GDPR and street photography

13 February 2018

SIG: Contemporary

The author of this blog is not a lawyer!

The GDPR (General Data Protection Regulation) seeks to create a harmonised data protection law framework across the EU and aims to give citizens back control of their personal data, whilst imposing strict rules on those hosting and 'processing' this data, anywhere in the world. The Regulation also introduces rules relating to the free movement of personal data within and outside the EU.  Whilst clearly targeted at businesses there may be some implications for individual photographers.

Personal data is defined as any information relating to an identified or identifiable natural person.  In a computing sense this includes online identifiers, such as IP addresses and cookies if they are capable of being linked back to the data subject.  It also includes information such as physical, physiological, genetic, mental, economic, cultural or social identities that can be traced back to a specific individual.

Don’t photographs often include physical, economic, cultural or social identities that can be traced back to an individual?

A person’s face is considered as biometric information or data.  The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.  It is one of the “special categories of personal data” that can only be processed if:
• The data subject has given explicit consent;
• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the fields of employment and social security and social protection law;
• Processing is necessary to protect the vital interests of the data subject;
• Processing is necessary for the establishment and exercise of defence of legal claims; or
• Processing is necessary for reasons of public interest.

One context for managing data is if one has a photography business; for this I think it’s clear that such businesses will have databases of clients, contact details etc., plus archived client images.  Such businesses might have been aware of previous data protection legislation and perhaps know a little about what’s coming with GDPR which covers data security and how you keep data safe from hackers, issues around deleting records, backups etc. if the data subject requests it, plus the use of facial recognition technology.

Individual project focussed photographers might not have been so concerned, e.g. consider a street photographer working and perhaps gathering images to create a photobook.  Do they stop every subject and ask for a model releases for any potential commercial use?  If the book is made and sold then there could be an issue here?  Ok, in the UK there’s freedom to take images in public places but for me it’s a guess as to the impact of GDPR if someone objected to their image appearing in a photobook.

What about my Adobe Lightroom catalogue? It’s a database and it has pictures of people in it.  This and other software have built-in facial recognition features.  I’ve not seen anything in the GDPR that covers personal (non-business) photographers’ managing their image databases in terms of the individuals captured in those images, keywords, filenames and recognised faces.  But what if I make and sell a book?

What about the likes of Facebook, Twitter, Instagram etc... are going to receive a lot of requests of people to remove images using GDPR legislation?  Where social media companies archive the data of EU citizens is something that may be covered also?

GDPR becomes law 100 days from today.  Do you know how it will affect you?

My sources for this blog include


Image downloaded from


Comments (1)

Paul Gilmour
14 February 2018

Thanks. You raise an important issue about data protection generally and should be noted by all. It is also interesting to learn what guidance The RPS deliver to photographers and members on this issue, in line with their new Strategic Plan 2018-2023.

Not much has changed and from the Data Protection Act. There is still a requirement to lawfully process personal data. This does include any information that can identify an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Examples include including name, identification numbers, email address, home addresses etc. but it is noteworthy that it now includes online identifiers (IP address etc.), genetic information and location data (eg. GPS coordinates).

Images themselves are included – yes, especially if it can clearly identify someone within. However, I would be most mindful about the detail contained within meta-data embedded in a file, the sharing of images and how they are stored.

Regarding ‘sensitive personal data’, processing photographs is not included as sensitive data unless it holds biometric data for the purpose of identification (think facial recognition software).

The GDPR is wider reaching and fines for non-compliance are heftier. It also places more obligation on the data controller in how data is processed, most significantly around informed consent.

So most street photographers need not worry. It does not mean street photography is not allowed. All photographers and businesses should be aware of their obligations under the new GDPR. It is worth having a look at the ICO website:


Report this comment