The GDPR. You’ve probably heard of it.
The General Data Protection Regulation (GDPR) is now one year old. It affects every business or organization, anywhere in the world, that markets to people in the European Union (EU). It applies to anyone who uses personal information of EU citizens for business or public sector purposes.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in today’s data-driven world.
– GDPR
The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
– GDPR FAQ
What About Photography?
Personal data are involved where individuals may be identified in photographs. This means that the GDPR applies to photography.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
– GDPR
The GDPR does not apply to personal photography. But the moment you publish your personal photos online, this can change.
Does your photography business have a web site that is accessible from within the EU? Does it use cookies or trackers of any kind? Do you have a contact form?
Does your web site add people to a mailing list without their express consent?
Do you take photos anywhere in the world of people who reside in the EU? These people must consent to you recording their personal information through photography. They have the right to prevent you from publishing the photos and can even tell you to delete the pictures (although I believe you are under no obligation to do so). If they do consent to being photographed and having you publish those photos, they still have the right to revoke their consent at any time.
Do you publish images online that have embedded GPS data? This can reveal where your subject lives. This is important even without the GDPR.
Does your web site have a published privacy policy? (You needed this even before the GDPR.)
Legitimate Interests
There are a few GDPR exemptions that seem to cover many photo situations.
Article 6, Lawfulness of processing, seems to cover event photography. For example, you might be photographing a Toronto conference where some of the guest speakers or attendees are EU residents. Even then, the conference should seek prior consent by adding suitable text in the conference program and/or on conference signage near the entrance to the effect that all attendees may be photographed. It should also briefly mention the purpose of that photography. If your pictures are going to be used in a way unrelated to the event or beyond journalistic-editorial-event coverage, you will probably need extra consent.
The interests of the photographer may include the wishes to pursue the professional activity, which is subject to professional or artistic freedom, or the interests of the organizer (as third-party interests) to document an event. These interests are to be weighed against the photographer’s interests. The interests of the photographer depend on his or her reasonable expectations. At public or large events, the photographer must expect the event to be documented in photographs. Secret or discrediting photographs, however, will not outweigh the photographer’s legitimate interests, so that such photographs predominantly cannot be taken on the basis of legitimate interests.
– GDPR FAQ
Freedom of expression and information
Article 85, Processing and freedom of expression and information, seems to allow for photography in many situations including journalism.
Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
– GDPR
There are exemptions for the press but this is for the journalistic press and not necessarily anyone who happens to have a camera, blog or social media account. Corporate public relations, for example, would not be considered as press.
The GDPR So Far
There doesn’t appear to be any case law or test cases involving photography and the GDPR. But a lawsuit settled last week between Prince Harry and Splash Picture Agency did mention data protection and misuse of private information.
I’ve also heard that people or publicists, acting on behalf of some EU-based celebrities, have asked (North American) photographers to remove photos of their celebrity from the photographers’ web sites. They claimed that it violated the GDPR. If the photographer refused, the celebrity’s people complained to Google which then removed the “offending” web page from search results accessible from within the EU.
Is the EU going to come after a non-complying photography business in Canada? Extremely unlikely. The main targets of the GDPR are larger companies and organizations that use/abuse personal information.
While the GDPR might not be a priority for North American photographers, you must still be aware of it as well as the privacy laws of your jurisdiction.
Please check the date of this article because it contains information that may become out of date. Tax regulations, sales tax rules, copyright laws and privacy laws can change from time to time. Always check with proper government sources for up-to-date information.
