Content localization has rocketed and dubbing and voiceover service providers are in higher demand than ever to deliver television series, films, cartoons, corporate videos, documentaries, advertising, etc. voiced with local flavour.
Language service providers are confronted with a multitude of operational and legal challenges as they continuously receive and deliver cross-border projects. Personal data is often involved and requires a good understanding and constant monitoring of market-specific protection laws.
Voice localization projects share a unique and potentially dangerous dynamic. Every project requires a continual exchange of biometric personal data that is protected by data protection laws worldwide – VOICE.
As voice related AI technologies continue to evolve, voice-data related risks have become a focal point of data protection supervisory authorities who are keeping their eyes on all industries handling voice data. European GDPR has brought voice-data to the center stage of global data protection discussions and the majority of worldwide legislations include voice-data protection articles.
The number of VOD platforms and supports diffusing localized voice content continues to multiply, the volume of circulating voice-data is extensive. If the voice-data is not correctly managed, it can be a virtual GDPR time bomb for the entire production chain, from suppliers and final clients alike, both financially and their brand reputation.
Voice Casting Databases… the Trojan Horse of Voice Localisation
If your company produces voice content of any kind, there is a good chance voice-data is circulating, non-secured and unmonitored, in different in-house departments. Actor lists and their voice samples are often kept on hand in “casting databases”, from which project managers and voice directors will pull samples for their casting projects.
New voice samples are added regularly to these casting databases, often collected from auditions, live-castings, voice directors, castings delivered by subcontractors, voice casting platforms… These databases are rarely cleaned and often contain thousands of voice recordings. Often, actors are not even aware they are referenced in a company’s casting database.
Even if samples were provided directly by voice actors, and it seems obvious they would want to be referenced in a casting database, European GDPR, and other data protection laws, require companies respect voice actor rights and process the data in compliance with data protection laws.
Navigating the complex labyrinthe of global data protection laws related to voice can be daunting, especially as this personal data is biometric and more strictly protected than “classic” personal data. Ever-evolving voice-data protection legislations keep localization service providers busy in keeping their strategies updated.
While most service providers apply their resources to the content voicing, there is a huge risk potential if resources are not also used for voice-data protection management which should be considered as a critical part of their business strategy. Companies should begin by assessing what policies, controls, staff training and checks and balances they have in place.
Voice-Data Circulation in Dubbing & Voiceover Production
Actor personal data is shared continuously by the entire production chain during the casting phase. Samples are shared internally and externally, and often sent by email. Once personal data is received, it must be managed to ensure it is deleted after the casting phase is completed, or if saved, it must be entered into structured compliance processing.
Who is responsible for the compliance?
Every project stakeholder is co-responsible for the compliance of a project. Unmonitored processing and sharing of data is dangerous for everyone involved, from the sub-contracted studio to the final client.
The company: When you share actor voice samples, you engage the responsibility of your company, as well as those who receive the data. What do you do with the samples you receive from your sub-contractors? What are the people you send samples to doing with them after the casting phase?
Sub-contractors: The company and their clients are co-responsible for the compliance of their sub-contractors. Is the data they are sharing compliant? Can they guarantee their compliance?
Final clients: They are often sent final castings via email. If they are unaware of voice-data GDPR related obligations, they are put at financial and brand reputation risk.
Who is Subject to GDPR?
➔ All European companies processing European data
➔ All companies outside of Europe working with European companies or processing European data
What casting scenarios are subject to GDPR?
The following summary of voice casting scenarios subject to GDPR is validated by Attorney Henri Leben of LEBEN AVOCATS in Paris, specialising in New Technologies, Privacy, Intellectual Property, Regulatory and Compliance, Distribution Networks and Video Games:
EU actor + casting delivered to EU company ➔ GDPR applies
EU actor + casting delivered to non-EU company ➔ GDPR applies
Actor outside of EU+ casting delivered to EU company ➔ GDPR applies
Actor outside of EU + casting delivered to non-EU company ➔ GDPR N/A
Voice-Data GDPR Obligations
The following compliance recommendations are based on GDPR obligations. GDPR is the strictest data privacy legislation in the world, and serves as a model for most data protection laws. Price Waterhouse Cooper – Switzerland recommends companies operating internationally implement solid GDPR strategies to respect the foundation of most global data protection laws and adjust for regional-specific specificities.
