This article details the issue of GDPR compliance in the music industry, exploring whether the artist data, such as ISRC identifiers, can be considered personal data under the current legislation and what challenges such a definition might pose for the music business. When preparing this article, we got in touch with the Spanish-based legal services company Sympathy for the Lawyer, which provided us with their advice on the topic. That said, the questions reviewed in this article are somewhat in the grey legislative area, so it shouldn't be taken as definitive legal advice. If you believe that you and your company might be affected by some of the concepts discussed below, we suggest you seek professional legal advice. Additionally, please be aware that this article focuses specifically on EU-based GDPR, leaving UK GDPR and US CCPA out of scope.

Personal data protection and GDPR compliance have been a significant concern for companies based in the EU for more than four years. Since the law came into force in 2018, we've seen companies large and small hit with fines for not complying with the regulations. According to the Enforcement Tracker database, over 1.1k GDPR-related fines were issued in the past 4 years — ranging from a few hundred euros to Amazon's record-breaking 746 million forfeit.

The music industry has also been affected by GDPR. Back in 2019, most major streaming services had been challenged regarding their compliance with new privacy regulations, with Swedish authorities launching an official review on Spotify data processing practices just a few months later. Yet, streaming services have quickly amended their privacy policies — and since then, the regulations have mostly become a concern for marketing departments across the music industry, looking to establish transparent ways of processing fan data. 

A quick Google search for "GDPR in the music industry" would reveal that fan data processing is the first and sometimes the only consideration for GDPR compliance in music — but what about the artists? Could the data collected in connection to the artist's career be considered personal data — calling for the same level of transparency and control? And if so, what would be the implications for the music data industry? Let's try to get to the bottom of it.

Anyway, What is Personal Data?

So, we should probably begin at the beginning: what is personal data anyway? As per the official definition offered by the European Commission, "personal data is any information that relates to an identified or identifiable living individual." Examples include your IP or home address or the number of your identification document — essentially, any piece of information which can be used to track down a living person can be considered personal data.

Another important distinction is that the information you hold doesn't have to directly identify an individual for it to be considered personal data. If the data you hold can identify the person indirectly, it should also be regarded as private data under GDPR. According to the official GDPR documentation, if the data you hold on someone can become identifiable when combined with other data that can be reasonably accessed (by you or another third party you're sharing the data with), it should also be considered private data.

At the same time, the "any information" part of "any information that relates to an identified or identifiable living individual" is not exactly a closed term, as it leaves a lot of room for interpretation. Depending on the context of data processing, artist-related information may or may not be considered personal data — and as we are dealing with novel concepts with no legal precedents to speak of, it's hard to say anything definitively. Yet, we'll try our best.

Should Artist Data be Considered Personal Data?

Given the definitions outlined above, it's easy to imagine how large chunks of artist data processed today would fall under the umbrella of private data. From a certain perspective, all commonly used artist and songwriter identifiers, such as ISRC or ISWC codes, could be used to identify the living individual behind the given project, release, or composition. Even if the ISRC code in itself isn't enough to definitively identify the person behind the release (i.e., the performing artist's real identity), an ISRC code could be used to track down the artist's name (through the IFPI database, for example) which can, in turn, lead you to the real identity of the artist.

If we follow that logic, most of the time, music identifiers should be considered indirectly identifiable data. Thus, it should be treated the same way as private user data: data controllers must provide artists and songwriters with a clear definition of how their identifiable data would be used, which third parties it will be shared with, etc. — while also offering a clear opt-out and "right to be forgotten" options. Some of the music tech companies on the market are already abiding by these definitions — to quote TuneCore's privacy policy, for instance:

"Personal Data means information that directly or indirectly relates to You as an identified or identifiable natural person. This may concern, depending on the contract, the Sites, the Products or Services, Your status and/or the means of collection, all or part of the following Personal Data:  

  • [....]
  • For performing artists or their representatives only: their stage name, textual, graphic, photographic or video elements or sound and date elements related to a sound recording reproducing the performance…
  • Necessary metadata to identify the works fixed on the Recordings and Music Videos, and their assigns, in particular the authors', composers', publishers' names, or all assigns, ISWC, ISRC, UPC codes, etc ;"

Furthermore, there's an argument that not only artist names or identifiers should be considered private data. According to the official GDPR documentation, any data that "relates to" an individual might also become personal data: 

"Information that identifies an individual, even without a name attached to it, may be personal data if you are processing it to learn something about that individual or if your processing of this information will have an impact on that individual".

