Why the worldwide localization industry should worry about GDPR

As published in the Reteller Magazine, October 2021 IssueWritten by Attorney Henri Leben, LEBEN AVOCATS, Paris.

The voice constitutes personal data, and it is strictly protected by the EU’s GDPR rules – meaning the localization industry should take notice as the authorities step up enforcement activities.

There are many things to worry about when dubbing a project, from selecting exactly the right voice actor through to delivering on deadline to the client.

Given the pressures to create top quality dubs, GDPR compliance might understandably not be high up on the list of concerns.

But they should be. Voice recordings – the heart of dubbing and voiceover production – are strictly protected by the European Union’s General Data Protection Regulation (GDPR) rules.

In effect since May 2018, GDPR is regarded as the strictest personal data privacy and security law in the world, and is the model for most worldwide data protection legislations. In fact, 66% of countries now have protection policies in place, and another 10% are in the process of enacting draft data legislation. 

GDPR is designed to protect an individual’s right to privacy, and considers as personal data anything that can be used to identify them. That includes the voice, which is considered biometric personal data, comparable to DNA and fingerprints.

One might be forgiven for not realizing this. According to a 2019 Mediartis survey, 82% of French people are unaware that their voice constitutes personal data in its own right. This is despite the voice increasingly becoming central to tech innovation with the rise of voice assistants, AI voice generators, or the recording of phone calls on customer service platforms.

For the localization industry, GDPR means that all workflows involving the storage or exchange of audio samples that can be used to identify individuals fall under GDPR compliance.

For example, any localization firm or voice director with a voice casting database that includes names and addresses and voice samples – which may have been compiled over years before the current legislation came into effect – is now subject to GDPR. The samples in the database might have been sent in by actors or agents, saved from past projects, downloaded from casting platforms, or shared by studios and voice directors. No matter – this voice data is covered by GDPR. The legislation is applicable right across the media and entertainment industry, spanning the dubbing and voiceover efforts of those working in advertising, through to film, TV, and video games, audiobooks, etc.

Even though most actors want to be referenced in casting databases so they stand a chance of being selected for a project, their personal data must be processed in compliance with GDPR.

Making things more complicated, there are always many stakeholders involved in casting a project. From creators through to agents and suppliers, they all rely on the exchange of voice samples to choose which actor suits the character for each language.

However, the entire production chain is considered ‘co-responsible’ for the compliance of all project stakeholders, so any breach at any step of the process can put the entire work chain at risk. It means that creators can be affected if contractors are not compliant, and vice versa.

No matter where they are located, any organization or individual who processes data related to people in the EU falls under the reach of GDPR legislation. This not only includes EU data originating from and delivered within the EU, but also EU data transiting to non-EU countries and non-EU data transiting to or through the EU.

Given that publishers, intermediaries and studios are located all over the world, it means it is impossible to control where samples or personal data will be sent or heard, or how they will be  processed. As a result, GDPR is truly a ‘Trojan Horse’ for the entertainment industry. It shouldn’t be considered an EU issue, but rather a critical worldwide concern.

GDPR legislation allows the EU’s Data Protection Authorities to issue fines of up to €20 million ($24.1 million) or 4% of annual global turnover (whichever is higher). Those who fall foul of the legislation can also be made to delete non-compliant data. As well as the financial impact of these sanctions, brand damage for penalized companies can be devastating. The companies likely to be recipients of the biggest fines are the final clients of a dubbing or voiceover project.  

For the GDPR’s first 18 months, things were a little quiet. Although there were plenty of complaints and investigations, there were few fines. That has changed in the past year and a half.

Some EUR1.3 billion (about USD1.5 billion) of fines have so far been issued for a wide range of infringements, according to published sanctions on the European Data Protection Board and Data Legal Drive platforms.

With the exception of Luxembourg and Ireland, who recently issued record breaking sanctions against Amazon and WhatsApp, France’s regulator tops the rankings for aggregate fines having imposed more than EUR193 million (about USD228 million) since the application of GDPR. Germany, Italy and Spain follow with aggregate fines of EUR61 million, EUR42 million, and EUR18 million respectively. 

In total, there have been more than 281,000 data breach notifications, with Germany (77,747), The Netherlands (66,527) and the UK (30,536) topping the table for the number of data breaches notified to regulators, according to international law firm DLA Piper.

