As published in the Reteller Magazine – Written by Attorney Henri Leben, LEBEN AVOCATS, Paris.
The voice constitutes personal data, and it is strictly protected by the EU’s GDPR rules – meaning that all organizations processing voice data should take notice as the authorities step up enforcement activities.
There are many things to worry about when dubbing a project, from selecting exactly the right voice actor through to delivering on deadline to the client.
Given the pressures to create top quality dubs, GDPR compliance might understandably not be high up on the list of concerns.
But they should be. Voice recordings – the heart of dubbing and voiceover production – are strictly protected by the European Union’s General Data Protection Regulation (GDPR) rules.
In effect since May 2018, GDPR is regarded as the strictest personal data privacy and security law in the world, and is the model for most worldwide data protection legislations. In fact, 66% of countries now have protection policies in place, and another 10% are in the process of enacting draft data legislation.
GDPR is designed to protect an individual’s right to privacy, and considers any of their data that can be used to identify them as personal data. That includes the voice, which is considered biometric personal data, comparable to DNA and fingerprints.
For industries working with voice recordings, GDPR means that all workflows involving the collection and exchange of voice data fall under GDPR compliance and should be analyzed to ensure they respect the legislations requirements.
Voice casting databases, often maintained by production teams, include a lot of artists’ data (phone numbers, addresses, URLs, social security numbers, etc.), including voice recordings. Even if these databases were created before the GDPR came into effect, they are now subject to GDPR and must be processed differently that before. Whether or not the recordings were sent in by actors, agents, saved from past voice projects, downloaded from casting platforms, or shared by partner studios or voice directors, this data falls under GDPR’s scope. The legislation is applicable right across the Media and Entertainment industries, spanning the dubbing and voiceover efforts of those working in advertising, through to film, TV, and video games, audiobooks, podcasts, etc.
Even though most actors want to be referenced in casting databases so they stand a chance of being selected for a project, their personal data must be processed in compliance with GDPR.
Making things more complicated, there are always many stakeholders involved in casting a project. From creators through to agents and suppliers, they all rely on the exchange of voice samples to choose which actor suits the character for each language.
GDPR’s notion of compliance co-responsibility means that the entire supply chain is responsible for the compliance of all project stakeholders. Thus, a data breach anywhere in the chain puts all participating entities at potential financial and reputation risk, from agents to studios to final clients.
Another particularity of the GDPR is that the regulations are extra-territorial. Thus, no matter where they are located, any organization who processes the personal data of an EU resident falls under the reach of GDPR. This not only includes EU data originating from and delivered within the EU, but also EU data transiting to non-EU countries and non-EU data transiting to or through the EU.
Given that studios, production houses, publishers, advertising groups, brands are located all over the world, without a technological solution, it is impossible to monitor and control where voice data is sent and how it is processed. GDPR is truly a ‘Trojan Horse’ for the entertainment industry. It shouldn’t be considered an EU issue, but rather a critical worldwide concern.
GDPR legislation allows the EU’s Data Protection Authorities to issue fines of up to EUR20 million (USD24.1 million) or 4% of annual global turnover (whichever is higher). Those who fall foul of the legislation can also be made to delete non-compliant data. As well as the financial impact of these sanctions, brand damage for penalized companies can be devastating. The companies likely to be recipients of the biggest fines are the companies contracting dubbing and voiceover projects.
Some EUR1.3 billion (about USD1.5 billion) of fines have so far been issued for a wide range of infringements, according to published sanctions on the European Data Protection Board and Data Legal Drive platforms.
In one high profile case, the British tax authority – HMRC – was found to be unlawfully processing the biometric data of around seven million customers through the use of a voice authentication system on its helpline. HMRC, and any of its suppliers who also processed the biometric data on HMRC’s behalf, were ordered to delete over 5 million customer records.