If we were to unwrap this definition in the context of music data, any information that relates to the artist's career — for example, streaming performance analytics on the artist's distributor dashboard or the artist's airplay logs generated by radio-tracking tools — could also be considered private data. So under the broadest definition possible, all artist data is kinda personal data. But what does it mean for the music industry?

The Music Data Chain(s)

The modern music industry runs on (meta)data — it's the oil that makes the wheels of the digital music business spin. Look at publishing for a moment: ISWC codes are used universally across the publishing chain to identify the songwriters and right holders. When a new composition is registered, a single ISWC code is shared repeatedly to create records with hundreds or even thousands of companies: from CMOs to publishers to asset management solutions and beyond. 

In such a case, GDPR compliance should be assured through the contract between the songwriter and their publisher. And indeed, most standard contracts in Europe would include a standard data protection clause, authorizing the processing and transfer of songwriters' personal data to third parties when it's necessary to fulfil contractual obligations (i.e., exploit the composition). Yet, it's then up to the companies along the publishing data chain to ensure that this personal data is stored and processed in a GDPR-compliant way — i.e., only using the strictly necessary data, guaranteeing safe data transfer, etc. And given that the notion of "ISWC as personal data" is still a pretty fringe idea, the chances are that this data chain will never be 100% compliant.

Beyond that, music tech is still a rapidly developing (and pretty chaotic) landscape. Given the complexity of the data-sharing structure, it might be very tricky to determine who would actually have access to artist data on the other end of the data chain. For example, imagine you're distributing an artist release to Spotify: Spotify will ingest the track and expose the track's data (including the ISRC code) through their open API. Now, anyone with a Spotify account and an authorization token can access the artist's private identifiers (provided that ISRC codes should be treated as such). Unfortunately, the music data chains have been built with little regard to the artist's control over their data, so tracking down all the third parties who might have access to the artist's data will often prove a near-impossible task.

Third-party Music Data Solutions

Out of all the companies working with music data, this definition of "artist data as private data" would be the most problematic to the third-party tracking solutions. These companies entirely sidestep the music data-sharing chain and use open sources or proprietary tracking technologies to collect artists' data. Third-party analytics, airplay tracking solutions, music databases, etc. — music data services have records on millions of artists and, most of the time, don't have any sort of data processing consent from artists or their teams.

GDPR makes a specific exception for data processing for "archiving purposes in the public interest", which could mean that public music databases like MusicBrainz are in the clear, as they are processing data for archiving and statistical purposes. However, most companies gathering and processing artist data for profit are left in a gray area. That is, once again, if we go with the definition of artist data as private data we've outlined at the beginning of this article. And by way of a reminder, the GDPR doesn't only apply to the companies based in the EU — a US-based enterprise still has to abide by the GDPR when processing the personal data of European citizens. So, even the biggest and oldest players on the market, like Nielsen's Luminate (previously MRC Data), would still be impacted.

Artist Data Ownership in the Music Business

Another significant implication of such a definition would be the question of data ownership in the music business — the topic is somewhat of growing concern, especially in the recording industry. The idea is quite simple: the proprietary data generated in relation to the artist's career can be extremely valuable — so, who should own that data? 

Imagine the following: you've signed an album deal with a major label. The label has invested in the release cycle, claiming 85% of the royalties and potentially owning the master copyrights themselves. Fast forward to a couple years later, you're out of that release cycle and want to move to another label — but what would happen with the data generated on your debut? Beyond purely analytical purposes, some subsets of artist data might have a direct monetary impact on the artist's career: for instance, the Facebook pixel with all of your fans' data, which can be very useful for running future advertising campaigns. So who should own that data: the artist or the label?

Today, there's no clear-cut answer to that question, to the point where we've heard of some recording companies introducing "data ownership" clauses in their contracts. But suppose we adopt the view that "data that are used for learning or making decisions about an individual are also personal data." In that case, all artist data should be considered private data — the answer becomes apparent.

In conclusion of this thought piece on GDPR compliance in the music industry, there's one thing we want to clarify. This article wasn't written to offer concrete answers but to ask the right kinds of questions. We're not here to point fingers or raise alarmist concerns. Instead, we want to bring the attention of the music data community to the issues outlined above, get the conversation going, and find the answers together. For now, we're not in a position to clearly size the problem nor offer ready solutions — but we hope that by publishing this piece, we can start looking for answers together.