Data can only be processed for the purpose(s) specified when requesting consent, and not further processed in a manner incompatible with those purposes. Actors must be notified their data is being stored, processed and shared in the context of castings (article 13).
Duration of processing must be clearly communicated when requesting consent.
Valid Legal Basis for Processing
Organizations must have a valid legal basis for processing personal data. As voice is a biometric personal data, hence more strictly protected than “traditional” data, GDPR experts LEBEN AVOCATS strongly recommend using CONSENT as a legal basis for processing voice-data.
GDPR requires actor consent be :
➔ Freely given with access to transparent and explicit processing information
➔100% independent of work contracts and NDAs
➔Requested, recorded, and dated for every modification
CNIL – French GDPR Supervisory Authority
“The processing controller must be able to prove their consent requests were not contract-related – “free” consent” (GDPR articles 4 & 7)
Casting databases are active, and require ongoing compliance management
Actors should be reminded that their personal data is in the casting database and of the context it is being processed for.
Data Rectifications and Deletions
Data subjects (actors) have the right to request modifications, corrections and deletion of their personal data. These requests must be processed within 30 days of request. Once the request has been treated, a new consent is required in order to process the updated data. (GDPR articles 16 & 17)
Consent of use is not eternal and must be renewed regularly. GDPR expert Henri Leben at LEBEN AVOCATS in Paris, recommends renewing actor consent every two years, and also EVERY TIME modifications are made (ie actor profiles updated and/or new samples added).
GDPR calls for minimising the data being processed and companies need to makes sure they actually need, and have the right to process, the data they’re processing. Companies providing dubbing and voiceover services should resist the temptation to collect as many voice samples as possible from their actor pool, and conduct an assessment of the casting database to ensure that the recordings are pertinent and not outdated.
A fundamental obligation of most data protection legislations, is to ensure personal data risks are assessed and appropriately addressed with measured controls.
Is data access restricted to certain personnel? Specific departments? Is your network secure? Do you change passwords regularly? Are your teams sharing the personal data externally? How are your clients and sub-contractors managing the data?
Voice-Data Access & Portability
Organizations are required to make all voice-data accessible, samples included, upon request by both regulators and data subjects (voice actors) within 30 days of a request. This requires structured files and compliance monitoring.
Portability of personal data within the limits of other applicable rights (GDPR article 20).
When the data is correctly processed….
It takes approximately 1.25 hours / actor / year => 1,000 actors => 6 months full time
Aside from obvious risks such as brand reputation and client confidence, if a GDPR supervisory authority audits a company and finds they are non-compliant, they can:
- Require the company to render the data compliant and apply penalties
- Temporarily or permanently limit data processing
- Delete the data in question (2019 HMRC conviction – 5M voice recordings deleted)
- Apply fines of up to 10M€ or 2% of the annual turnover for breaches of “Privacy by Design” or “Privacy by Default” or up to 20M€ or 4% of the annual turnover (max of the 2) for any breach of data subject rights
- Create and make public a sanction named after the sanctioned company
Building a Compliance Strategy
Content providers who haven’t paid as much attention to voice-data protection as they should have might consider the following steps to tighten up their game:
- Carry out an audit to assess the disparity and analyse the disparity between the requirements of voice-data protection laws and voice production
- Define and integrate a rectification strategy with pertinent controls and staff training to ensure a data protection environment is active throughout the organization
- Test the effectiveness of the newly implemented compliance controls to confirm the objectives of the plan are successful
- Make certain the compliance framework is adequately robust with pertinent and efficient reporting to a senior position within the organization
- Stay updated on changes to voice-data laws and ensure production workflows and routes to client are regularly controlled with strong privacy impact assessments so that data protection risks are addressed by default