Creative commons attribution and GDPR

Question

When using content released under an open licence such as creative commons, it might be required to provide attribution to the author.

For instance, if I were to use this image from Wikimedia Commons released under CC 4.0 BY-SA, I would be required to specify the username for the creator, as part of the attribution.

However, according to GDPR, usernames are identifiable information.

Does that mean that there are privacy implications in attributing the content? Or is the dealing of the information for the purpose of attribution fair and proper because the creator set a specifically open licence with attribution?

Answer 1

Under GDPR article 6 paragraph 1 item (c) one lawful basis for processing personal information (PI) is:

processing is necessary for compliance with a legal obligation to which the controller is subject;

The obligation to attribute a reused work under a CC license is such an obligation. Moreover, the licensor has the option under any CC license to specify a pseudonym for attribution of that work, or to waive attribution totally. Not doing that while releasing content under a CC license that requires attribution could reasonably be considered consent to publish that name along with each re-released copy of the work, so there are at least two lawful bases for processing that name and making it public.

In some jurisdictions the license has the status of a contract, which imposes an obligation to attribute the author properly under GDPR Article 6 paragraph 3, as described in more detail in the answer by amon.

Also, usernames are PI if and only if it is reasonably possible to associate them with a specific natural person. If a person chose a user name for a single site, not used for any other, and did not post any info that allows the person's identity to be determined, it is not PI. Often, of course, the person can be determined.

Answer 2

Just because something is personal data doesn't mean you're prohibited from using/sharing/processing that personal data. You just need an Art 6 GDPR legal basis.

Here, the copyright holder is offering you a contract: you're allowed to freely use that image, as long as you attribute them properly. Since this attribution is necessary for fulfilling the license condition, you have a legal basis per Art 6(1)(b):

(1) Processing shall lawful [if] (b) processing is necessary for the performance of a contract to which the data subject is party […]

Furthermore, many copyright laws recognize moral rights: the right of the creator to be recognized for their creative works. This implies an attribution requirement, regardless of what the license says. So this attribution could also be argued to be necessary for compliance with your legal obligations, which is a legal basis under Art 6(1)(c).

Similar arguments could be made that the copyright holder has given their implicit consent, or that you have a legitimate interest in demonstrating the provenance of this image.

So are there privacy implications with attribution? Yes, absolutely. This is personal data, so you need to process it in accordance with the GDPR. However, the GDPR will not prevent you from fulfilling your contractual or legal obligations.