instagram followers, so industries have been forced to adapt.
Key Rights and Obligations under the GDPR and CCPA
As a starting point, it is helpful to understand that, generally, the GDPR applies to: (1) the processing of personal data within the European Economic Area (EEA), regardless of whether it is the personal data of a citizen of an EEA member state or not; and (2) the processing of EEA data subjects’ personal data, regardless of whether the processing takes place within the EEA, or whether the controllers and/or processors are established outside of the EEA.9 The CCPA establishes a less broad approach for applicability by focusing on for-profit legal entities that do business in California and meet the following thresholds: (1) gross annual revenues over $25 million; (2) annually buy, receive, sell, or share commercially the personal information of over 50,000 consumers, households, or devices; or (3) derive 50 percent or more of their annual revenues from selling consumers’ personal information.10
Most companies within the entertainment, media, and sports industries would easily fall within the categories of businesses, or processors and/or controllers, subject to the CCPA, the GDPR, or both. However, not all public figures fall within the scope of existing privacy regulations. As regulators expand protections, such as federal privacy regulations in the U.S.,11 businesses will have to continue adapting processes and procedures for the handling of personal data. Absent an idyllic future in which a uniform approach to privacy laws exists, building a foundational understanding of the CCPA and GDPR is a perfect starting point for shaping a lawyer’s approach to personal data rights.
The CCPA allows consumers the right to prohibit businesses from selling their personal information, the so-called “opt-out right,” with such options being clearly and conspicuously located on a business’s website. Additionally, the CCPA explicitly requires parent or guardian consent for consumers under the age of 13, or explicit consent for consumers between the ages of 13 and 16 (a so-called “right to opt-in”). This particular obligation might prove problematic for websites that rely on user-generated content, or crowdsourcing, such as IMDb or Wikipedia. By way of example, IMDb’s California Consumer Privacy Act Disclosures list “professional information, for example data you may provide about your acting experience” as a category of personal information that may be collected and disclosed for a business purpose.12 It, therefore, would be possible, at least operating within the view of the CCPA, for a public figure within California to submit an opt-out request, as well as requests for other information. However, would this lead to a breach of contract claim if the public figure, or their agent, is the party responsible for supplying the personal information under the terms of a subscription agreement with IMDb? An argument that personal information would be deemed public information after being published might not hold up under the CCPA given that its definition of “publicly available” is limited to personal information “lawfully made available from federal, state, or local government records.”13 The GDPR similarly includes language addressing a public authority’s release of personal information that might be contained within official documents.14 The GDPR also references personal data that originates “from publicly accessible sources,”15 within the context of still placing an obligation upon the controller to inform the data subject about the processing.
While the GDPR does not include a right to prohibit the sale of personal information, it does include an opt-out right of data processing for marketing purposes16 and a right to withdraw consent at any time.17
Both the CCPA and the GDPR contain provisions regarding the right to have personal information deleted, but the GDPR contains six grounds under which the limited right applies. Those six grounds include: (1) the personal data is no longer necessary in relation to the purposes for which it was collected; (2) the data subject withdraws consent; (3) the data subject objects to the processing; (4) the personal data has been unlawfully processed; (5) the personal data has to be erased for legal compliance; and (6) the personal data was collected without parental or guardian consent.18 The GDPR also offers, among other things, a right to rectification of inaccurate or incomplete personal data19 and a right to restrict processing,20 which are absent from the CCPA. It is likely that future debates over what is deemed “inaccurate” or “incomplete” will arise, especially if the ability to rectify would provide some benefit to the public figure and their overall public perception.
In accordance with the GDPR, the Article 29 working party provided within their Guidelines on Transparency21 that transparency requires that any information and communication relating to the processing of personal data be easily accessible, be easy to understand, and use clear and plain language. The requirement to inform the data subjects about the processing of their personal data, which guarantees transparency of all processing, is all the more important since it affects the data subjects’ exercise of their right of access22 and right to object to the processing of that data.23 A best practice is to present data subjects with transparent notice of whether their personal data will be collected, and how it will be processed, at the point of collection. This can be in the form of a privacy notice if consumer data is collected in an online context.
