Privacy rights in Europe - what online creators need to know
An explainer for online creators in the EEA or UK, or with subscribers in that region

Abstract: If you publish on digital platforms with readers in the EEA or UK, compliance with data privacy regulations isn't just a legal formality; it's a responsibility. In this post, I offer a practical, creator-focused explainer on the General Data Protection Regulation (GDPR) and why it matters, drawn from my own experience managing sensitive data across international boundaries in Europe. The essay also highlights national variations in privacy law, focusing on France and the role of the CNIL. From consent and data retention to national laws and children's privacy, this piece introduces the basic need-to-know details and provides links to further information. If you have subscribers or followers in the EEA/UK, then you're handling personal data, and you're subject to the GDPR and potentially to other national regulations as well.
If you dig deep enough on digital media platforms (including this one), you'll find a privacy policy. Seldom read, perhaps. But probably no more neglected than the pages on compliance with data regulations or the detailed provisions embedded, for example, in the Substack Publisher Agreement on compliance with the European General Data Protection Regulation (GDPR). If you're based in the European Economic Area (the European Union plus Iceland, Liechtenstein and Norway) or the United Kingdom,1 or engage online with people resident in those jurisdictions, you're obliged to respect the terms of the GDPR. Moreover, your European country of residence may well have additional privacy regulations of its own. So it's worth your while to get acquainted with privacy policy, European style.
Why I’m writing about this: In my professional life in Ireland, I bore responsibility as a senior administrator for managing personal data representing more than 23,000 individuals at my home institution; I also served as head of a national data archive that managed extensive social survey data, making it available throughout the EU via the Consortium of European Social Science Data Archives. As a result, when the GDPR was poised to go into effect, I was required to get trained and certified, and took part in a broad review of data management policies and procedures to assure overall institutional compliance. I spent well over a year up to my eyeballs understanding and implementing privacy policy then dealing with its record-keeping ramifications. Now, I find myself continuing to think about such things as I inevitably encounter instances of personal data in my little Substack domain (think of all those names, email addresses and usage data available in the dashboard, or of all the people whose images appear in photos you post).
Creators on social media obviously don’t need total immersion in privacy regulations, but there are some things one does need to pay attention to. And privacy policy doesn’t end with the GDPR. Individual EU countries have their own privacy laws, and if you work in one of them it makes sense to become acquainted with what those laws require of you. So here’s a brief what-you-need-to-know explainer.
GDPR Basics
Most of what creators on Substack need to know about the GDPR can be found at the website https://www.gdprsummary.com/. In particular, the page presenting a “GDPR Summary” is a brief read that provides an overview of the objectives of the GDPR, and how responsibilities for compliance are distributed among those who handle personal data. The summary covers key points, including:
Data acquisition: Personal data must be collected for a clear, stated purpose; it may not be acquired for some undeclared future use.
Data retention: Personal data cannot be retained beyond the period during which it is necessary for that purpose.
Data security: Data must be stored and managed in a secure environment, whether online or in physical form.
Legality of use: Every use of personal data must rest on a lawful basis. The GDPR recognises several, but the one most relevant to creators is the consent of the individual to whom the data refer. Consent cannot be inferred; it must be given specifically, for a stated purpose. For example, one cannot assume that a user consents to having their name and contact details migrated from one business environment to another; specific prior consent is required for such a step.
Data breaches: A breach of personal data must be reported to the supervisory authority within 72 hours of the controller becoming aware of it (a processor must in turn notify the controller without undue delay), regardless of which custodian of the data was at fault.
Responsibility for suppliers and sub-contractors: If a business that acquires personal data contracts with a third party, e.g. a payments processor, the business is also responsible for contractually ensuring the third party's compliance with the GDPR.
Substack’s corporate conformance to the principles of the GDPR, including those highlighted above, is described in detail in the Publisher Agreement (8 August 2024) under the rubric “Privacy.” Further specific details are presented in the Data Processing Agreement (DPA), which comprises Annex 1 of the Publisher Agreement.
This is not easy reading, even for someone experienced with GDPR compliance. The Publisher Agreement uses vocabulary defined by the GDPR: Data Controller (which, in context, the Agreement uses for the business entity Substack) and Data Processor (which is used interchangeably with "Creator," i.e. the individual who publishes their work on the Substack platform). The term Data Subjects refers to readers, those who register as subscribers or followers and whose personal details thereby become available to Creators.2 One check worth making when you read the DPA yourself: the "Creator Obligations" quoted below speak of the Creator's "instructions for processing personal data," and in the GDPR it is the controller who gives instructions to a processor, so confirm from the DPA's own definitions which role each party holds before relying on any summary, this one included.
The specific responsibilities of Creators are detailed in the section "Creator Obligations," which is therefore mandatory reading for Creators who are based in, or have subscribers in, the EEA/UK. It does not, however, spell out two key tenets of the GDPR: that an individual's personal data may only be used for the purposes for which it was originally shared and for which the individual gave specific consent, and that personal data (name, contact details, etc.) may only be used in other contexts if the individual has given prior consent to that new use.
For example, Substack’s “Creator Obligations” state that the Creator “ensures its instructions for processing personal data comply with the applicable data protection laws and the Creator shall have sole responsibility for the accuracy, quality and legality of the personal data and the means by which the Creator acquired the personal data.” The key phrase here is “applicable data protection laws,” which means laws that apply to one’s home jurisdiction, but also other regulations—like the GDPR—that can have the legal effect of protecting residents and citizens of other jurisdictions.
Example: In the Substack context, a Creator acquires personal data through the subscription or "following" mechanisms the platform provides. But if a Creator imports a pre-existing list of potential subscribers captured in some other environment (an email contact list, say, or an export from another publishing platform), it is the Creator's sole responsibility, in complying with "applicable data protection laws," to ensure that individuals based in the EEA/UK have consented to this specific new use of their personal data. If consent for the new use has not been sought, Data Subjects protected by the GDPR have a legal right to lodge a complaint with their national data protection authority (the CNIL in France, for example), which in turn may order the processing to stop or levy a fine. (Note that EU residents' rights are enforceable in cross-border contexts, such as between an EU member state and the United States.)
Another example: If a Creator downloads lists of subscribers and/or followers who are residents of the EEA/UK from their Substack dashboard, they similarly have sole responsibility for handling that data in compliance with the GDPR regulations, as the Substack Publisher Agreement specifies. So, if one were to export lists of personal data with the intention of uploading them to a personal contact list, to a third party’s email management system,3 or to migrate their publication to another media platform, it is their sole responsibility to seek specific consent for doing so.
Similarly, since the Creator has agreed to comply with “applicable data protection laws,” these personal data cannot be retained once their original purpose has ceased to exist (or after an individual protected by the GDPR has withdrawn their consent for its use)—that data must be deleted.4
It is also important to understand that, under the GDPR, a photograph or video in which a person can be identified is personal data, so publishing such images likewise requires the consent of the person shown. (More on what constitutes an identifier below.)
The GDPR also contains provisions specific to children, who have the same rights over their personal data as adults, with some refinements. The typical context is consent to an online service such as a social media account: Article 8 of the GDPR sets 16 as the age at which a child can validly give that consent themselves, while allowing member states to set a lower age, though not below 13 (France, for example, has set it at 15). Below that age, the consent of the holder of parental responsibility is required in place of the child's own.
This is by no means an “all you need to know” summary of the GDPR. I hope, though, that it provides incentive to take it seriously and to respect its specific implications for creators using the Substack platform.
Other European Privacy Regulations
Part of implementing the GDPR in the EEA countries and the UK was harmonising national data policies with it before 25 May 2018, the date on which the Regulation took effect. Indeed, a major objective of the GDPR was consistency in privacy regulation across the 28 member states that adopted it.
Whether that objective has been fully achieved is still debated. There have also been concerns about cross-border enforcement, about the Regulation's complexity and about how well it adapts to new technology; some argue that it has stifled innovation within the EEA/UK. Attempts to ease these growing pains were evident in 2025: the UK passed the Data (Use and Access) Act 2025, which makes several amendments, and the European Commission and European Parliament have taken steps to address the awkwardness of cross-border enforcement.5
Still, maintaining an exclusive focus on the GDPR potentially misses the additional privacy regulations of individual European states. (Though perhaps of lesser interest to creators, the European Union’s Artificial Intelligence Act of 2024 also has language relating to data protection and privacy.)
Privacy regulations, France
In my previous country of residence, the Republic of Ireland, the GDPR and EU ePrivacy Directive have substantially subsumed earlier Irish data protection regulations. The situation in my current home country, France, is quite different. I’ll therefore take France as an example of why Substack creators would be wise to investigate the specific regulations of their own EEA/UK country of residence.
In addition to the GDPR, France's cornerstone privacy provisions are codified in the Code civil, Livre Ier: Des personnes (Articles 7 to 16-14). The fundamental right to privacy is stated in a single sentence: "Chacun a droit au respect de sa vie privée" (Everyone has the right to respect for their private life). The remaining articles address the presumption of innocence and rights relating to the human body (respectful handling of the deceased, cloning, handling of genetic information, etc.). French privacy legislation also covers the use of cookies and the consent required for them (transposing the EU's ePrivacy Directive), the handling of health-related data, and data relating to criminal convictions and offences.
Areas of law that would be more directly pertinent to creators of text and other media in an online environment include the following:
Loi n°78-17 du 6 janvier 1978 and the CNIL
Loi n°78-17 du 6 janvier 1978, Loi relative à l'informatique, aux fichiers et aux libertés (Law on information technology, files and civil liberties). The law was put in place as France's use of computerised systems for handling social data and newly introduced personal identifiers matured. It has been updated repeatedly as technology has developed and as networked systems have become commonplace in society.
The law also created the Commission Nationale de l'Informatique et des Libertés (CNIL), whose mandate since the adoption of the GDPR is (1) to investigate complaints of privacy violations, determine whether an infringement has occurred, seek resolution with Data Controllers and Processors and, where necessary, impose penalties; (2) to establish and coordinate a network of Data Protection Officers at public and private organisations in France; and (3) to analyse the consequences of new technologies for citizens' private lives.6 The CNIL's authority covers the Loi n°78-17 du 6 janvier 1978 as well as other French privacy and data protection regulations. The CNIL website (which also has an English-language version) contains a wealth of information on the GDPR and on French data protection and privacy legislation.
What is a personal identifier?
Creators in France should be aware of the range of things that, under EU or French legislation, count as personal data and whose publication without consent may violate privacy statutes. The CNIL lists the following (noting that some of this information can be embedded as metadata in digital objects such as photographs or videos):7
name, pseudonym, birthdate;
photos, vocal recordings;
numbers of landlines or mobile phones, postal address, email address;
IP addresses, computer account login names;
digital fingerprints, handprints, retina scans;
numbers on identity documents (passports, driving licences), vehicle licence plates, social security numbers, etc.;
data on user engagement with online applications (e.g. usage statistics that include IP addresses or names), and so on.

Special provisions for children
France has also focused special attention on children’s rights to privacy and the responsibilities of their parents or guardians. The CNIL has published specific advice on parental sharing of images of their children or grand-children—a practice referred to as “sharenting”—which is seen to have an impact on children’s privacy:8
Sharing videos or photos of your children on social media is not a harmless act and carries many risks.
Generally speaking, the CNIL strongly advises against sharing photos or videos of your children or grandchildren on social networks, especially when your profile is public. If you wish to do so in spite of this, the CNIL provides best practices to follow to limit the risks. (Translated from the CNIL's French.)
The advice offered includes the following:
Be aware that photographs can contain metadata that identifies time and place that an image was captured; such metadata should not be shared.
Be aware that publishing photographs of children may create a digital identity whose long-term impact on the child cannot be foreseen.
Do not share your children's images with friends and family via social media; prefer email, instant messaging and the like.
Ask your child for their consent, and the other parent for theirs, before publishing the child's likeness on web-based media.
Avoid pictures that may compromise a child's privacy, such as children in swimwear.
Consider blurring the face of children in photographs published on social media or the web.
Parents are also counselled to be vigilant of any re-use of photos of their children by third parties on the web, and to take appropriate action to assure their removal.9
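The two points about metadata above (the CNIL's note that identifiers can be embedded in photographs, and the advice not to share the time and place recorded in an image) can be checked rather than taken on trust. The following Python script is an added example, not part of the original post and not CNIL or Substack tooling: it walks the segment structure of a JPEG, reports which privacy-relevant EXIF tags are present in the image's main directory (camera make and model, timestamp, and the pointers to the sub-directories that hold the original capture time and the GPS position), and produces a copy with the metadata segments removed. It uses only the standard library; the sample image is constructed inline (a minimal JPEG skeleton carrying an Exif header with a DateTime tag and a GPS pointer, not a real photograph), and the tag numbers follow the EXIF/TIFF specification.

```python
"""Detect and strip EXIF metadata from a JPEG before publishing it.

Added example (stdlib only). The sample image below is constructed by hand,
not a real photograph; tag numbers follow the EXIF/TIFF specification.
"""
import struct

SOI, SOS = 0xD8, 0xDA                       # start of image, start of scan
APP0, APP1, APP15, COM = 0xE0, 0xE1, 0xEF, 0xFE
EXIF_HEADER = b"Exif\x00\x00"

# IFD0 tags that identify a device, a moment or (via the GPS pointer) a place.
SENSITIVE_TAGS = {
    0x010F: "Make",
    0x0110: "Model",
    0x0132: "DateTime",
    0x8769: "ExifIFDPointer",      # sub-IFD holding DateTimeOriginal etc.
    0x8825: "GPSInfoIFDPointer",   # sub-IFD holding latitude/longitude
}


def iter_segments(data: bytes):
    """Yield (marker, payload, raw) for each JPEG segment.

    Parsing stops at SOS: the entropy-coded scan data that follows, up to and
    including EOI, is yielded verbatim as the final item so it can be copied.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield SOI, b"", data[:2]
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield SOS, data[pos + 2:], data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        yield marker, data[pos + 4:end], data[pos:end]
        pos = end


def ifd0_tags(exif_payload: bytes) -> set:
    """Return the tag IDs present in IFD0 of an Exif APP1 payload."""
    tiff = exif_payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]           # byte order
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])      # offset of IFD0
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    tags = set()
    for i in range(count):
        entry = ifd0 + 2 + 12 * i                         # 12-byte entries
        (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
        tags.add(tag)
    return tags


def find_sensitive_metadata(data: bytes) -> list:
    """Names of sensitive IFD0 tags found in any Exif segment of the image."""
    found = set()
    for marker, payload, _ in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            found |= {SENSITIVE_TAGS[t] for t in ifd0_tags(payload) if t in SENSITIVE_TAGS}
    return sorted(found)


def strip_metadata(data: bytes) -> bytes:
    """Copy of the JPEG without APP1..APP15 (Exif, XMP, ICC, IPTC) or COM segments.

    APP0 (JFIF) and the tables needed to decode the pixels are kept.
    """
    out = bytearray()
    for marker, _, raw in iter_segments(data):
        if APP1 <= marker <= APP15 or marker == COM:
            continue
        out += raw
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed test image: SOI, APP0, Exif APP1 (DateTime + GPS pointer), DQT, SOS, EOI."""
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    # Little-endian TIFF: header (8 bytes) + IFD0 with 2 entries (30 bytes),
    # so the DateTime string sits at offset 38 and the GPS IFD at offset 58.
    ifd0 = struct.pack("<H", 2)
    ifd0 += struct.pack("<HHII", 0x0132, 2, 20, 38)   # DateTime, ASCII, 20 bytes, at 38
    ifd0 += struct.pack("<HHII", 0x8825, 4, 1, 58)    # GPSInfoIFDPointer, LONG, -> 58
    ifd0 += struct.pack("<I", 0)                        # no further IFD
    tiff = (b"II" + struct.pack("<HI", 0x2A, 8) + ifd0
            + b"2025:09:11 10:15:30\x00"                # constructed timestamp
            + struct.pack("<HI", 0, 0))                 # empty GPS IFD
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\xff\xda" + b"\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
    return b"\xff\xd8" + seg(APP0, jfif) + seg(APP1, EXIF_HEADER + tiff) + seg(0xDB, b"\x00" + bytes(64)) + scan


if __name__ == "__main__":
    img = build_sample_jpeg()
    print("before:", find_sensitive_metadata(img))      # ['DateTime', 'GPSInfoIFDPointer']
    clean = strip_metadata(img)
    print("after: ", find_sensitive_metadata(clean))    # []
```

Three things to bear in mind. The checker reads only IFD0, so a tag that lives solely in the Exif or GPS sub-directories is not listed by name, though the presence of the GPS pointer is enough to know that location data is there; a full audit would walk those sub-directories or use a dedicated tool such as exiftool. Stripping every APP1 to APP15 segment also removes XMP, IPTC and ICC colour profiles, so check that the output renders as you expect before publishing it. And do not rely on a platform to strip metadata for you: what one platform removes on upload, another may keep.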
Data protection and privacy rights are important concepts in European law and this explainer only provides an introduction, albeit with a focus on things that creators based in the EEA/UK need to know, and what creators anywhere need to understand about the handling of personal data of those resident in the EU.
1. Following Brexit, EU regulations are no longer in effect in the UK. However, the UK has retained the GDPR domestically as the "UK GDPR," supplemented by the Data Protection Act 2018 (DPA 2018). Because the two regimes are so close, they are treated as equivalent in this essay.
2. The Substack Data Processing Agreement states that its terms apply only to Creators within the EEA or the United Kingdom; this does not mean, however, that the requirements of the GDPR can be ignored by Creators outside Europe where European followers and subscribers ("Data Subjects") are concerned.
3. From my own perspective, an important enhancement to Substack's services would be a facility to send bulk messages to subscribers, since downloading contact information for secondary use in an email system without prior consent technically violates the GDPR. Otherwise you're stuck using the system's limited messaging services.
4. The GDPR guarantees an individual's right to the erasure of their personal data (Article 17) once they have withdrawn consent for its use, or once the original purpose for which consent was granted no longer applies. The right is sometimes referred to as "the right to be forgotten." See, for example, Intersoft Consulting, "GDPR: Right to be Forgotten" (updated 25 July 2025), https://gdpr-info.eu/issues/right-to-be-forgotten/ (consulted 20 September 2025).
5. Nicola Kerr-Shaw, Aleksander J. Aleksiev, William E. Ridgway, David A. Simon and Susanne Werry, "Something Is Better Than Nothing: UK and EU GDPR Reform Finally Arrives," Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates (1 July 2025), https://www.skadden.com/insights/publications/2025/07/something-is-better-than-nothing (consulted 4 September 2025).
6. "The CNIL's Missions" (29 April 2025), https://www.cnil.fr/en/cnil/cnils-missions (consulted 7 September 2025).
7. "Identifier les données personnelles," CNIL (27 January 2020), https://www.cnil.fr/fr/identifier-les-donnees-personnelles (consulted 11 September 2025).
8. "Partage de photos et vidéos de votre enfant sur les réseaux sociaux : quels sont les risques ?" CNIL (25 August 2025). See also Marie Soulez (with Ethan Brulé), "Sharenting et respect du droit à l'image de l'enfant," Lexing (6 May 2025), https://www.lexing.law/avocats/sharenting-et-respect-du-droit-a-limage-de-lenfant/2024/06/05/ (consulted 11 September 2025).
9. The CNIL provides several further guides on children's personal data under the heading Pour approfondir : les ressources de la CNIL, together with links to related external resources and to the French legislation on which its advice is based.




Thank you for this excellent and oh-so-important post. I think I have been following GDPR guidelines but your post left me with some questions where I'm wondering if I might be in a grey area.
I don't know if the idea appeals to you, but have you thought of doing a Substack live on this issue?