The EU General Data Protection Regulation (GDPR) will take effect across Europe on May 25. But giving users greater control of personal data might have undue consequences for artists and cultural organizations.
Artists and musicians who rely on email marketing to publicize their latest happenings and creations have been feverishly informing subscribers that they are abiding by new EU data protection laws set to come into effect on May 25. All member states must conform to the General Data Protection Regulation (GDPR) — including the UK, which despite Brexit must also implement the EU directive.
The new data protection regime essentially forces corporations, government agencies, charities, but also artists and arts organisations, to get consent for any personal information they use, and to be transparent about the private data they hold. Those who continue to use this data without consent after May 25 could be subject to significant fines amounting up to 4 percent of global turnover or €20 million ($23.5 million), whichever is higher.
While such dizzying fines are reserved for serious infringements, such as a corporation's breaching of a data subject's rights and freedoms, smaller cultural organizations are also facing changes.
Sam Wareing is a Berlin-based musician and organizer of the monthly Sofa Salon house concerts in living rooms across the German capital. Running since 2010, the concert series that hosts up to 50 people per show and provides a platform for touring musicians from around the world is almost wholly attended by guests who respond to regular email newsletters about the event.
To satisfy one of the GDPR's key data privacy upgrades, Wareing has asked subscribers to her email to "opt in" by confirming that they are happy to consider receiving the newsletter and share their personal data — including names and email addresses but in some cases phone numbers and physical addresses.
But due to "human oversight," Wareing is now worried that she may lose up to half of her subscribers — and hence customers. At worst, the changes could potentially threaten the viability of Sofa Salon.
While much of this process has been automated by email marketing services such as Mailchimp, there's a widespread fear that the transition will be a difficult one.
"Can we carry on selectively emailing and mailing our people or do we have to get their formal consent first?" Peter Osborne, the director of London-based gallery Osborne Samuel, asked in The Arts Newspaper in February.
Osborne fears that if his gallery has to contact everyone on its existing lists to get them to opt in, only a small percentage will respond and "the people we most want to contact (VIPs and top clients) are just the kind of time-poor people who may not reply."
An email sent out by artist duo Danielle de Picciotto and Alexander Hacke (of band Einstürzende Neubauten) merely asked email newsletter recipients to unsubscribe if they no longer wanted to receive it, but also stressed the importance of the newsletter for marketing.
"As freelance artists that do not have the budgets for huge press campaigns this is our only possibility of letting you know what we are up to."
But while the GDPR could adversely affect arts organizers, musicians, and potential concert-goers or art buyers who may have merely forgotten to respond to the litany of requests to opt-in in recent weeks, Wareing supports the general principle of privacy.
"I think it's a good idea for any content provider to have an opt-in," she told DW. "It means you have to confirm that you want that content." Users also get a chance to spring clean their inboxes by simply not opting in.
The art market's secretive ways
But the concerns of art curators like Osbourne are more complex.
According to Andreja Velimirovic, who in March wrote an article on "How Will EU's New GDPR Law Affect the Art Business?" for Widewalls magazine, "the entire art market is built upon a secretive way of dealing with information, a manner of conducting business that enables the leading figures to make as much money as possible. This lack of transparency will be in direct conflict with the GDPR and it will be interesting to see how the entire situation will unfold."
Indeed, the Financial Times reported in March on how "A secretive art world grapples with data protection legislation." The article describes how art galleries build relationships with clients based on years and sometimes decades of collected private information — "from their tastes and their buying histories to their private addresses and even their dietary preferences."
Ian De Freitas, a lawyer at Farrer & Co, a legal firm that is trying to get art businesses to become GDPR-compliant, told the Financial Times that the art world was "unusual" in the way it retained personal data.
"They say that they often need to keep information for decades in relation to sales of artwork, for example for provenance purposes," he said.
While the news law is still veiled in ambiguity, if galleries need to purge private data as a result of the GDPR, or lose VIPs and major clients from subscription lists, then the broader artistic community may suffer as a result.
Anxiety at the grass roots
According to London-based arts writer Katherine Tyrrell, whose Making A Mark on Art blog has been advising readers about the GDPR, the EU has failed to assess the impact of the changes on artists who are effectively sole or small traders.
Since the new regulation was approved in 2016, the EU has not only failed to adequately communicate the changes to small businesses, but have "only succeeded in frightening them and sending them into a spin with very little time left to implement change," she told DW.
Though Tyrrell also believes the EU should improve personal data security, she fears that a "one size fits all" approach to regulations will unduly affect the small, under-resourced businesses run by artists and cultural bodies.
"The level of change is seismic in its impact for a sole/small trader such as an artist compared to companies which can afford to employ individuals to tackle this topic," she said. "It's very likely to succeed in causing much anxiety and choking off economic activity at the grass roots."
As The Verge magazine wrote in March: "Regulations like this tend to hit small companies the hardest, so the GDPR might also tip the scales even further toward big players like Google and Facebook, even as the overall pool of data shrinks."
Reuters reported in April that almost 1.5 billion Facebook users in Africa, Asia, Australia and Latin America would have been protected by the GDPR because the social network is based in Ireland — in part due to the low corporate taxes.
This could leave the social network open to billions of euros in fines if the more stringent data privacy policies are not maintained — which might seem unlikely following the massive Cambridge Analytica Facebook privacy breaches.
But the social network has simply changed its terms of service so that the non-European users are no longer subject to EU regulations but more lenient US privacy laws. That simple — even if corporations like Facebook and Google ultimately have the resources to ensure GDPR compliance.
Tyrrell believes that many small creative businesses will simply carry on as before. "I suspect most artists are still not aware that any change is happening on the 25th of May," she said.
She is unsure whether this will create legal problems — and potential million euro fines — down the track.
"I certainly don't think the regulators should be spending their time chasing after artists who probably don't understand much of the language and terms that the regulations and guidance is written in," she added.
Lawmakers and regulators need to get their priorities right, she believes, and "focus all their efforts on holding the corporate giants to account."
Artists like Daniele de Picciotto agree. "I think this law should be for large companies that abuse people's data," she told DW. "Small artists and companies only want to get their news out to their fans to be able to survive."