Category Archives: privacy law

Powers: Little Deaths

Posted on March 4, 2013 by | 13 Comments

The third major story in Powers is entitled “Little Deaths.” It has to do with the investigation into the death of a superhero known as “Olympia,” discovered dead, and completely naked, in a crappy apartment in a seedy part of town. This story lends itself to a discussion on the issue of superheroes and privacy rights. James wrote a four-part series on privacy rights (1, 2, 3, 4) in December 2010, and we had a pair of guest posts on the related right of publicity (1, 2) in late 2011, but I don’t think either of us have come across another story that touches on these issues so directly.

Definite spoilers within, and almost right away. Like most of the Powers stories, this is a murder mystery, but it’s hard to talk about some of the legal issues without giving it away. If you haven’t read it and want to preserve the sense of surprise, go read it and check back. You have been warned.

Also: This story is a little on the racy side. We’re a family blog, but this post is basically a legal analysis of the public disclosure of allegedly private facts, specifically details of superheroes’ sexual histories. If that isn’t something you want to read about, maybe skip this one. Continue reading

→ 13 Comments

Posted in privacy law, torts

Superhero Journalists Revisited

Posted on December 21, 2012 by | 14 Comments

You may recall our previous post about superhero journalists Clark Kent and Peter Parker, which discussed how copyright affected them differently as an employee and an independent contractor, respectively.  Well the times they are a changin’, and Clark Kent quit his job at the Daily Planet in Superman #13 to become a blogger.  This will have more than a few legal consequences for Kent, some of which we’ll touch on today and some of which will have to wait for a future post.

I. Intellectual Property

As an individual Kent will either be working as a freelancer, selling stories to companies like the Huffington Post, or he may publish stories himself.  Regardless of which business model Kent chooses, he’ll also have to choose a form of business association (corporation, LLC, etc).  Basically, he could either choose some sort of corporation, or he could operate a sole proprietorship.  The latter is easier, but it’s also riskier (more on that later).

With regard to IP, the different kinds of business association give him some options.  For example, he could be an employee of a corporation, in which case the copyright in his works would be automatically owned by the corporation, just as they were owned by the Daily Planet when he worked there.  Or, if he wasn’t an employee then he could assign those copyrights by contract.  And if he chose not to incorporate, then he could retain ownership of the copyrights as an individual.

One practical effect of this choice will come into play when contracts with publishers are signed.  If Kent’s company owns the copyrights (either automatically or by assignment), then the company will be the one selling the stories, which entails either assigning the copyright to the publisher or granting the publisher a license.  If Kent operates as an individual, then it’ll be Kent selling the stories directly.  Either way it’ll probably be Kent signing the contracts, since he’ll be his company’s sole employee/shareholder/member.  The difference will be whether he signs it something like “Clark Kent, Manager, KentCo LLC” or just “Clark Kent.”

So what’s the point of all of this?  Why would Kent bother setting up a company, especially if he’s going to be the only employee or if it won’t even have any employees?  The answers are, as they so often are in the law, liability and taxes.  Taxes will have to wait for a future post, but let’s take a brief look at liability.

II. Liability

As a writer working alone, Kent probably won’t have to worry too much about some of the common sources of liability for companies, such as products liability or workplace injuries.  But he will have to worry about suits for defamation, invasion of privacy, and related torts.  To a certain extent these risks can be insured against, and it’s usually part of commercial general liability insurance, but there are limits to what insurance will cover.  If Kent intentionally defames someone or (more likely) intentionally invades their privacy, then an insurer isn’t going to cover that.  This is where the liability protection of the corporate form comes in to play.

