Personal data, performances, and GDPR

The General Data Protection Regulation (GDPR) is a set of EU-wide data protection rules. It had direct application in the UK from 2018 and was retained as the ‘UK GDPR’ after Brexit. The UK Data Protection Act 2018 complements UK GDPR. Under UK GDPR, collecting and processing personal data (referred to as ‘performance data’ in this document) is subject to strict rules. These rules govern when the collection and any subsequent processing of performance data is lawful; what other obligations data controllers and processors (Engagers and their sub-contractors) must respect; what rights the performer (as a ‘data subject’) has access to, and what sanctions apply for breaching these rules and rights. The definition of ‘processing’ is very broad and includes any operation on personal data, including creation, consultation, communication, storage or deletion of data (ICO legal definitions).

Recorded performances typically involve different types of data (together ‘performance data’): 

1. Data representing facial features

And/or

2. Data representing bodily features and/or movement

And/or

3. Data capturing the voice (tone, pitch, rhythm, accents)

Performance data is typically recorded (recorded, stored and sometimes processed) with technology such as: 

1. Photographs (still images)
2. Films or audiovisual recording (moving images)
3. Sound recordings
4. Broadcast, satellite transmission
5.  Two or three-dimensional scans of faces and/or bodies
6. AI models either trained on or fine-tuned to live or pre-recorded performances to imitate the visual and/or vocal likeness of a performer (sometimes referred to: digital replicas, ‘skins’, face masks, voice prints).

Performance data will qualify as personal data if it contains any information capable of identifying the performer directly or indirectly. This may be the case in instances where a performance features the performer’s voice (not modified or distorted to not resemble the natural voice of the performer) or their face (again, not masked or made-up to the extent that they would not be recognised).

The legal definition of ‘personal data’ in UK GDPR is:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’ (UK GDPR, Article 4(1))

Processing of performance data can also count as ‘special category processing’: 

‘Special category processing’ is defined as:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.” (UK GDPR, Article 9(1)). 

Special category processing of performance data includes processing: 

• Revealing racial or ethnic origin; or
• Of biometric data for the purposes of uniquely identifying someone.

‘Special category processing’ is subject to stricter rules, effectively giving the data subject (the performer) more scope to stop or limit processing of their data. Our position, based on case law and the current guidance issued by data protection authorities in the UK and the EU, is that processing of voice, face or body data (like sound recordings, films or photographs, as well as digital prints, clones or synthetic performances) could amount to ‘special category processing’. But this will depend on the circumstances of each case. Even in circumstances where processing does not amount to “special category” processing, the performer still has important data rights they can assert in relation to uses of generative AI.

GDPR rules will apply whenever an individual’s personal data is collected and processed. This may include for example: 

• A casting director storing a performers’ self-tape.
• A production company recording and storing audio and audiovisual recordings.
• A production company creating and storing a two or three-dimensional scans of a performers’ faces or body for VFX.
• An AI company training or fine-tuning a digital replica.

GDPR applies if an individual can be ‘identified’ directly or indirectly – even if only in the sense of being ‘singled out’ by a system. Therefore, even if the performer’s name is anonymised and replaced with pseudonyms or codes in a system, if they can be singled out by it, then their personal data is being processed. Therefore, the processing of performance data for generative AI will generally engage GDPR.

GDPR rights – such as the right to information or to object to processing – involve balancing performers’ interests against those of Engagers. Performers’ interests will weigh more heavily – meaning the rights are applied more strictly – in relation to technologies or uses which are invasive of the performer’s privacy. AI models capable of generating a performer’s voice, face, body likeness or movement on demand (as is the case with so-called ‘digital replicas’, ‘face masks’ or ‘voice prints’) are particularly invasive of a performer’s privacy. This is because the performer is required to relinquish control over key markers and identifiers of their identity to a third party when done consensually or through a contract. 

We are currently advocating for the UK Information Commissioner’s Office to publish clear guidance confirming how UK GDPR applies in relation to performance data that is used both as “input data” to train a generative AI system and “output data” for generating synthesised performances. 

When an Engager hires a performer to deliver interpretations in which they are recognisable as individuals, they process personal data protection subject to regulations (eg. UK GDPR and EU GDPR) when it captures the performer’s voice or face or other identifiers (such as gait). 

In this scenario, the performer is the data subject, the Engager is the data controller and the recorded performance (in any media) is the personal data. If the Engager sub-contracts certain technical treatment of the performance data to technicians (e.g. sound or virtual effect studios) these sub-contractors may act as joint-controllers or processors of the performer’s personal data.

Engagers must identify a lawful basis for processing personal data. Article 6 of the GDPR sets out an (exhaustive) list of the six lawful basis: (1) Consent; (2) Contract; (3) Legal obligation; (4) Vital interests; (5) Public task; (6) Legitimate interests. 

Article 6 of the GDPR sets out the bases on which a data controller may lawfully process personal data. Personal data can only be collected and processed by the Engager on the basis of 6 (exhaustive) legal grounds: (1) Consent; (2) Contract; (3) Legal obligation; (4) Vital interests; (5) Public task; (6) Legitimate interests. 