Notable GDPR obligations include alerting actors their data is being processed and obtaining opt-in consent of use that must be recorded. Consent must be renewed regularly, more or less every two years, and also every time new voice recordings are collected. Contrary to what many industry professionals believe, consent must be 100% independent of work contracts and NDAs. Communicating precisely how the personal data will be processed, for what purposes, who it will be shared with, and the duration of processing are also important.
Actors themselves also have specific rights. Say an actor requests modifications or deletion of some or all of their data, an organization must carry out the request within 30 days or delete the data. If an actor requests access to personal data, this too mustex- be respected within 30 days.
The voice data itself must be kept securely, with access controls, and there is an obligation to ensure partner and vendor compliance.
It was against this background of extensive and extremely time consuming privacy obligations that Mediartis designed its automated voice-data GDPR solution for localization companies and independent studios worldwide.
Mediartis is a highly secure cloud platform that offers voice casting tools as well as automated GDPR compliance. Put simply, the platform allows companies to improve their casting workflows while protecting them and their clients from GDPR non-compliant risks.
“Mediartis is tackling an important and often overlooked compliance issue,” says Chris Fetner, ex-Managing Director of the Entertainment Globalization Association.
The Mediartis voice casting platform was created by industry specialists Mobilis Pro. Founded in 2014 and led by CEO Cécile Limal, Paris-based Mobilis Pro provides solutions to more than 1,000 production companies and studios for the voice casting phase of their dubbing and voiceover productions. It also runs the voice talent platform Voxing Pro, a union- and agent-friendly voice casting platform that offers free access to a curated selection of 1,600 leading voice talents.
Working closely with production companies, Mobilis Pro started to feel the impact of GDPR even before the legislation came into effect as many of its clients began raising concerns about the looming impact of GDPR on voice usage in dubbing production.
The Mediartis platform was born as an organic response to these GDPR concerns, and in consultation with several legal firms specialized in GDPR, audiovisual, intellectual property rights, and distribution.
Designed for private voice casting databases and scalable for companies of all sizes, Mediartis provides secure cloud-based workspaces for organizations to upload their casting databases and access tools to automate voice-data GDPR compliance, create, receive and deliver interactive and branded projects to clients. All features are available via API.
“Voice data management is rarely compliant with the GDPR in the Media and Entertainment industry”, says Mobilis Pro CEO Cécile Limal, “Audio services process high volumes of voice recordings for dubbing and voiceover projects, but this data is rarely entered into structured compliance workflows. We created Mediartis specifically for the dubbing and voiceover eco-system to ensure they are fully compliant with GDPR and our platform provides added value with innovative casting tools.”
The platform automates primary GDPR obligations. For example, when users upload new voice samples or create new actor profiles in their Mediartis account, an automatic consent management workflow is triggered. Actors are alerted that the organization is processing their data, in what context, and with whom the organization is sharing their data (on streaming only). Talents can exercise their primary GDPR rights directly on Mediartis: data review, consent or refusal of use, request modifications and deletions. Crucially, none of the data can be downloaded or transferred.
Mediartis clients include independent studios and multi-national groups such as Publicis Groupe (Prodigious) a leading multinational French communications group, and Keywords Studios who provides services to many of the world’s leading video game companies. Alessandra Vincenzi, Audio Localization Head of Division, says: “We chose Mediartis and their tools to help our recording studios become the most secure and efficient in terms of personal data protection and GDPR compliance”
Video game publisher Bandai Namco is another Mediartis user. “We require full GDPR compliance from our suppliers and receive all of our voice castings via streaming on Mediartis,” says Bandai Namco’s European Localization Supervisor Franck Genty. “It’s pleasant, easy, efficient to use, and guarantees us full compliance with personal data legislation standards.”
As EU authorities step up their actions to enforce GDPR compliance, any company handling voice data, whether in the Advertising, Video Game, or Media & Entertainment industries, should be aware of their obligations when processing voice data – and ensure that they, and their partners, are operating within the rules. Given the complexity of the task, it’s little wonder that a platform like Mediartis is gaining traction within the industry.