GDPR and photography

Christopher Graham, former Information Commissioner. Photo © Paul Clarke

Since the very earliest whispers of a revamp of data protection law, I’ve been looking for some clarity on its implications for my profession. As it came in, I looked even harder. It’s been up and running for over 2 years now, and I’ve still been looking.

What, precisely, does GDPR mean for photographers (and those who commission, or use, photographs?)

GDPR – the General Data Protection Regulation – conceived at EU level, and implemented in member states (let’s not get into Brexit implications just yet, ok?) sets out a series of principles, expectations and requirements for the processing of data about individuals.

What it is not is a case-by-case set of rules, or even examples, that are readily recognisable in a photographer’s world. And as well as being a bit frustrating, that’s also quite interesting. Why would that be the case?

I can think of a few potential reasons: that nobody’s really thought it through at that level; that the number of potential use cases is so vast that any attempt to corral them all as examples will have big holes in it; that the implications of drawing boundaries too tightly or too loosely could be horrendous; or maybe that it’s only through lots of cases being studied and adjudicated by courts and the regulator (the Information Commissioner’s Office: ICO, in the UK) that we’ll get a clear picture.

Possibly a bit of all of these is going on: and something else, too. What if GDPR is more about the journey than the destination? About a process to follow, rather than a set of rigid rules. The more I’ve read, the more I lean to this view. Sure, you can find all sorts of posts on the internet by lawyers who do the usual lawyering thing: we think it might mean this, so err on the safe side and gold-plate your business against any possible risk by… (and there usually follows some prescription for ensuring every person who might appear in a photo has signed their consent to do so).

And before I get to what GDPR actually gives us, a quick word about the territory it lives in. Historically, English law has recognised no general right of privacy. There is a patchwork of laws, from rules about public and private space, to offences of harassment, and regulation of what can be done with our data (to bring us back to the topic of this article) – but it’s fair to say that there’s a mismatch: public appetite or desire for privacy protection is undersupplied by what the law can actually offer.

With such a mismatch, it’s inevitable that popular myths will flourish. You can’t use my photo without my permission! You can’t publish personal information about me! You can’t just take photos of children at all, ever. I’m not going to delve into these examples in detail in a short post, but I think any reading of GDPR in relation to photography has to be done through this lens of regulatory undersupply. In short: we want more than GDPR gives us.

So what does it give us? Boiled down to its bare essentials, I see it as having two main components with particular relevance for photographers. One is a set of 6 justifications (“legal bases”, in the jargon) for processing personal data. The other is a process for thinking about, and drawing up, a privacy policy that you make available for the world to see. This will cover off things like how you approach nitty-gritty matters like the withdrawal of consent by a photo subject, and how you’ll go about demonstrating that you’re managing personal data responsibly.

Between them, they form the core of what photography practitioners should be doing. You should have a privacy policy (there’s a template here) and you should know under which of the 6 bases you are “processing” data (i.e. taking and storing photos).

The two bases that feature most in my working world are “consent” and “legitimate interests”. They’re worth a bit of attention. (I am simplifying heavily here for obvious reasons, but if you take nothing else from this article, it’s that anyone who trots out a list of “you musts” and “you can’ts” without referring to this framework of bases is talking through their arse. To put it technically.

So. You can elect to demonstrate ‘consent’ from all your photographic subjects. You will enter a world of bureaucracy and form-filling; of interruptions to flow, and of fraught assessments about whether someone is or isn’t prominent enough in a frame to justify their own consent form. As the updated aphorism might say: “Two’s consent, but three’s a crowd.” You might end up shooting very little indeed, and having a lot of stress. Or you could look at “legitimate interests” as your chosen basis.

Now, I’m just a jobbing photographer, and not a lawyer, and certainly not a Data Protection Consultant – they will have their opinions, but you must form your own view (that’s how all this works) – but I like the way that “legitimate interests” is constructed. Essentially, it’s a test of reasonableness. Are the rights of the parties involved – say someone running an event and wanting marketing images, and the delegates attending the event – in an appropriate balance? Have you done sensible things to help establish that balance? Perhaps by putting up signs about photography, or avoiding shots that might be considered ‘riskier’ in terms of their content? (You know the sort of thing I mean.)

Basically, if you are trying to do something that’s pushing at boundaries; e.g. taking strongly identifiable images of prominently-featured individuals that you intend to try and sell for use as commercial stock images even though they were taken in the guise of general event background pictures, then you will fall foul of this test of reasonableness. And quite rightly too, frankly.

As with other matters of photography ethics, it’s up to us as practitioners (and commissioners) of photography to have our own clear lines and understanding on this. Beyond GDPR there are other things you should be aware of (the privacy protections in Article 8 of the Human Rights Act, for one – fall foul of that, and you’ll be falling foul of GDPR). And I’m sure that as GDPR matures, we’ll get more case law, and other worked examples emerging to guide us.

But until then, don’t fret that you can’t find a rigid set of rules, or a description of how to handle every single case that you may find when working as a photographer. Instead: have a privacy policy, have a working knowledge of the bases for lawful processing, be able to articulate these clearly, and you won’t go far wrong.

Leave a Reply

Your email address will not be published. Required fields are marked *