Of those six legal grounds, three are relevant for the processing of performance data: consent, contract, and legitimate interests. Performance data may be processed with the consent of the performer. Consent must be clear, informed and freely given to form a valid ground under Article 6 or exemption under Article 9. Informed consent requires transparency about how, by whom and for how long their performance data will stored and processed by the Engager, and who will be given access to the data. This information should be given to the performer before the performer gives consent or forms the contract for which their data will be processed. This information is commonly included in documents known as ‘privacy notices’ or ‘data processing notices’, annexed to an agreement. However, where consent is bundled alongside other contractual terms, it is unlikely to be valid.

Data may also be processed if it is necessary to fulfil their contract with the Engager. ‘Legitimate interests’ is a more flexible basis for controllers and can even be used by third parties (e.g. those taking recordings from a public online repository). Where it is used, the controller must (1) identify the purpose of the processing; (2) demonstrate that the processing is necessary for that purpose; and (3) balance their interests against those of the performer. The balancing exercise must consider, for example, whether the data is particularly sensitive, whether a data subject is likely to find it intrusive, and the impact it is likely to have on the data subject, such as to their work and income. The data subject can object to the processing – see below for further detail. 

The UK Information Commissioner’s Office (ICO) has made clear in its recent consultation response that the often-relied-upon “legitimate interests” lawful basis is unlikely to apply to widescale text and data mining by AI companies where alternative data collection methods may be feasible.

Special category processing covered by Article 9 GDPR is subject to a higher level of protection. In this context, as well as a legal basis under Article 6, the data controller needs an ‘exemption’ under Article 9. The main and possibly only Article 9 exemption relevant to performance data is ‘explicit consent’. 

Performance data is likely to be collected and processed either with the consent of the performer, or by virtue of their contract with the Engager. 

If a performer is hired to appear in recorded media or broadcast, and the work is clearly scoped in advance, an Engager can legally process the performance data in a way which is necessary for the performance of that contract, and therefore clear to the performer when forming the contract. 

A performer’s contract that is specifically for making a film, TV programme or a radio show would not by itself amount to a lawful basis for the same engager to train an AI model or generate a digital replica with the same performance data. Where data processing is done by a third-party AI company, there is no contract between the processing entity and the performer which can be relied upon as a lawful basis. Where a content owner itself processes performance data for AI purposes, the question is whether the processing is necessary for the performance of the contract. The UK’s Information Commissioner’s Office (ICO) has made clear in its recent response to the consultation series on generative AI that: "For the creative industries, the contract lawful basis is very unlikely to apply as it is unlikely that an organisation is under a contractual obligation to use a creator’s content to train its generative AI."
 
If an engager wishes to rely on contract as a lawful basis to train an AI model or generate a digital replica, the contract would need to have as an express purpose the training of AI and provide for compensation for such uses.

As data subjects, performers have a range of rights. For example, you have the right to:

• Be informed about the collection and use of your personal data.
• Obtain a copy of your personal data, and other supplementary information such as “meaningful information about the logic involved” in automated decisions, from the Engager within a one-month period upon requesting it (known as a Subject Access Request,); 
• Object to processing where it is based on the legitimate interests of the controller; and
• have your data corrected or erased by data controllers in certain instances.

These rights are subject to conditions outlined in the UK GDPR. 

The right to object to further processing or have your personal data erased can be a powerful tool at performers’ disposal to constrain further use. Performers’ contracts in many sectors of the entertainment industry, including contracts for the creation of AI models, will often involve a ‘buy-out’ of all rights. This purports to give the Engager rights to use the performance data in perpetuity and for all media. In these cases, GDPR rights could be used by performers to remove a recorded performance or digital replicas made available to the public without their consent or withdraw consent if it was once given for this purpose.

The right to be informed is a key transparency requirement under the UK GDPR. Producers and engagers who are processing performers’ personal data must be open with them and provide clear and concise information about what they do with their data. For example, they should always explain the purpose and the lawful basis for the processing. Engagers should always explain how long they will keep the personal data for and the rights available to individuals in respect of the processing. More information about these legal rights can be found on the ICO website. 

The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Where the right to object applies and is used by a performer, the Engager can only continue processing if it has a compelling reason for doing so – a high standard. Where data is being processed unlawfully – for example because the Engager relies on consent which was not validly obtained, then the performer has the right to stop that processing.

UK GDPR introduces a right for individuals to have their personal data erased. This is also known as ‘the right to be forgotten’. The right is not absolute and only applies in certain circumstances. Performers can make a request for erasure verbally or in writing and Engagers have one month to respond to a request.