In one high profile case, the British tax authority – HMRC – was found to be unlawfully processing the biometric data of around seven million customers through the use of a voice authentication system on its helpline. HMRC, and any of its suppliers who also processed the biometric data on HMRC’s behalf, were ordered to delete over 5 million customer records.

To avoid fines or having to delete databases, localization firms must fulfil a number of obligations to make sure they are GDPR compliant.

They must alert and gain consent from actors that their data is being processed. This should be 100% independent of work contracts. They must also communicate how the actors’ data will be processed, for what purposes, who they will share it with, and the duration of processing. This needs to be renewed regularly, more or less every two years, and for every modification, including when new samples are added.

Actors themselves also have specific rights. Say an actor wants to modify their data or delete a sample, then this must be carried out within 30 days. If an actor requests access to personal data, it has to be granted within 30 days.

The voice data itself must be kept securely, with access controls, and there is an obligation to ensure partner and vendor compliance.

It was against this background of extensive and extremely time consuming privacy obligations that Mediartis designed its automated voice-data GDPR solution for localization companies and independent studios worldwide.

Mediartis is a highly secure cloud platform that offers voice casting tools as well as automated GDPR compliance. Put simply, the platform allows companies to improve their casting workflows while protecting them and their clients from GDPR non-compliant risks.

“Mediartis is tackling an important and often overlooked compliance issue,” says Chris Fetner, Managing Director of the Entertainment Globalization Association, which Mediartis joined earlier this year as a bronze sponsor.

The Mediartis voice casting platform was created by industry specialists Mobilis Pro. Founded in 2014 and led by CEO Cécile Limal, Paris-based Mobilis Pro provides solutions to more than 700 production companies and studios for the voice casting phase of their dubbing and voiceover productions.  It also runs the voice talent platform Voxing Pro, a union- and agent-friendly voice casting platform that offers free access to a curated selection of 1,300 leading voice talents.

Working closely with production companies, Mobilis Pro started to feel the impact of GDPR even before the legislation came into effect as many of its clients began raising concerns about the looming impact of GDPR on voice usage in dubbing production.

The Mediartis platform was born as an organic response to these GDPR concerns, and in consultation with several legal firms specialized in GDPR, audiovisual, intellectual property rights, and distribution.

Designed for private dubbing casting databases and scalable for companies of all sizes, Mediartis provides secure private clouds for customers to upload their casting assets and access tools to automate voice-data GDPR compliance, create and collaborate on projects, and deliver branded projects to clients.

Mediartis voice database GDPR compliance overview
Mediartis GDPR compliance overview
Mediartis voice actor CRM and media library
Mediartis voice actor CRM and media library
Mediartis branded client casting

“The processing of voice data is a common and dangerous oversight in the GDPR and data protection strategies of Entertainment and Media companies,” says Mobilis Pro CEO Cécile Limal. “Audio departments process and store high volumes of voice assets for dubbing and voiceover projects, but they are rarely entered into structured compliance workflows. Mediartis has been created specifically for dubbing and voiceover service providers to ensure they are fully compliant with GDPR and provides added value with innovative casting tools.”

The platform automates primary GDPR obligations. For example, when users upload a new sample or actor contact information to their private cloud, an automatic consent workflow is triggered.  This gives the actor a one-time use access link to access their encrypted data so they can review their data, and grant consent to it being processed. It also allows actors to request modifications or to refuse the processing of their data. Crucially, none of the data can be downloaded or transferred.

Mediartis clients include Keywords Studios, which provides services to many of the world’s leading video game companies. Alessandra Vincenzi, Audio Localization Head of Division, says: “We chose Mediartis and their tools to help our recording studios become the most secure and efficient in terms of personal data protection and GDPR compliance”

Video game publisher Bandai Namco is another Mediartis user. “We require full GDPR compliance from our suppliers and receive all of our voice castings via streaming on Mediartis,” says Bandai Namco’s European Localization Supervisor Franck Genty. “It’s pleasant, easy, efficient to use, and guarantees us full compliance with personal data legislation standards.”

As EU authorities step up their actions to enforce GDPR compliance, all companies in the localization industry should be aware of their obligations when processing voice data – and ensure that they are operating within the rules. Given the complexity of the task, it’s little wonder that a platform like Mediartis is gaining traction within the industry.

Share This Post

More posts