Posted on

New York Moves To Expand the Right of Publicity

As New York law currently stands basically the only right of publicity that is recognized in New York is the right to prevent appropriation of a living person’s name or likeness (e.g., portrait, picture, image) for commercial purposes.  A violation of the law can have both criminal and civil consequences, although only civil actions currently include the misappropriation of ones’ “voice,” in addition to names and photographs. New York courts have also allowed claims based on the use of look-alike models (Onassis v. Christian Dior-New York, Inc., 472 N.Y.S2d 254 (N.Y. Sup. Ct. 1984)).

New York does not recognize any common law right of publicity (Stephano v. News Group Publications, 474 N.E.2d 580 (N.Y. 1984)). Consequently all New York rights of publicity are purely creatures of statutory law.  Of interest in recent years is the fact that unlike over 20 other States in the United States and many jurisdictions internationally,* New York has never recognized any post-mortem rights of publicity. In other words, only living New York persons have any right of publicity and those are governed exclusively by statute!

Well that may change if and when New York State Governor Andrew Cuomo signs a bill recently passed by both houses of the the NYS legislature and although the bill differentiates between “deceased personalities” and “deceased performers,” if signed into law it would broaden the current law and create a new transferable (and inheritable) right that would protect those rights of publicity after death – rights that would last for 40 years after the death of the individual.

This new legislation is likely to have implications to performers, celebrities and others who are domiciled in New York, as well as to advertisers, advertising agencies and sponsors, among others.  Once the bill is signed into law, watch for updates on Legal Bytes for more detail. In the meantime, if you have questions or want more information, feel free to contact me, Joe Rosenbaum or any of the Rimon lawyers with whom you regularly work.

* Note: In some jurisdictions, rights of publicity are referred to as “personality rights” and one should never assume these rights are identical in scope or effect.

 

Posted on

Brazil Adopts Comprehensive Data Protection Law

Katie Hyman, Partner

Brazil’s Lei General de Proteção de Dados (“LGPD”) officially came into effect on Friday, September 18 2020. This Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, was published on August 15, 2018, is heavily influenced by the EU GDPR and is Brazil’s first comprehensive framework regulating the use and processing of personal data. Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation.

The LGPD applies to businesses of all sizes, with only a few listed exceptions, such as where data are collected for artistic or academic purposes, or for national security and public safety. It will apply when data is collected or stored in Brazil or where data is processed for the purposes of offering goods or services to individuals in Brazil.

The LGPD defines “personal data” broadly: it means any information regarding any identified or identifiable natural person, including data that could be aggregated to identify a person. The general principles underlying the LGPD are set out in Article 6, and these will be used by the Brazilian data protection authority to determine a company’s compliance with the law. The principles are purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability.

In line with these principles, the rights of the data subject are set out in Article 18, and these are very similar to those in the GDPR, including access to data, correction of inaccurate data, portability, deletion of data processed with consent, information about entities with which the controller has shared data, information about the possibility of denying consent and revocation of consent.

Companies are required to report data protection breaches to the local data protection authority, but no deadline for reporting is included in the LGPD. Guidance on this is to come from the data protection agency, which is yet to be established. Companies that violate the LGPD can be fined up to 2% of the revenue of their organization, up to a total of R$50 million (approximately US$9 million) per violation. However, penalties for infractions will only start to be applied from August 1, 2021.

An official English translation is not yet available, but the IAPP has provided a translation and you can read it here: Brazilian General Data Protection Law.

If you want more information about this article feel free to contact Katie Hyman or me, Joe Rosenbaum or any of the Rimon lawyers with whom you regularly work.

Posted on

Swiss-US Privacy Shield

In July, we reported that the EU Court had invalidated the viability of the US-EU Privacy Shield (EU Invalidates the Privacy Shield . . BUT Says Contracts May Save the Day!).  A few weeks ago (September 8, 2020), the Swiss Federal Data Protection and Information Commissioner (FDPIC) also decided to remove the United States from a list of nations that are considered to be providing “adequate level of data protection.”

Unlike the EU Court’s decision, decision by the Swiss FDPIC does not automatically invalidate the applicability of the Privacy Shield, because the list of countries on or off the list is technically not legally binding. That said, if your company is relying on the Swiss-US Privacy Shield to continue to transfer data from Switzerland to the United States, it would not be prudent to assume these transfers will continue to be viewed as complying with the adequate protection standards under Swiss law.  It seems to make sense to re-assess the risks and start relying on corporate policies and regulations, as well as legally binding contract clauses to ensure they are consistent with Swiss data protection law.

Even when the company policies and contract provisions are properly constructed, there still remains the risk that even these protections may be considered inadequate.  For example, if local authorities have the right to obtain the data without safeguards and legal protections consistent with those required under Swiss regulation, the transfer may be considered in contravention of Swiss law.  Similarly, if the entity to which the data is being transferred is not legally obligated, for any reason, to cooperate with the enforcement requirements that may apply under Swiss law this too creates a problem.  While encryption technology exists that can ensure no personal data can become available in another country, that approach only makes sense for pure storage capability (e.g., cloud based storage) but NOT if the data is intended to be used, displayed or otherwise handled in another nation.

While further guidance and information may ultimately be promulgated by the FDPIC, at present, a review of current procedures and data transfers, the exercise of caution and consideration of implementing additional steps to deal with this development in Switzerland, as with the EU Court decision, seems to be a prudent course of action.

At Rimon Law, our professionals are available to answer question about these developments, so feel free to contact me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work for information about this or any other matters.