Category Archives: privacy law

She-Hulk v. Paparazzi

Today’s post was inspired by a question from the enigmatically-named Master182000, who recently reminded me that I hadn’t gotten around to it.  The question points to a 1985 John Byrne-era She-Hulk story (in Fantastic Four #275) in which She-Hulk is photographed while sunbathing on the roof of a tall building (maybe the Baxter Building).  The paparazzi used a helicopter to take the photos, the propellor wash of which blew away the towel she was covering herself with.  As Master18200 summarizes:

Later that day [She-Hulk] (in alter-ego form) and her friend track down the chopper, intimidate the pilot, and confront the photographer, who owns a tabloid called “The Naked Truth”. She confronts him, telling him since She-Hulk is a member of the SAG [as well as other show business unions] and images of her require her release before going to print. The photographer balks, claiming that She-Hulk is a ‘public figure’ and thus images of her are in the public domain and thusly don’t require She-Hulk’s release to print. He carries this argument forward until She-Hulk appears and crunches the photographer’s safe.

This led to the following questions:

1) Which party’s interpretation of the law is more accurate?
2) At what level of celebrity does a person lose 100% of their ‘media rights’ or become ‘public domain’ as the photographer suggests? Is this issue a settled matter at Federal law level or State law level?
3) Aren’t there issues with the way the pictures were taken? I don’t know much about aviation laws, but that chopper was pretty close to the building, close enough for She-Hulk’s clothes and stuff to be blown around.

I’ll take them one at a time.

I. So Who’s Right?

Well, technically neither of them.  There’s nothing special about being a member of SAG that would grant someone more rights than usual with regard to their image, unless SAG has negotiated an agreement with the other party (e.g. a movie studio).  Presumably the tabloid has no agreement with SAG or any other union.

On the other hand, public figures can still have an expectation of privacy, and the roof of a 30 story building, while somewhat exposed, is still a place where most people would have a reasonable expectation of privacy.  Furthermore, She-Hulk was covered up initially and only became exposed because of the close approach of the helicopter, which was intentionally done to blow away her towel.  The First Amendment wouldn’t protect that kind of action.

So She-Hulk is right in that the photographs can’t be published, but not for the reason she offers.

II. Public Figures, Invasion of Privacy, and the Right of Publicity

The notion of a person being a “public figure” mostly has to do with slander and libel, the standard for which for statements about a public figure is higher than for statements made about ordinary people.  Curtis Publishing Co. v. Butts, 388 U.S. 130 (1967).  As Chief Justice Warren described it in his concurrence, public figures are those who are “intimately involved in the resolution of important public questions or, by reason of their fame, shape events in areas of concern to society at large.”  Curtis Publishing, 388 U.S. at 164.  As between federal and state law, this is a federal First Amendment issue.

Is She-Hulk a public figure?  Maybe.  It’s hard to get a sense of just how famous any particular comic book character is within their own universe (with a few exceptions such as Superman).  But even if she were, that would only matter for purposes of libel and slander.  And as the sleazy tabloid owner said, the pictures are accurate depictions of what happened, so truth might well be a defense to any libel or slander claim anyway.

But that’s not the claim She-Hulk should be bringing.  What she should be claiming is invasion of privacy (which, when it involves nudity, is a crime in many states) and violation of her right of publicity.  These would be state law claims.  All of this would be sufficient to claim significant damages if not prevent publication of the photos outright (although the courts are pretty loathe to engage in censorship).

III. Aviation Laws

Nowadays the regulations regarding helicopter flights in and around Manhattan are fairly strict.  There are no-flight corridors, weekend bans, and other rules.  But these are mostly new developments, often in response to noise concerns.  Thirty years ago things were a little more free-wheeling, as far as I can tell, and private helicopters may well have been free to more or less buzz buildings.  Of course, had been an accident it would likely have been very easy to establish the tabloid’s negligence or recklessness.

