SXSW South by Southwest Conference

As some of you already know, South by Southwest ®(SXSW) is one of the world’s premier events showcasing music, film and interactive media. This internationally-recognized event has live panels, special events, cinema and combines entertainment and educational activities in a conference and festival atmosphere.  The event takes place annually in Austin, Texas in the United States – this year between March 8th and 16th, 2024.

I have made a proposal to participate by making a presentation entitled “Legal Implications of AI: The Good, the Bad and the Ugly” and voting by the online community is now live!  That allows the public to help the organizers decide on ideas that are the most creative, innovative, and relevant for 2024.  Starting today and until August 20th (11:59 PM PT), you can see my proposal and vote using this link: Legal Implications of AI: The Good, the Bad and the Ugly.  I hope you will vote to include my presentation in the event.

My objective is to make the presentation interactive and entertaining, including some potentially innovative uses of AI to make the point. What do I want to talk about? First, how does current law deal with the film, television, music, art, literary industries – what are the challenges and the opportunities. Second, how can celebrities, sports figures, creative artists and talented professionals protect themselves while also exploiting the evolving technology. Of course, last but not least, is it too soon to start regulating AI? If so, what are we waiting for? If not, how do we even suggest regulation when we can’t predict where we are going?

I won’t pretend to have all the answers, but I will try to provide an enlightening, stimulating and thought provoking presentation – and yes, entertaining!  Again, I would appreciate your vote:  Legal Implications of AI: The Good, the Bad and the Ugly.

New York Post-Mortem Right of Publicity Signed into Law

Following up on our posting about rights of publicity in New York State (New York Moves to Expand the Right of Publicity), on November 30, 2020, Governor Cuomo signed S. 5959 into law and New York has finally joined the growing list of States in the United States to adopt and allow the enforcement of a post-mortem right. The legislation, which takes effect 180 days after it was signed (i.e., it only applies to individuals who die on or after that date), adds a new Section (50-f) to the New York Civil Rights Law entitled “Right of publicity” and deals with two categories of deceased persons: “deceased personalities” and “deceased performers.”

The new law in New York applies to deceased persons domiciled in New York State at the time of their death and creates a right of action for the use of names, voices, signatures, photographs or likenesses of “deceased personalities” for commercial purposes without consent and that right extends for 40 years after their death. The law defines a “deceased personality” as an individual “whose name, voice, signature, photograph or likeness has commercial value at the time of his or her death or because of his or her death”. Anyone claiming to represent these rights must register with the New York Secretary of State before making any claim. There are a number of exceptions to prohibited uses, so it is important to read and understand the statute carefully.

In deference to the world of virtual reality, the new law also provides a damage remedy for using a “deceased performer’s digital replica” in a “scripted audiovisual work as a fictional character” or in the “live performance of a musical work” without consent when the use “is likely to deceive the public into thinking it was authorized.” The law defines: (i) a “deceased performer” as someone who “for gain or livelihood was regularly engaged in acting, singing, dancing, or playing a musical instrument.”; and (ii) a “digital replica” as a computer-generated, electronic performance “that is so realistic that a reasonable observer would believe it is a performance by the individual.”

There are also a number of important exceptions to the prohibited uses enumerated in this portion of the new law, and also allows for “a conspicuous disclaimer” that appears in the credits of a scripted audiovisual work and corresponding advertising making it clear it has not been authorized.

For completeness, I should note there is also a section providing for a private right of action for unlawful “dissemination or publication of a sexually explicit depiction of an individual.” This relates to works that have come to be known as “deepfakes,” distributed without approval and although these might also be considered a “digital replica”, the law distinguishes the two categories and makes it clear consent is required and a disclaimer that otherwise might apply to digital replicas is not sufficient.

As you can appreciate, rights of publicity have often been the subject of controversy beyond the financial implications. For example, how does the law characterize a company’s creation and use of the likeness of an athlete or musician in a video game where the company may argue there is a First Amendment right of free expression – inconsistent with the rights of publicity. Again, the law is not always settled and the jurisdiction applicable to the deceased, the rights and the subject matter may well determine the outcome of any legal action. What about so called “industrials” in the entertainment business (e.g., content such as fitness and workout videos, dance instructional videos, company training content or instructions on product use and repair). Since these may not be characterized as either an advertisement or a product, it may not be clear if and how the law will be applied and certainly the answer will depend on these same jurisdictional factors.

For those of you who want context to the right of publicity, one of the first cases to deal with a post mortem right of publicity is the case involving Elvis Presley, whose brand even today is valued in the hundreds of millions of dollars. In this case (Estate of Presley v. Russen, 513 F. Supp. 1339 (D.N.J. 1981)) the court held that the right of publicity evolved from the common law of privacy and the corresponding tort “of the appropriation, for the defendant’s benefit or advantages, of the plaintiff’s name or likeness.” The term “right of publicity” has since come to signify the right of an individual to control the commercial value and exploitation of his name and picture or likeness and to prevent others from appropriating this value for their commercial benefit without their consent. This marks an interesting shift from the right of publicity being viewed as a personal right into a property right that can be exploited after a person’s death.

