A Collective Effort - The Impact of the GDPR on Collective Management Societies

This article was kindly drafted by Axel Beelen, who writes the blog IP News (focusing on EU and Belgian IP developments). He can also be found on Twitter here. He is also a data protection specialist.

The rules surrounding personal data are about to change on 25 May 2018 when the new General Data Privacy Regulation (GDPR) will enter into force. Because collective management organisations (CMOs) process their members' personal data, they will have to be compliant with the GDPR next year. Fines can be very high in the case of non-compliance. Below you will find the key points introduced in the GDPR concerning CMOs.

Data-subjects’ rights enlarged and more defined

The processing of personal data is lawful only if, and to the extent that, it is permitted under the GDPR. If the data controller (here the CMO) does not have a lawful basis for a given data processing activity (and no exemption or derogation applies) then that activity is prima facie unlawful. A lawful basis would be the consent of the data subject to do so, contractual necessity, compliance with legal obligations, the vital interests of the data subject, necessary for public interest or the legitimate interests of the data controller.

The "legitimate interests" lawful basis, under Article 6, is the more difficult to understand. It requires the balancing of the legitimate interests of the CMO against the interests and fundamental rights of the data subject (the rightholder).

To be a member of a CMO, rightholders (for example, authors, publishers, artists and producers) enter into an agreement with the CMO. This contract will generally be the lawful basis for the future processing of the rightholder’s data.

Members must be informed before any processing

The GDPR requires that the members of the CMOs have to be clearly and fully informed about their set of rights, including new rights that have been introduced, before the collection and processing of their personal data. CMOs are strongly advised to adapt their privacy provisions, communications and information to meet the requirements of the GDPR.

CMOs will also need to ensure that they have effective systems in place to enable them to give effect to these rights without any costs to the rightsholders. In the case of non-compliance, fines can be very steep: €20 million or up to 4% of the total worldwide annual turnover of the CMO for the preceding financial year.

CMSs have gone through quite the change,
even before the GDPR (Source: Oatmeal)

The GDPR expands the existing set of rights provided in the 1995 Data Protection Directive, and creates several entirely new rights increasing the ability of members of CMOs to better control their personal data. CMOs must provide any requested information in relation to any of the rights of their members within one month of receiving such a request. Only where CMOs receive large numbers of requests, or especially complex requests, may the time limit be extended by a maximum of two further months. Internal policy enabling the CMO to quickly reply to a member request will need to be written.

Members’ rights under the new GDPR

In a nutshell, members have the following rights under Articles 12-22:

• Right of access: members of CMOs (as data subjects) have the right to obtain information relating to (i) confirmation of whether, and where, CMOs are processing their personal data, (ii) the purposes of the processing, (iii) the categories of data being processed, (iv) the categories of recipients with whom the data may be shared, (v) the period for which the data will be stored, (vi) the existence of the rights of erasure, rectification and restriction of processing and to object to processing, (vii) the existence of the right to complain to the DPA, (viii) the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects. Additionally, members may request a copy of the personal data being processed by their CMO;
• Right of rectification regarding any inaccurate personal data possessed by the CMO;
• Right to erasure (the "right to be forgotten"): following the Google Spain ECJ ruling of 2014, the GDPR now allows data subjects to request that their personal data be erased if (e.g.) the data are no longer needed for their original purpose (and no new lawful purpose exists) or the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing;
• Right to restrict processing;]
• Right of data portability: members will now have the right to receive a copy of their personal data in a commonly used machine-readable format, and request that these data are transmitted directly to another data controller (which could be another CMO). This new right has been the subject of Guidelines written by the Article 29 Working Party (Article 29 WP consists of representatives of the national supervisory authority in data protection);
• Right to object to processing for the purposes of direct marketing (including profiling); and
• Right to not be evaluated on the basis of automated processing: members have the right not to be subject to a decision based solely on automated processing which significantly affects them (including profiling). Such processing is permitted where (i) it is necessary for entering into or performing a contract with the data subject provided that appropriate safeguards are in place, (ii) it is authorised by law or (iii) the data subject has explicitly consented and appropriate safeguards are in place.

