GDPR and street photography

13 February 2018

SIG: Contemporary

The author of this blog is not a lawyer!

The GDPR (General Data Protection Regulation) seeks to create a harmonised data protection law framework across the EU and aims to give citizens back control of their personal data, whilst imposing strict rules on those hosting and 'processing' this data, anywhere in the world. The Regulation also introduces rules relating to the free movement of personal data within and outside the EU.  Whilst clearly targeted at businesses there may be some implications for individual photographers.

Personal data is defined as any information relating to an identified or identifiable natural person.  In a computing sense this includes online identifiers, such as IP addresses and cookies if they are capable of being linked back to the data subject.  It also includes information such as physical, physiological, genetic, mental, economic, cultural or social identities that can be traced back to a specific individual.

Don’t photographs often include physical, economic, cultural or social identities that can be traced back to an individual?

A person’s face is considered as biometric information or data.  The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.  It is one of the “special categories of personal data” that can only be processed if:
• The data subject has given explicit consent;
• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the fields of employment and social security and social protection law;
• Processing is necessary to protect the vital interests of the data subject;
• Processing is necessary for the establishment and exercise of defence of legal claims; or
• Processing is necessary for reasons of public interest.

One context for managing data is if one has a photography business; for this I think it’s clear that such businesses will have databases of clients, contact details etc., plus archived client images.  Such businesses might have been aware of previous data protection legislation and perhaps know a little about what’s coming with GDPR which covers data security and how you keep data safe from hackers, issues around deleting records, backups etc. if the data subject requests it, plus the use of facial recognition technology.

Individual project focussed photographers might not have been so concerned, e.g. consider a street photographer working and perhaps gathering images to create a photobook.  Do they stop every subject and ask for a model releases for any potential commercial use?  If the book is made and sold then there could be an issue here?  Ok, in the UK there’s freedom to take images in public places but for me it’s a guess as to the impact of GDPR if someone objected to their image appearing in a photobook.

What about my Adobe Lightroom catalogue? It’s a database and it has pictures of people in it.  This and other software have built-in facial recognition features.  I’ve not seen anything in the GDPR that covers personal (non-business) photographers’ managing their image databases in terms of the individuals captured in those images, keywords, filenames and recognised faces.  But what if I make and sell a book?

What about the likes of Facebook, Twitter, Instagram etc... are going to receive a lot of requests of people to remove images using GDPR legislation?  Where social media companies archive the data of EU citizens is something that may be covered also?

GDPR becomes law 100 days from today.  Do you know how it will affect you?

My sources for this blog include


Image downloaded from


Comments (6)

Mark Buckley-Sharp
09 August 2018

A post-script
It would be less than desirable for the RPS to issue GDPR advice to photographers. If they did it alone, they would be held liable. If they did it through lawyers you would get such a convoluted mess it would be of little use.
Best to rely only on the ICO advice (which is diffuse enough).

Report this comment
Mark Buckley-Sharp
09 August 2018

Just discovered this blog.
To answer one specific question, personal data obtained and used for purely domestic purposes is and always has been completely exempt from the data protection legislation. That means pictures including identifiable people which you have in your personal collection are exempt and you don't have to take any action.
The issue arises however if you choose to share, publish or exhibit pictures of identifiable people. As commented, images are only sensitive data if they are processed specifically in order to identify the person, not as casual recognition by an acquaintance. As I understand it, you need to distinguish between 'editorial' use of an image and 'advertising' use. Provided that the image is treated entirely as fact of the person's presence then there is unlikely to be a problem.
Exotic travel shots with people who have not specifically consented are shared. There are apps to make people look rather silly, and they get shared. It s sensible to consider these matters, but it's also necessary to keep a sense of proportion.

Report this comment
Paul French - Vidibiz
09 April 2018

Simple question, I have 100's of photographs of people I have collected over the years all stored in my Lightroom Library system, I cannot/will not contact any of them now . Do I have to delete them all or can I keep them when GDPR hits?

Report this comment
01 March 2018

hi, I have communicated with the ICO about this. they say:

"The GDPR allows member states to introduce exemptions/derogations. These will be set out in the Data Protection Bill - it's likely there will be a similar exemption for personal data processed for the purposes of "journalism, literature and art" but as the Bill has not yet been approved and adopted by Parliament, we can't yet confirm what those exemptions will be.

In relation to street portraits of individuals; these will not be 'biometric' data. "

Report this comment
21 February 2018

Thanks for raising this important issue. I have recently joined the Contemporary Group. I am Secretary of the South Wales Regio. Could the RPS obtain expert legal advice to inform all members and/or run a seminar for members ? I think it is important to get expert advice, especially with the current UK Government determined that Brexit will happen by March 29 2019. However this GDPR legislation will apply as we will still be members. Some information is given here on this URL about the post BREXIT period and this seems to be a useful summary

Anyone can object to anything being posted on social media and I have done so on many occasions and I also know of people who have in the past been prosecuted for taking film photos of their kids in a bath and being reported to the police by the establishment who processed the film.

Can we get confirmation that data protection laws will apply equally the same in all current EU countries and will social media providers comply as a lot of them are based in the US and subject to different legislation ?

Sorry to raise a lot of questions - it seems a minefield to be honest.

Rhys Jones

Report this comment
Paul Gilmour
14 February 2018

Thanks. You raise an important issue about data protection generally and should be noted by all. It is also interesting to learn what guidance The RPS deliver to photographers and members on this issue, in line with their new Strategic Plan 2018-2023.

Not much has changed and from the Data Protection Act. There is still a requirement to lawfully process personal data. This does include any information that can identify an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Examples include including name, identification numbers, email address, home addresses etc. but it is noteworthy that it now includes online identifiers (IP address etc.), genetic information and location data (eg. GPS coordinates).

Images themselves are included – yes, especially if it can clearly identify someone within. However, I would be most mindful about the detail contained within meta-data embedded in a file, the sharing of images and how they are stored.

Regarding ‘sensitive personal data’, processing photographs is not included as sensitive data unless it holds biometric data for the purpose of identification (think facial recognition software).

The GDPR is wider reaching and fines for non-compliance are heftier. It also places more obligation on the data controller in how data is processed, most significantly around informed consent.

So most street photographers need not worry. It does not mean street photography is not allowed. All photographers and businesses should be aware of their obligations under the new GDPR. It is worth having a look at the ICO website:


Report this comment