You can download and read a copy of the final bill here: New York State Rights of Publicity Bill S5959D Final. Of course, if you need more information about this post or have any questions, feel free to contact me Joe Rosenbaum or contact any of the Rimon Law professionals with whom you regularly work.

California CPRA – CCPA 2.0

On Election Day in California, voters will not only be determining choices among candidates standing for election, but they will also be deciding the fate of Proposition 24, referred to as the California Privacy Rights Act (CPRA).  Proposition 24 is intended to build upon the California Consumer Privacy Act (CCPA) that came into force at the beginning of 2020. Among other things, the CPRA would create a California Privacy Protection Agency, a new regulatory agency that would ultimately take over privacy enforcement responsibility from the Office of the California Attorney General.

Among the areas that would be affected by the CPRA would be a clear ban on discrimination against anyone choosing to ask a company to delete their information and opt-out of marketing communications, stronger rights to prevent data sharing by companies (e.g., cross-context behavioral advertising), clearer mechanisms to enable consumers to correct information that is not accurate and a requirement that companies tell consumers how long they plan to retain the information.

Proposition 24 would also legitimize marketing and promotional schemes that offer consumers a discount or access to benefits in exchange for voluntarily disclosing personally identifiable information (e.g., in the context of rewards or loyalty programs).  Privacy and data protection proponents and opponents have long debated whether consumers should have an option to pay for privacy – viewed as a logical consequence of offering benefits in exchange for information that can be used for marketing and promotional purposes.

Since the CCPA came into force, companies have already been scrambling to comply.  If Proposition 24 passes and CCPA 2.0 comes into force, companies will again have to review and likely revamp their policies and practices to deal with the added new compliance obligations. Just as significantly, a separate California Consumer Privacy Agency would likely end up brining many more enforcement actions since protecting the privacy rights of California consumers will be its only mission.  Proponents of Proposition 24 say that may well be a good thing for California consumers, but they also argue that an agency solely focused on data protection will also mean more clarity, consistency and guidance surrounding some of the nuances of the California requirements.

Stay tuned. Election day is only a week away.

New York Moves To Expand the Right of Publicity

As New York law currently stands basically the only right of publicity that is recognized in New York is the right to prevent appropriation of a living person’s name or likeness (e.g., portrait, picture, image) for commercial purposes.  A violation of the law can have both criminal and civil consequences, although only civil actions currently include the misappropriation of ones’ “voice,” in addition to names and photographs. New York courts have also allowed claims based on the use of look-alike models (Onassis v. Christian Dior-New York, Inc., 472 N.Y.S2d 254 (N.Y. Sup. Ct. 1984)).

New York does not recognize any common law right of publicity (Stephano v. News Group Publications, 474 N.E.2d 580 (N.Y. 1984)). Consequently all New York rights of publicity are purely creatures of statutory law.  Of interest in recent years is the fact that unlike over 20 other States in the United States and many jurisdictions internationally,* New York has never recognized any post-mortem rights of publicity. In other words, only living New York persons have any right of publicity and those are governed exclusively by statute!

Well that may change if and when New York State Governor Andrew Cuomo signs a bill recently passed by both houses of the the NYS legislature and although the bill differentiates between “deceased personalities” and “deceased performers,” if signed into law it would broaden the current law and create a new transferable (and inheritable) right that would protect those rights of publicity after death – rights that would last for 40 years after the death of the individual.

This new legislation is likely to have implications to performers, celebrities and others who are domiciled in New York, as well as to advertisers, advertising agencies and sponsors, among others.  Once the bill is signed into law, watch for updates on Legal Bytes for more detail. In the meantime, if you have questions or want more information, feel free to contact me, Joe Rosenbaum or any of the Rimon lawyers with whom you regularly work.

* Note: In some jurisdictions, rights of publicity are referred to as “personality rights” and one should never assume these rights are identical in scope or effect.

 

Brazil Adopts Comprehensive Data Protection Law

Katie Hyman, Partner

Brazil’s Lei General de Proteção de Dados (“LGPD”) officially came into effect on Friday, September 18 2020. This Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, was published on August 15, 2018, is heavily influenced by the EU GDPR and is Brazil’s first comprehensive framework regulating the use and processing of personal data. Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation.

The LGPD applies to businesses of all sizes, with only a few listed exceptions, such as where data are collected for artistic or academic purposes, or for national security and public safety. It will apply when data is collected or stored in Brazil or where data is processed for the purposes of offering goods or services to individuals in Brazil.