IV. Conclusion

In the US the paparazzi can get away with a lot because of the stringent protections of the First Amendment.  But (perhaps unsurprisingly) ambushing someone with a helicopter in a private space and forcibly removing their clothing is beyond the pale.  She-Hulk (as attorney Jennifer Walters) could probably have succeeded in court where She-Hulk (as She-Hulk) failed using traditional Hulk methods.  In the end, the pictures were published anyway, but the developer messed up the skin color so that the pictures didn’t look like She-Hulk.  A court case might have meant a more satisfying result.  At the very least the damages award (and possible criminal sanctions) might have driven the tabloid out of business.

Powers: Little Deaths

The third major story in Powers is entitled “Little Deaths.” It has to do with the investigation into the death of a superhero known as “Olympia,” discovered dead, and completely naked, in a crappy apartment in a seedy part of town. This story lends itself to a discussion on the issue of superheroes and privacy rights. James wrote a four-part series on privacy rights (1, 2, 3, 4) in December 2010, and we had a pair of guest posts on the related right of publicity (1, 2) in late 2011, but I don’t think either of us have come across another story that touches on these issues so directly.

Definite spoilers within, and almost right away. Like most of the Powers stories, this is a murder mystery, but it’s hard to talk about some of the legal issues without giving it away. If you haven’t read it and want to preserve the sense of surprise, go read it and check back. You have been warned.

Also: This story is a little on the racy side. We’re a family blog, but this post is basically a legal analysis of the public disclosure of allegedly private facts, specifically details of superheroes’ sexual histories. If that isn’t something you want to read about, maybe skip this one. Continue reading

Superhero Journalists Revisited

You may recall our previous post about superhero journalists Clark Kent and Peter Parker, which discussed how copyright affected them differently as an employee and an independent contractor, respectively.  Well the times they are a changin’, and Clark Kent quit his job at the Daily Planet in Superman #13 to become a blogger.  This will have more than a few legal consequences for Kent, some of which we’ll touch on today and some of which will have to wait for a future post.

I. Intellectual Property

As an individual Kent will either be working as a freelancer, selling stories to companies like the Huffington Post, or he may publish stories himself.  Regardless of which business model Kent chooses, he’ll also have to choose a form of business association (corporation, LLC, etc).  Basically, he could either choose some sort of corporation, or he could operate a sole proprietorship.  The latter is easier, but it’s also riskier (more on that later).

With regard to IP, the different kinds of business association give him some options.  For example, he could be an employee of a corporation, in which case the copyright in his works would be automatically owned by the corporation, just as they were owned by the Daily Planet when he worked there.  Or, if he wasn’t an employee then he could assign those copyrights by contract.  And if he chose not to incorporate, then he could retain ownership of the copyrights as an individual.

One practical effect of this choice will come into play when contracts with publishers are signed.  If Kent’s company owns the copyrights (either automatically or by assignment), then the company will be the one selling the stories, which entails either assigning the copyright to the publisher or granting the publisher a license.  If Kent operates as an individual, then it’ll be Kent selling the stories directly.  Either way it’ll probably be Kent signing the contracts, since he’ll be his company’s sole employee/shareholder/member.  The difference will be whether he signs it something like “Clark Kent, Manager, KentCo LLC” or just “Clark Kent.”

So what’s the point of all of this?  Why would Kent bother setting up a company, especially if he’s going to be the only employee or if it won’t even have any employees?  The answers are, as they so often are in the law, liability and taxes.  Taxes will have to wait for a future post, but let’s take a brief look at liability.

II. Liability

As a writer working alone, Kent probably won’t have to worry too much about some of the common sources of liability for companies, such as products liability or workplace injuries.  But he will have to worry about suits for defamation, invasion of privacy, and related torts.  To a certain extent these risks can be insured against, and it’s usually part of commercial general liability insurance, but there are limits to what insurance will cover.  If Kent intentionally defames someone or (more likely) intentionally invades their privacy, then an insurer isn’t going to cover that.  This is where the liability protection of the corporate form comes in to play.