CMOs shall provide the data subject with all of this information at the time when personal data of the members are obtained.

A DPO to supervise the personal data activities

CMOs will have to appoint a Data Protection Officer (DPO) to supervise their personal data processing activities. CMOs will have to involve the DPO properly and in a timely manner in all issues which relate to the protection of personal data.

Each CMO will ensure that its DPO does not receive any instructions regarding the exercise of those tasks. The DPO cannot be dismissed or penalised by his CMO for performing his tasks. The DPO will directly report to the highest management level of his company. A DPO can be an employee of the CMO or an outside consultant.

The DPO may be contacted by the members with regard to all issues relating to processing of their personal data and to the exercise of their rights under the GDPR.

Conclusion

 For many collective management organisations, compliance with this new GDPR will be very challenging and expensive. They would be well advised to urgently carry out a legal assessment of the current status of their compliance in order to ascertain any gaps. CMOs will then need to implement adequate solutions and monitor their suitability. All of that before May 25th next year.

Video Games and Copyright - 21st Century Art

Video games have surged to become the new pass-time of choice for millions of people, with sales of new titles like Grand Theft Auto V reaching a billion dollars in sales in its first three days alone. This clearly demonstrates just how important video games are in the sphere of commerce, and therefore the sphere of intellectual property. Even with its immense popularity video games have still been largely left out, at least in terms of specific protection, in most jurisdictions. In addition to this the sheer complexity of video games as copyrighted works presents some issues.

A recent study prepared for the World Intellectual Property Organization attempted to shed some more light on this matter by looking at a variety of jurisdictions and the protection they offer for video games. The study clearly is weighted towards civil law countries (included were for example Denmark, Germany, China and Russia), but common law countries such as Canada and the United States were included in the study.

Super Mario - a modern literary hero?

Copyright protected subject matter in video games shows exactly just broad the category itself is when dealt with under copyright. Three distinct elements can be found in video games, along with their sub-categories respectively; audio elements (e.g. speech, music, sound effects), video elements (e.g. images, animation, text), and computer code (e.g. game engines, ancillary code, plug-ins). In addition to the above any  literary works would be covered as well, including scripts, maps and characters. However the study does point out that "...the real issue, and one of the objects of this study, involves analyzing the legal protection of video games as single, unique works of authorship, since it is irrefutable that the individual elements included in video games can deserve independent copyright protection". The objective of the study is not to introduce possible legal reform or frameworks to protect video games, but to increase awareness to all possible stakeholders, through which potentially exact change or better protection for video games.

In Canada video games are not protected by themselves under the Canadian Copyright Act, but predominantly as a computer program. This would still include all the other copyrighted parts individually, and potentially as a literary work as well. In addition video games could be protected as a 'collective work' as a sum of several distinct parts by different authors. In the US video games would fall under 17 USC § 102, although not expressly mentioned, should it fulfill its specific requirements. Video games have shown some problems to the American judiciary, as is pointed out by the study, but can be said to fall under the protection of copyright.

Always pointing fingers

So this begs the question: why should there be specific protection for video games? Arguably the protection offered to them as it stands can be said to cause some uncertainty. If a video game is not protected as a whole, if individual elements are not deemed protectable the entire game's integrity as an artistic work would clearly be undermined, as the pieces making the game arguably constitute that very artistic expression as a part of a whole. Even in the case of Brown v EMA, the US Supreme Court saw that "[l]ike the protected books, plays, and movies that preceded them, video games communicate ideas-and even social messages-through many familiar literary devices (such as characters, dialogue, plot, and music) and through features distinctive to the medium (such as the player’s interaction with the virtual world)..."; clearly demonstrating this very point. Video games as a whole are a work which should be protected, not merely a collection of pieces which only merit protection by themselves.

The study is an intriguing and wide-scoped view of the sphere where video games currently reside, and do highlight some issues in a variety of jurisdictions, not to mention their protection in the world as a whole through inconsistencies in approaches. As the medium has become very prevalent, this matter should be addressed further and provided with explicit protection not as a mere collection of different forms of expression, but as a viable form in itself.