Notice obligations exist under both the CCPA and the GDPR, which can directly impact the drafting of contracts for entertainment, media, and sports purposes. The GDPR and CCPA both create a broad range of operational and technical requirements that must be followed to ensure proper compliance at the time of collection, but both essentially boil down to clearly identifying the categories of personal information and the types of processing that will be done with the personal information.24 As a best practice, the level of detail around the processing of personal data that should be included in contracts that are entered into directly with public figures should be carefully considered and drafted in a manner that supports the present and future intents of the parties involved.
There are some exceptions that appear to provide some level of support for common business transactions within the entertainment, media, and sports industries. For example, the CCPA excludes situations under which “[a] consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party” from the scope of selling personal information as such activity is defined under the statute.25 However, such disclosures to or interactions with third parties by a business must prohibit the third party from selling the personal information beyond what might be within the scope of the business purpose. Therefore, it again becomes important that contractual terms, such as a detailed business purpose, between parties are carefully drafted to incorporate any nuances that might be required under applicable laws and regulations. Another consideration might be to include language that mirrors traditional intellectual property obligations and further assurances that the rights owner will support the licensee with any additional steps that might be necessary to secure the full scope of rights intended to be conveyed under the agreement. Whether this approach, or a limited power of attorney appointment, would be enforceable under privacy regulations remains to be seen.
Another example of an exception can be found under GDPR Article 85, titled “Processing and freedom of expression and information.” Article 85 provides a so-called “journalism exception” for the processing of personal data in furtherance of “the right to freedom of expression and information, including processing for journalistic purposes.” Building upon privacy regulations before it,26 GDPR Article 85 provides a broad exemption to support the needs of free speech within the context of data protection. Article 85 covers more than just traditional journalism and specifically includes processing exemptions for “the purposes of academic, artistic or literary expression.” Additionally, Article 85 allows individual EEA member states to determine whether free speech protections extend beyond just those listed in the GDPR, akin to the state-by-state approach to regulations in the U.S., so when dealing with data subjects across the EEA, it is important to take each jurisdiction’s potential approach into consideration.
Privacy Rights of Celebrities in the EEA
Across the pond in the EEA, the European Convention on Human Rights (ECHR) has recognized privacy in public for celebrities and the right to privacy under the Data Protection Act of 1998.
In fairly recent EEA case law, specifically, Murray v. Express Newspapers plc27 and Weller v. Associated Newspapers Ltd.,28 photographs of celebrities’ children were taken and thereafter published without parental consent. In Murray, J.K. Rowling, a famous author, filed suit in U.K. court after a photograph of her toddler son was taken when she and her husband took the toddler for a walk. Among other contentions, J.K. Rowling claimed breach of confidence, privacy, and infringement of the Data Protection Act of 1998 over the unauthorized publication of her toddler son’s photograph. While the case was originally dismissed, upon appeal, the court found that “personal data which have been obtained, recorded, held and disclosed covertly and without giving the data subject any opportunity to object to any of those operations on the data, are not processed ‘fairly’ within the meaning of the first data protection principle.”29 The court further found that a photograph constitutes information as to the physical or mental health or condition of the data subject, which amounts to “sensitive personal data” within section 2(e) of the Data Protection Act of 1998.
In Weller, a similar case, Paul Weller filed suit in U.K. court when photographs of his three minor children were published without his consent. Weller is a well-known singer and contended that the publication of the images of his children amounted to misuse of private information and breach of the Data Protection Act of 1998. The court found that the defendant was liable for misuse of private information and breach of the Data Protection Act of 1998. There were contributing factors to support the court’s finding, including that the parents had not consented to the taking or publishing of the photographs, and the claimants were children and had been identified by name, thus exposing them to special vulnerability.
In Von Hannover v. Germany,30 Princess Caroline von Hannover of Monaco brought suit in German courts after several photographs of her and her family were published on several occasions without her or her family’s consent. Hannover contended that the photographs infringed on her and her family’s right to respect for their private life under ECHR Article 8. In 2004, the court held that there was a violation of Article 8. The court came to its rationale after balancing the protection of private life against freedom of expression and the possible contribution that the published photos and articles would make to a debate of general interest. Ultimately, the court deemed that the photographs made no such contribution, since the applicant exercises no official function and the photos and articles related exclusively to details of her private life. In short, Hannover had a “legitimate expectation” of protection of her private life.