Erasure under Article 6

The ability for a performer to have their data withdrawn or erased will depend on how the data is processed. If personal data is processed based on consent (whether special category processing or not), the data subject (the performer) can: 

1. Withdraw their consent for processing the personal data at any time, without conditions or restrictions (per Article 7(3)); and
2. Request the erasure of the personal data held by the data controller (the Engager) (per Article 15(1))

If personal data is processed on the basis of contractual necessity, or ‘contract’, the data subject (the performer) cannot withdraw their consent, since the processing is not based on their consent. But erasure may be available if the processing is no longer (or was never truly) necessary for the performance of the contract. This requires looking at the true nature of the contract with the Engager. If it was to deliver a performance for one production, such as a TV episode or film, then further processing to create a general-purpose AI system would not be necessary for that contract. That’s true even if the contract has very wide wording about what the Engager can do: you need to look at the real subject matter of the contract. This may be more complicated than withdrawing consent but should not be overlooked.

If personal data is being processed on the basis of legitimate interests, then the performer can object to that processing under Article 21. Unless the Engager has ‘compelling legitimate grounds’ to continue, the processing must cease and erasure can be requested. As an example, a third party processing publicly available performance data for AI development is very unlikely to have ‘compelling legitimate grounds’ to continue processing if a performer objects.

It's therefore vital to identify the Engager (or other controller)’s legal basis early on. Look at your contract or the privacy notice provided to you to help you identify whether you have a route to seek erasure or stop future unwanted processing.

Erasure under Article 9 (special category processing)

The rules are different for special category processing. Here, it is very likely that the controller is relying on the ‘explicit consent’ exemption under Article 9. That explicit consent can be withdrawn by the performer without facing repercussion or limitations (such as the limitation of contractual necessity provided under Article 6 of UK and EU GDPR). 

Processing of voice, face or body data (like sound recordings, films or photographs, as well as digital prints, clones or synthetic performances) could be regarded as ‘special category processing’. Most AI models capable of reproducing the likeness of a performer (through ‘digital replicas’, ‘clones’, ‘face masks’ or ‘voice prints’), and their outputs, could also qualify as ‘special category’ biometric processing in the meaning of the UK GDPR. 

NB: Special category personal data (like performance data) manifestly made publicly available by the performer can be processed without the consent of the performer. This point may be relevant in the context of certain types of work like social media publications, ‘marketplaces’ or ‘performance libraries’. This specific provision will apply in limited circumstances and is excluded from the scope of this guidance.  

If personal data is processed on the basis of contractual necessity, or ‘contract’, the data subject (the performer) cannot access the right to withdraw their consent, to request the erasure of the personal data held by the Engager, or to request restricted processing (Article 17(1)(c)).

However, it is experts’ current understanding that a contract cannot be used as the basis to bar or block a data subject’s rights to withdraw ‘explicit consent’ to special category processing, if that is the exemption relied on by the data controller. We believe processing of performance data could fall in this category when it captures or reveals sensitive information about the performer such as their gender, racial or ethnic origins. 

Further, even if no special category processing is taking place, an Engager’s reliance on contract as the legal basis for processing may not be sound – see below.

There is a lack of case law clarifying ‘contract’ or ‘contractual necessity’ as the legal bases for processing, in particular as they relate to the voice or face data of professionals like performers. This means Engagers may initially push back on performers’ requests.

Unlike other rights conferred on performers, rights granted by GDPR are not transferable or waivable. While a performer may consent to the collection or processing of their performance data (or enter into a contract to that effect), this processing still needs to adhere to strict rules on informed consent, and data rights will survive valid consent being given or lawfully-formed contracts. 

The breach of personal data protection regulations is subject to sanctions and (in serious cases) financial penalties. The Information Commissioners’ Authority is the data protection authority in the UK. They write “Article 83(5)(a) states that infringements of the basic principles for processing personal data, including the conditions for consent, are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.” (Source: see the ICO website). Note that fines would not be paid to the performer, but to the Data Protection Authority. However, the fines act as a deterrent to block, limit or infringe personal data protection rights. Data rights can also be enforced through the courts, whether to secure compliance from a controller or to obtain compensation where rights have been breached in a way which caused damage.

GDPR can work hand-in-hand with intellectual property law and contracts to ensure agreements are respected by engagers. Performers often feel as though they are without recourse to enforce their contract against Engagers who do not respect pre-agreed terms because legal proceedings are too slow or expensive to access. Reporting Engagers for breach of GDPR to the relevant Data Protection Authority like the Information Commissioners’ Office in the UK is free and relatively easy, and can bring attention to the issue or leverage to a performer, where they may feel they have none. A breach of a performer’s license to use the recorded performance may also be a breach of the performer’s consent to process their performance data. 

If performance data (ie. a performance) is used and distributed by an Engager outside the scope of their agreement with the performer, this act could be an infringement of personal data rights. In this instance, the performer may rely on GDPR, as well as other legal grounds (intellectual property rights infringement, contractual breach) to negotiate redress with the Engager. In the event that negotiation fails, the performer can complain to the data protection authority to receive their opinion, which may generate leverage or momentum in the negotiation in favour of the performer. This is because Data Protection Authorities has the authority to issue fines upon entities calculated based on a percentage of their turn-over.