The new European Union General Data Protection Regulation (GDPR) is creating uncertainty among professional and enthusiast photographers, with some schools in Germany banning all photography of students, and serious speculation as to whether street photography is even legal any more under the new data protection rules.
This is directly relevant to Australian photographers with clients in Europe and, more broadly, because all democratic countries are likely to follow with similar – possibly even parallel – laws in response to the massive appropriation of their citizens’ personal data over the last decade by the likes of Facebook and Google.
The issue for photography is that, under the new regulations introduced in May, images of people fall into the category of personal data, so that all the rules and regulations regarding possession, storage and handling of data like email addresses, credit cards numbers, etc, also apply to a digital file of an individual.
An recent article in German publication imaging+foto contact reported that German schools were banning photography at events such as awards and sports. The German Photographic Association (PIV) has asserted that taking photos is allowed provided the distribution is for private use only. This is where things get tricky; putting an image in a family album is private use but posting an image on Facebook could breach the rules.
The new rules create an extra layer of complexity for schools photography businesses, which as ‘data processors’, have a range of onerous compliance obligations – for instance, all images must be destroyed after a nominated time span. And as data processors, they are legally liable for any breaches.
Under GDPR, consent must be explicitly given to anything that isn’t within the normal business of the school, especially if it involves a third party, such as a schools photographer, managing the data. Parents (or the pupil themselves depending on their age) must express consent for their child’s data to be used outside of the normal business of the school.
Street photography ‘non-compliant’?
Taking pictures in public – from events and sports through to candid street photography is potentially caught up in the GDPR. The GDPR covers photographs where it is possible to identify the subject, and with increasingly sophisticated facial recognition software, that’s not a hard bar to pass.
‘If you’re a professional, then you will need to fix your customer relationship management, your website, your data security, and much more,’ German photographer and journalist Hendrik Wieduwilt said in an article by Alex Mita in the London School of Photography website.
‘If you’re just a mom or pop shooting pictures of your family, you should be fine. The GDPR does not apply to data processing “in the course of a purely personal or household activity.” But beware: if you have a million Instagram followers, your kid’s birthday party is probably not a “household activity” anymore.’
Street photography becomes questionable because the GDPR requires you to obtain consent of the subject before taking a picture of them! A photographer hired to shoot an event, or a professional photojournalist, would likely pass a ‘legitimate interests’ exception, but there are still questions to be answered when it comes to the balance of ‘legitimate interests’ to take a photograph, and the interests or fundamental rights and freedoms of the subject of the photograph – particularly when the subject is a child.
Freedom of expression does not seem to fall into the category of ‘legitimate interests’, leaving non-professional photographers more exposed to prohibitions on capturing images of people who aren’t friends or family.
The GDPR is still new and there is hopefully going to be some bedding down as unintended consequences – like the end of street photography in Europe – are sorted through. Currently freedom of expression is collateral damage in the pursuit of data protection.
There hasn’t been a lot written on the GDPR and photography but perhaps the most succinct and helpful article we came across in preparing this story was, of all places, on the Skylum (software) website: ‘Photographers and videographers are affected [by the GDPR] especially wedding, sports or event photographers – because they store sensitive data like other businesses,’ it states. ‘Every recognisable image of someone is data, even if they are in the background of the image. If you are photographing a wedding, event, or doing some street photography, you’re collecting people’s personal data without knowing it.’
The article goes on to explain the measures photographers need to take to be compliant.