Basically, the way this works is that the plaintiff could sue Kent’s corporation or company but not Kent himself as an individual.  This means that the corporation’s assets would be vulnerable in the suit, but not Kent’s personal assets.  There are some exceptions to this general rule, however.  Sometimes a plaintiff can “pierce the corporate veil” and sue the employees or directors and officers of the corporation as individuals.  There are several reasons why this can happen, but some of the most common are when the corporation is just an “alter ego” of the individual (i.e. they aren’t really distinct entities) or when the corporation is under-capitalized (i.e it doesn’t have nearly the assets it should given the kinds of risks it undertakes).  Both of these are potential issues for a one-person corporation or LLC.  Kent will have to be careful to observe the corporate formalities, avoid commingling personal and corporate assets, and maintain adequate capital in the company.

If Kent decides not to incorporate but instead operate a sole proprietorship or even act as an individual, then he won’t have this benefit.  He could be named in the suit as an individual and his assets would all be up for grabs, subject to the limitations of bankruptcy.  Incorporation has some upfront costs and requires some effort to maintain, but it beats being on the wrong end of a million dollar damage award.

III. Conclusion

So far there haven’t been a lot of details in the comics, but it’ll be interesting to see where this part of the Superman story goes.  Clark Kent’s work at the Daily Planet has been an iconic part of the character for decades.  “Clark Kent, mild-mannered blogger” doesn’t have quite the same ring to it.

Cerebro and Privacy Laws

The X-Men movies feature Professor X’s Cerebro device, which amplifies the power of telepathic mutants, allowing them to find other mutants anywhere in the world.  In X-Men: First Class, Professor X and Magneto collaborate with the US government to assemble a team of mutants.  Although the movie is set in the early 1960s, Cerebro (nowadays called Cerebra) is also used in stories set in the modern day.  What’s more, it’s used to collect information on mutants around the world.  This caught the attention of Law and the Multiverse reader Mathias Ullrich, who wrote a great guest post on the subject using First Class as an example:

A data-protection consideration of Prof. Xavier’s recruiting methods according to German law

When reading the article about the responsibility of Prof. Xavier as the principal of a full time school some weeks ago, I started wondering about Prof. Xavier’s way of recruiting. As a data protection officer in Germany, my attention turns to data protection concerns.

As I’m not so familiar with the X-Men, I’ll stick to the movie X-Men: First Class. To analyze the whole process, I divide it into the different relevant steps:

1) data acquisition by telepathy

2) merging the data with another database (e.g. the CIA database) in order to get real addresses

3) offering specific services

4) deletion / blocking of the personal data

Some basics about the German data protection law: The German implementation of the European Data Protection Directive (“Directive 95/46/EC”) is one of the strictest implementations in Europe and is probably the strictest data protection law in the world. It’s called the “Bundesdatenschutzgesetz” or BDSG in short. In general it says that data processing of personal data is forbidden, unless there is an authorization of it in either the BDSG or other laws. So every data acquisition and processing needs an authorization.

Is German law applicable?

The first question we need to answer is if German law applies, when somebody in the world is acquiring customer data. The answer is quite simple: if there is an acquisition of personal data from German citizens, then German law can be used. This is similar to the discussions regarding Google Analytics or Facebook.

What kind of organization are the X-Men?

As stated in a recent blog post, Xavier’s School is a private school.

Step 1: the acquisition

When Professor Xavier searches for mutants, he is gathering data about the health status and some other information about potential students. Health status is one of the so-called “special kinds” or sensitive kinds of personal data according to §3 Abs. 9 BDSG, alongside racial and ethnic origin, political or religious belief and some more.

Acquiring and processing these kinds of personal data has some special rules. As said before, the German data protection law forbids unauthorized data processing, so we need to find permission.

From the reaction of the mutants visited by Magneto and Professor X, I assume none of them gave permission for acquiring the data. So I would also say that Professor X did not inform the people concerned about the concrete use of the data. This is mandatory. It is illegal to acquire data without the knowledge of the person concerned (§33 Abs. 1 BDSG).