The LGPD defines “personal data” broadly: it means any information regarding any identified or identifiable natural person, including data that could be aggregated to identify a person. The general principles underlying the LGPD are set out in Article 6, and these will be used by the Brazilian data protection authority to determine a company’s compliance with the law. The principles are purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability.

In line with these principles, the rights of the data subject are set out in Article 18, and these are very similar to those in the GDPR, including access to data, correction of inaccurate data, portability, deletion of data processed with consent, information about entities with which the controller has shared data, information about the possibility of denying consent and revocation of consent.

Companies are required to report data protection breaches to the local data protection authority, but no deadline for reporting is included in the LGPD. Guidance on this is to come from the data protection agency, which is yet to be established. Companies that violate the LGPD can be fined up to 2% of the revenue of their organization, up to a total of R$50 million (approximately US$9 million) per violation. However, penalties for infractions will only start to be applied from August 1, 2021.

An official English translation is not yet available, but the IAPP has provided a translation and you can read it here: Brazilian General Data Protection Law.

If you want more information about this article feel free to contact Katie Hyman or me, Joe Rosenbaum or any of the Rimon lawyers with whom you regularly work.

Swiss-US Privacy Shield

In July, we reported that the EU Court had invalidated the viability of the US-EU Privacy Shield (EU Invalidates the Privacy Shield . . BUT Says Contracts May Save the Day!).  A few weeks ago (September 8, 2020), the Swiss Federal Data Protection and Information Commissioner (FDPIC) also decided to remove the United States from a list of nations that are considered to be providing “adequate level of data protection.”

Unlike the EU Court’s decision, decision by the Swiss FDPIC does not automatically invalidate the applicability of the Privacy Shield, because the list of countries on or off the list is technically not legally binding. That said, if your company is relying on the Swiss-US Privacy Shield to continue to transfer data from Switzerland to the United States, it would not be prudent to assume these transfers will continue to be viewed as complying with the adequate protection standards under Swiss law.  It seems to make sense to re-assess the risks and start relying on corporate policies and regulations, as well as legally binding contract clauses to ensure they are consistent with Swiss data protection law.

Even when the company policies and contract provisions are properly constructed, there still remains the risk that even these protections may be considered inadequate.  For example, if local authorities have the right to obtain the data without safeguards and legal protections consistent with those required under Swiss regulation, the transfer may be considered in contravention of Swiss law.  Similarly, if the entity to which the data is being transferred is not legally obligated, for any reason, to cooperate with the enforcement requirements that may apply under Swiss law this too creates a problem.  While encryption technology exists that can ensure no personal data can become available in another country, that approach only makes sense for pure storage capability (e.g., cloud based storage) but NOT if the data is intended to be used, displayed or otherwise handled in another nation.

While further guidance and information may ultimately be promulgated by the FDPIC, at present, a review of current procedures and data transfers, the exercise of caution and consideration of implementing additional steps to deal with this development in Switzerland, as with the EU Court decision, seems to be a prudent course of action.

At Rimon Law, our professionals are available to answer question about these developments, so feel free to contact me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work for information about this or any other matters.

EU Invalidates the Privacy Shield . . BUT Says Contracts May Save the Day!

Today (July 16, 2020), the EU Court of Justice, (the EU’s highest court) struck down the validity of the Privacy Shield – a mechanism that well over 5,000 U.S. companies have been using and relying upon in order to legally justify the transfer of personal data across the Atlantic into the US.  This same court had previously invalidated the “Safe Harbor” protocol, concluding the Safe Harbor failed to adequately protect privacy rights of EU citizens, since it accorded law enforcement in the United States priority over the rights of EU citizens – permitting law enforcement virtually unrestricted access to the data.

This new case began when Max Schrems, an Austrian privacy advocate, complained to Irish data protection regulators that Facebook’s reliance on standard contract clauses to permit data being transferred from the European Union to the United States did not provide adequate protection. Schrems argued that it didn’t prevent intelligence officials and other third parties in the United States from getting at the information. The Commissioner at the Irish Data Protection Authority took the complaint to Ireland’s high court and they referred certain questions regarding the validity of standard contractual clauses to the EU Court of Justice. Although Schrems’ complaint never raised the Privacy Shield issue, it was raised in oral argument before the court, opening the door for the court to include it in their opinion and decision.

While the European Court invalidated the Privacy Shield, it didn’t buy Schrems’ argument that standard contractual clauses should be deemed invalid as a matter of EU law or regulation. They basically said that standard contract clauses could be among the “effective mechanisms” if they required both sides involved in the transfer to ensure information is accorded the equivalent level of protection as required under EU law. They went on to note that the parties should not use those clauses if they can’t comply with that requirement.