With the passing of the GDPR, it is unclear whether celebrities will have additional vehicles for recourse if their likeness is photographed and published without their consent.
Impact on Data Licensing Agreements
A data processing addendum or agreement (DPA) contains contractual obligations between two parties relating to the processing of data. As with nearly all contracts, the approaches taken with entering into DPAs can range widely. DPAs can be structured and presented as stand-alone agreements, side letters, or amendments to existing agreements; incorporated as a set of clauses within an existing agreement template; attached as an exhibit or attachment to an agreement template; or presented as a set of unilaterally binding online terms. It is worth noting that the use of a “DPA” within this context should not be confused with a possible reference to “data protection authorities,” the independent public authorities that enforce data privacy regulations across Europe.
A DPA that is used for a relationship contemplating the sharing of personal data should typically cover most, if not all, of the following points: (1) the nature and purpose of the processing activities; (2) a description of the categories of data subjects and the categories of personal data; (3) the length of time for processing of the personal data, and what happens when the contractual relationship between the parties ends; (4) the technical and organizational measures to ensure processing of personal data in a manner compliant with relevant laws and regulations, or the policy requirements established by a particular business (including details such as de-identification, aggregation, and/or anonymization procedures and requirements); (5) rules for data transfers, addressing any potential cross-border transfers; and (6) the use of third-party contractors, referred to as “sub-processors” under the GDPR and “service providers” under the CCPA. Additional information that will inform the legal analysis used to draft the contract includes: (1) methods under which the data licensor has collected the personal data being supplied; and (2) whether the personal data has come directly from the data subject or consumer, publicly available resources (such as websites, social media platforms, or news outlets), or unaffiliated third parties.
Within the context of the entertainment, media, and sports industries, data licensing agreements are commonly used to govern the contractual relationship between two parties sharing data. For example, a commercial music database may license artist biographical data to a music streaming platform so that end users can read about the artist, or a sports betting website may license data about a particular sports league to power its platform. Data licensing agreements can take the form of stand-alone agreements or follow a more technical, industry-specific structure, incorporating concepts such as an application programming interface (API) license and restrictive or permissive data usage terms.
Following the implementation of data protection laws and regulations, many entertainment, media, and sports data licensing agreements have been expanded to include DPAs in some fashion. Data licensing agreements are now including provisions that govern a data subject’s right to be forgotten and obligations to which the parties transacting with the data must comply. More specifically, it is not uncommon to have a contract that includes an obligation to communicate such deletion requests from a data subject to the other party to the contract. From a practical standpoint, this may require each party to ensure an appropriate process and procedure for tracking and communicating such requests is implemented and followed (or audited) on a regular basis. For businesses that operate as a service provider to consumers, such as SaaS services or social media platforms, and utilize a privacy policy designed to comply with the CCPA and GDPR, existing processes and procedures for data privacy compliance programs might be an option for management of personal data requests relating to data subjects governed by a data licensing agreement. This leads to the question of whether the data was lawfully collected from the start.
When negotiating a data licensing agreement that will involve personal data, it is important to establish and identify from the start the role of the parties. Under the GDPR, there are two potential classifications: (1) one party can be a controller and the other a processor;31 and (2) if two or more parties can determine the purpose for processing, then it might be a joint controller relationship.32 The GDPR does not explicitly recognize an independent controller relationship, where each party independently determines the purpose for processing, but there is a term previously identified under the U.K. Data Protection Act of 1998 as “controllers in common.”33 Drafting the data licensing agreement, and accompanying DPA, correctly is important to ensure each party understands their obligations under privacy regulations, and to each other. Inappropriate use of personal data can subject all parties to a risk of liability and fines, potentially even if the inappropriate use occurs downstream.
An important representation and warranty to include in data licensing contracts would be language that the party supplying the personal data has adequately, or in a legally compliant manner, obtained permissions not only to collect personal data but also to further distribute (either commercially or not) the personal data without the need for additional permissions gathering. Analysis should explore potential regulatory requirements for each lawful basis of, and consents necessary for, downstream processing of the personal data. For example, a video game licensee receiving personal data subject to privacy regulations does not want to be in a position where it is forced to individually contact and obtain the consent of the data subjects, or potentially be left without recourse if it receives requests from data subjects or inquiries from data authorities.