Let’s go back to the acquisition. In §28 Abs. 6f and 9 BDSG we find the exceptions.

It’s possible to acquire these data without an explicit permission, if

– it is vital to the person concerned and he / she is not able to give the permission (§28 Abs 6, Nr. 1 BDSG)

– the data is has been made public by the person concerned (§28 Abs 6, Nr. 2 BDSG)

– the data is necessary for a legal transaction (§28 Abs 6, Nr. 3 BDSG)

– the data is necessary for medical research, if this research cannot be done without (§28 Abs 6, Nr. 4 BDSG)

– the data is necessary for medical care, if the acquisition is made by a doctor or somebody else with an obligationtoconfidentiality (§28 Abs 7 BDSG)

– the acquisition is made by a political, philosophic or religious organization without financial interest, but only for their members or associated people.

I do not think any of these exceptions apply. That means that the acquisition of the health status of the possible new students is illegal according to German law.

Step 2: the merging

After acquiring the data, I assume Professor X needs to get information about the new students, he wants to visit. Therefore, he merges the data with some database, according to the movie, it might be a CIA database. Here we have the exact same circumstance as in step 1. With just one exception more.

§28 Abs. 8 BDSG says, that the proceeding or transmitting sensitive data is allowed, if it is needed for defense of public safety.

Of course, thinking about maniacs who try to take over the world, the merging sounds legit, but the merging did not fight a concrete danger. It is more a “long term” investment. Unfortunately the acquisition of the data is still illegal and where did the CIA get data about European citizens? But that is another question, which will not be answered here 😉

So, the merging might be legal, because of the exception for defense of public safety.

Quick note: §28 Abs. 8 BDSG only allows the processing or transmitting of data, not its acquisition.

Step 3: the offering

The last step is the personal visit to the possible new student in order to offer a personal service, in this case a place in Professor X’s private school.

As this is just again data processing, the same legislation applies as in step 2. So, maybe it’s legal because of the defense exception, but that need be discussed.

Step 4: blocking and / or deletion of data?

 In German data protection law, no data should be stored forever. As soon as the purpose of the data has expired, the data needs to be deleted (§35 Abs. 2 BDSG) or at least blocked.

When looking at the reaction by Wolverine, visited by Magneto and Professor X, one can assume that the purpose is expired, as Wolverine seems not to be interested in the offer. As we know, since Wolverine joins the X-Men later, the data may be blocked and not deleted.

Let’s check the terms for blocking instead of deleting, which are stated in §35 Abs 3 BDSG. Blocking data is allowed,

– if there are any laws or other legal issues that prohibit the deletion

– if it can be assumed that a deletion would affect the interests of the person concerned

– if the deletion is not possible or only possible with high effort because of the special way of storing the data

Again I do not think any of the exceptions apply. The data must be deleted, not blocked, at least as far as we are talking about a real database (e.g. the CIA one). If Professor X keeps the information in his mind, this is not affected by German data protection law.


Of course, there are a lot of unanswered questions, which make a final analysis quite difficult. Is telepathy acquisition of personal data and does German law apply here at all? Where is the data stored and how?

Besides that, the conclusion is quite simple. The acquisition was not legal, so every step beyond the first one, such as the uses the data from step 1, was illegal as well. According to §43, Abs. 2 Nr. 1 this is an administrative offense, with a penalty of up to 300,000 Euro in each case.

Translation guide

 Using §1 BDSG as an example:

– ‘§’ or Paragraf means paragraph in English, in this context it is translated to ‘section’.

– ‘Abs.’ is the abbreviation for ‘Absatz’. In this context it is ‘subsection’. In the example an ‘Absatz’ is marked by the brackets.

– The next one is Nr. (‘Nummer’), which means number. It is the next subsection, and in the example it is marked by the normal ‘1.’

– ‘Satz’ means sentence, if referring to a concrete sentence of the text, one uses ‘Satz’.