As a result, while neutering the Privacy Shield, they did uphold the validity of the use of standard contractual clauses to legally move personal information outside the European Union, if these clauses were effective in providing the same level of privacy protection as the EU requires.

The case is Between the Data Protection Commissioner and Facebook Ireland Ltd. and Maximillian Schrems (Case Number C-311/18) and as always, if you have any questions or need more information about this posting, feel free to contact me, Joe Rosenbaum, or any of the lawyers at Rimon with whom you regularly work.

Unsung Cyber Hero Adventures

On June 4, 2020, Steven Teppler and I (Joe Rosenbaum) were guests of Gary Berman, host of “Unsung Cyber Hero Adventures”.  You can watch the entire interview “The Judicial System & Cybersecurity” and many more on his “Unsung Cyber Hero Adventures” TV Network!

There is also a comic series and you can find out more by looking at  The CyberHero Adventures: Defenders of the Digital Universe.  The comic series, the streaming interview series and much more are all the brainchild of Gary L. Berman, a career marketing consultant and entrepreneur whose company – and the families it supported – fell victim to a prolonged series of insider cyber attacks.  Feeling powerless, Gary decided to educate himself about cybersecurity, attending conferences, listening to podcasts and learning from the real heroes, the cybersecurity experts in law enforcement, government, education, and business.

Crisis Management at the Intersection of Marketing, Privacy, Security and Reputation

For those of you interested and available, on Thursday, April 23rd at 1 PM ET, Joe Rosenbaum, NY Partner at Rimon Law and chair of Rimon’s Global Alliance will be conducting a one hour seminar entitled Crisis Management at the Intersection of Marketing, Privacy, Security and Reputation touching on some of the current issues in marketing, privacy, public relations, cybersecurity & reputation management arising from the COVID-19 pandemic.

While the issues raised may well apply in many crisis situations, now, more than ever, as increased numbers of people are working, schooling and playing at home or at other remote locations, the value of online and mobile advertising and promotions has increased substantially. At the same time, the amounts of information being made available by people scrambling for information, trying to keep up with breaking news, and signing up for online, digital services and information, present legal challenges for compliance with both old and newly enacted privacy and data protection regulation. Not coincidentally, online and mobile scammers are seeking to capitalize on the growing number of inexperienced web surfing consumers and cyber criminals are using the opportunity to capture valuable personally identifiable as a result of lax or relaxed security measures. The inaccurate perception that strong security may be an obstacle to utility or speed and simply the increased number of inexperienced users accessing the Internet, provide fertile ground for exploitation. What you should know? What you can do? What you should be telling your clients and employees? What can we all do to help?

To register simply go to REGISTER: Crisis Management at the Intersection of Marketing, Privacy, Security and Reputation

The course is open to lawyers and non-lawyers, is approved for New York bar members who are eligible for 1 CLE credit per course through NY’s Approved Jurisdiction Policy and approved by the California State Bar for 1 hour of CLE credit.  Most other states recognize CA accredited courses and if you would like credit in any other state, please check your local state bar’s regulations.

California Consumer Privacy Act (CCPA)

Although amended twice (September 13th and October 11th of 2018) after its initial passage by the California State Legislature and being signed into law by Governor Jerry Brown in June of 2018, the California Consumer Privacy Act (California Civil Code Section 1798.100) (“CCPA”) becomes effective with the new year (January 1, 2020).

Although it is intended to protect and afford California residents with certain rights (in some areas, greater or somewhat different than the European Union’s General Data Protection Directive 2016/679), it affects non-profit entities that do business in California, and that collect personal information of consumers and either has annual gross revenues over $25 million OR buys or sells personal data of 50,000 or more consumers/households OR earns over half its annual revenue from selling consumer personal information.

If your organization fits into any of those categories, you are required to establish, put into place and maintain reasonable security procedures and practices to protect consumer data and to afford California residents the right to know what personal data is being collected about them; to know whether and to whom the consumer’s personal data is sold or disclosed; to refuse to permit the sale of their personal data; to access their personal information; and to ask you to delete personal information collected from them.  The law also prohibits discrimination against any consumer for exercising any of their privacy rights under the CCPA.

While many business have been busily amending their agreements with suppliers, service providers and likely have been presented updated and revised contracts with “CCPA” amendments in order to ensure those in the chain of collection, storage, handling, distribution and use are in compliance, if you do any business in or with California residents, don’t forget to update your privacy policies and any terms of use that apply to your websites, e-commerce and online/mobile presence generally.  Those sites, even those that do not require any registration or input directly from consumers, almost certainly will be collecting information that is covered by the broad definition of “personal information” under the CCPA.

If you would like to know more about the CCPA or have any questions about this post, don’t hesitate to contact me Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work.