Basically, the way this works is that the plaintiff could sue Kent’s corporation or company but not Kent himself as an individual.  This means that the corporation’s assets would be vulnerable in the suit, but not Kent’s personal assets.  There are some exceptions to this general rule, however.  Sometimes a plaintiff can “pierce the corporate veil” and sue the employees or directors and officers of the corporation as individuals.  There are several reasons why this can happen, but some of the most common are when the corporation is just an “alter ego” of the individual (i.e. they aren’t really distinct entities) or when the corporation is under-capitalized (i.e it doesn’t have nearly the assets it should given the kinds of risks it undertakes).  Both of these are potential issues for a one-person corporation or LLC.  Kent will have to be careful to observe the corporate formalities, avoid commingling personal and corporate assets, and maintain adequate capital in the company.

If Kent decides not to incorporate but instead operate a sole proprietorship or even act as an individual, then he won’t have this benefit.  He could be named in the suit as an individual and his assets would all be up for grabs, subject to the limitations of bankruptcy.  Incorporation has some upfront costs and requires some effort to maintain, but it beats being on the wrong end of a million dollar damage award.

III. Conclusion

So far there haven’t been a lot of details in the comics, but it’ll be interesting to see where this part of the Superman story goes.  Clark Kent’s work at the Daily Planet has been an iconic part of the character for decades.  ”Clark Kent, mild-mannered blogger” doesn’t have quite the same ring to it.

→ 14 Comments

Posted in copyright, intellectual property, privacy law, Superman, torts

Cerebro and Privacy Laws

Posted on June 25, 2012 by | 29 Comments

The X-Men movies feature Professor X’s Cerebro device, which amplifies the power of telepathic mutants, allowing them to find other mutants anywhere in the world.  In X-Men: First Class, Professor X and Magneto collaborate with the US government to assemble a team of mutants.  Although the movie is set in the early 1960s, Cerebro (nowadays called Cerebra) is also used in stories set in the modern day.  What’s more, it’s used to collect information on mutants around the world.  This caught the attention of Law and the Multiverse reader Mathias Ullrich, who wrote a great guest post on the subject using First Class as an example:

A data-protection consideration of Prof. Xavier’s recruiting methods according to German law

When reading the article about the responsibility of Prof. Xavier as the principal of a full time school some weeks ago, I started wondering about Prof. Xavier’s way of recruiting. As a data protection officer in Germany, my attention turns to data protection concerns.

As I’m not so familiar with the X-Men, I’ll stick to the movie X-Men: First Class. To analyze the whole process, I divide it into the different relevant steps:

1) data acquisition by telepathy

2) merging the data with another database (e.g. the CIA database) in order to get real addresses

3) offering specific services

4) deletion / blocking of the personal data

Some basics about the German data protection law: The German implementation of the European Data Protection Directive (“Directive 95/46/EC”) is one of the strictest implementations in Europe and is probably the strictest data protection law in the world. It’s called the “Bundesdatenschutzgesetz” or BDSG in short. In general it says that data processing of personal data is forbidden, unless there is an authorization of it in either the BDSG or other laws. So every data acquisition and processing needs an authorization.

Is German law applicable?

The first question we need to answer is if German law applies, when somebody in the world is acquiring customer data. The answer is quite simple: if there is an acquisition of personal data from German citizens, then German law can be used. This is similar to the discussions regarding Google Analytics or Facebook.

What kind of organization are the X-Men?

As stated in a recent blog post, Xavier’s School is a private school.

Step 1: the acquisition

When Professor Xavier searches for mutants, he is gathering data about the health status and some other information about potential students. Health status is one of the so-called “special kinds” or sensitive kinds of personal data according to §3 Abs. 9 BDSG, alongside racial and ethnic origin, political or religious belief and some more.

Acquiring and processing these kinds of personal data has some special rules. As said before, the German data protection law forbids unauthorized data processing, so we need to find permission.

From the reaction of the mutants visited by Magneto and Professor X, I assume none of them gave permission for acquiring the data. So I would also say that Professor X did not inform the people concerned about the concrete use of the data. This is mandatory. It is illegal to acquire data without the knowledge of the person concerned (§33 Abs. 1 BDSG).

Let’s go back to the acquisition. In §28 Abs. 6f and 9 BDSG we find the exceptions.