The mechanics involved with drafting and negotiating data licensing agreements that involve personal data require close attention to the scope of privacy rights applicable to the data subjects involved to ensure the contract adequately protects both parties and assigns obligations, liabilities, and risks as both parties intend.
Read the full article on the ABA Landslide® Magazine website. Or, download the article from SSRN.
Endnotes
1 Jefferson Graham, Why You’re Receiving All Those Privacy Update Emails, USA Today (Dec. 28, 2019), https://www.usatoday.com/story/tech/2019/12/28/have-you-taken-look-what-conde-nast-yelp-hulu-and-others-grab/2750460001.
2 Neil Vigdor, Somebody’s Watching: Hackers Breach Ring Home Security Cameras, N.Y. Times (Dec. 15, 2019), https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html.
3 Antonio García Martínez, No, Data Is Not the New Oil, Wired (Feb. 26, 2019), https://www.wired.com/story/no-data-is-not-the-new-oil.
4 Data Never Sleeps 7.0, DOMO (2019), https://www.domo.com/learn/data-never-sleeps-7.
5 Martínez, supra note 3.
6 Marie Baca, What You Do on the Internet Is Worth a Lot. Exactly How Much, Nobody Knows, Wash. Post (Oct. 14, 2019), https://www.washingtonpost.com/technology/2019/10/14/what-you-do-internet-is-worth-lot-exactly-how-much-nobody-knows.
7 Commission Regulation 2016/679, 2016 O.J. (L 119) 1 [hereinafter GDPR].
8 Cal. Civ. Code §§ 1798.100–.199. It should be noted that, as of this article’s publication, the California Privacy Rights and Enforcement Act (CPRA) is scheduled to appear on the November 2020 ballot, with an anticipated effective date of January 1, 2023.
9 GDPR, supra note 7, art. 3.
10 Cal. Civ. Code § 1798.140(c).
11 See Eric Newcomer, California Will Be Key Battleground in Tech Privacy Fight in 2020, Bloomberg (Jan. 2, 2020), https://www.bloomberg.com/news/articles/2020-01-02/privacy-fight-continues-in-california-dc-and-beyond.
12 IMDb California Consumer Privacy Act Disclosures, IMDb, https://help.imdb.com/article/issues/G73WRBWXE25UUTHP (last visited Oct. 28, 2020).
13 Cal. Civ. Code § 1798.140(o)(2).
14 GDPR, supra note 7, art. 86.
15 Id. art. 14(2)(f).
16 Id. art. 21(2).
17 Id. art. 7(3).
18 Id. art. 17(1).
19 Id. art. 16.
20 Id. art. 18.
21 Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) (2018).
22 GDPR, supra note 7, art. 12.
23 Id. art. 14.
24 Id. arts. 13–15; Cal. Civ. Code § 1798.130(a)(5).
25 Cal. Civ. Code § 1798.140(t)(2)(A).
26 See, e.g., Council Directive 95/46/EC, art. 9, 1995 O.J. (L 281) 31 (“Processing of personal data and freedom of expression”).
27 [2008] EWCA (Civ) 446, [2009] Ch 481 (Eng.).
28 [2014] EWHC 1163 (QB) (Eng.).
29 Murray, [2009] Ch at 488.
30 [2004] ECHR 294.
31 GDPR, supra note 7, ch. IV.
32 Id. art. 26.
33 See also Serkan Kurt, Guide for Multi-Controller Situations under the GDPR, IAPP (Nov. 6, 2017), https://iapp.org/media/pdf/resource_center/guide-multi-controller.pdf.
IP and Technology Partner @ Steptoe LLP, AI and IoT Author, Educator, and Advocate
3 years ago: Looking forward to reading!
Attorney at Law – New York, California, Italy | Legal Counsel – XXV Olympic Winter Games Milano Cortina 2026 | University Lecturer – IP, Sports, Media, TV, Entertainment, Sponsorship, Licensing, Brand Protection, Tech
3 years ago: Excellent article, Franklin. Thank you for sharing it.