It’s possible to acquire these data without an explicit permission, if

- it is vital to the person concerned and he / she is not able to give the permission (§28 Abs 6, Nr. 1 BDSG)

- the data is has been made public by the person concerned (§28 Abs 6, Nr. 2 BDSG)

- the data is necessary for a legal transaction (§28 Abs 6, Nr. 3 BDSG)

- the data is necessary for medical research, if this research cannot be done without (§28 Abs 6, Nr. 4 BDSG)

- the data is necessary for medical care, if the acquisition is made by a doctor or somebody else with an obligationtoconfidentiality (§28 Abs 7 BDSG)

- the acquisition is made by a political, philosophic or religious organization without financial interest, but only for their members or associated people.

I do not think any of these exceptions apply. That means that the acquisition of the health status of the possible new students is illegal according to German law.

Step 2: the merging

After acquiring the data, I assume Professor X needs to get information about the new students, he wants to visit. Therefore, he merges the data with some database, according to the movie, it might be a CIA database. Here we have the exact same circumstance as in step 1. With just one exception more.

§28 Abs. 8 BDSG says, that the proceeding or transmitting sensitive data is allowed, if it is needed for defense of public safety.

Of course, thinking about maniacs who try to take over the world, the merging sounds legit, but the merging did not fight a concrete danger. It is more a “long term” investment. Unfortunately the acquisition of the data is still illegal and where did the CIA get data about European citizens? But that is another question, which will not be answered here ;-)

So, the merging might be legal, because of the exception for defense of public safety.

Quick note: §28 Abs. 8 BDSG only allows the processing or transmitting of data, not its acquisition.

Step 3: the offering

The last step is the personal visit to the possible new student in order to offer a personal service, in this case a place in Professor X’s private school.

As this is just again data processing, the same legislation applies as in step 2. So, maybe it’s legal because of the defense exception, but that need be discussed.

Step 4: blocking and / or deletion of data?

 In German data protection law, no data should be stored forever. As soon as the purpose of the data has expired, the data needs to be deleted (§35 Abs. 2 BDSG) or at least blocked.

When looking at the reaction by Wolverine, visited by Magneto and Professor X, one can assume that the purpose is expired, as Wolverine seems not to be interested in the offer. As we know, since Wolverine joins the X-Men later, the data may be blocked and not deleted.

Let’s check the terms for blocking instead of deleting, which are stated in §35 Abs 3 BDSG. Blocking data is allowed,

- if there are any laws or other legal issues that prohibit the deletion

- if it can be assumed that a deletion would affect the interests of the person concerned

- if the deletion is not possible or only possible with high effort because of the special way of storing the data

Again I do not think any of the exceptions apply. The data must be deleted, not blocked, at least as far as we are talking about a real database (e.g. the CIA one). If Professor X keeps the information in his mind, this is not affected by German data protection law.

Conclusion

Of course, there are a lot of unanswered questions, which make a final analysis quite difficult. Is telepathy acquisition of personal data and does German law apply here at all? Where is the data stored and how?

Besides that, the conclusion is quite simple. The acquisition was not legal, so every step beyond the first one, such as the uses the data from step 1, was illegal as well. According to §43, Abs. 2 Nr. 1 this is an administrative offense, with a penalty of up to 300,000 Euro in each case.

Translation guide

 Using §1 BDSG as an example:

- ‘§’ or Paragraf means paragraph in English, in this context it is translated to ‘section’.

- ‘Abs.’ is the abbreviation for ‘Absatz’. In this context it is ‘subsection’. In the example an ‘Absatz’ is marked by the brackets.

- The next one is Nr. (‘Nummer’), which means number. It is the next subsection, and in the example it is marked by the normal ‘1.’

- ‘Satz’ means sentence, if referring to a concrete sentence of the text, one uses ‘Satz’.

 

→ 29 Comments

Posted in guest posts, movies, privacy law, X-Men