GDPR and street photography

13 February 2018

SIG: Contemporary

The author of this blog is not a lawyer!

The GDPR (General Data Protection Regulation) seeks to create a harmonised data protection law framework across the EU and aims to give citizens back control of their personal data, whilst imposing strict rules on those hosting and 'processing' this data, anywhere in the world. The Regulation also introduces rules relating to the free movement of personal data within and outside the EU.  Whilst clearly targeted at businesses there may be some implications for individual photographers.

Personal data is defined as any information relating to an identified or identifiable natural person.  In a computing sense this includes online identifiers, such as IP addresses and cookies if they are capable of being linked back to the data subject.  It also includes information such as physical, physiological, genetic, mental, economic, cultural or social identities that can be traced back to a specific individual.

Don’t photographs often include physical, economic, cultural or social identities that can be traced back to an individual?

A person’s face is considered as biometric information or data.  The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.  It is one of the “special categories of personal data” that can only be processed if:
• The data subject has given explicit consent;
• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the fields of employment and social security and social protection law;
• Processing is necessary to protect the vital interests of the data subject;
• Processing is necessary for the establishment and exercise of defence of legal claims; or
• Processing is necessary for reasons of public interest.

One context for managing data is if one has a photography business; for this I think it’s clear that such businesses will have databases of clients, contact details etc., plus archived client images.  Such businesses might have been aware of previous data protection legislation and perhaps know a little about what’s coming with GDPR which covers data security and how you keep data safe from hackers, issues around deleting records, backups etc. if the data subject requests it, plus the use of facial recognition technology.

Individual project focussed photographers might not have been so concerned, e.g. consider a street photographer working and perhaps gathering images to create a photobook.  Do they stop every subject and ask for a model releases for any potential commercial use?  If the book is made and sold then there could be an issue here?  Ok, in the UK there’s freedom to take images in public places but for me it’s a guess as to the impact of GDPR if someone objected to their image appearing in a photobook.

What about my Adobe Lightroom catalogue? It’s a database and it has pictures of people in it.  This and other software have built-in facial recognition features.  I’ve not seen anything in the GDPR that covers personal (non-business) photographers’ managing their image databases in terms of the individuals captured in those images, keywords, filenames and recognised faces.  But what if I make and sell a book?

What about the likes of Facebook, Twitter, Instagram etc... are going to receive a lot of requests of people to remove images using GDPR legislation?  Where social media companies archive the data of EU citizens is something that may be covered also?

GDPR becomes law 100 days from today.  Do you know how it will affect you?

My sources for this blog include


Image downloaded from


Comments (8)

10 September 2018

Mike Naylor's comment and story from 9th September 2018 has only a tenuous link to GDPR but is certainly important in terms of understanding your rights as a photographer. Mike's story is a horrible one but reminds us of two things - rights and norms are different in other countries.

In the UK we are blessed with a law that protects the rights of the photographer to take an image if he/she is standing on public ground - but please be aware this is not universally true and in some countries the rights may be completely reversed!

Even in the UK one might be challenged by someone who doesn't want their image taken and defending your rights can be come uncomfortable (and even violent with some idiots)... Handling that requires tact - and quite some nerve on behalf of the photographer. Agreeing to delete an image can diffuse the situation. Asking if someone minded you taking the image also prevents a problem - a "no" (or stronger language) is a no-harm response.

Good information on photographer's rights in the following blog:

Regarding deleting images from your memory card, do you know that once back in the comfort of your home you can simply undelete..? If you need to delete an image to pacify a situation just stop using that memory card after you walk away, then so long as you've not taken new images on the card the data you still have a high possibility to recover the deleted images. There's plenty of 3rd party utilities to do that, but some memory card companies provide a link to download their undelete tool when you buy their device.

Report this comment
Mike Naylor
09 September 2018

Having just been assaulted after taking one single shot of a couple sitting on a bench in a very public place in Amsterdam, I’m feeling reluctant to go out with my camera ever again. The began by shouting something about his copyright before grabbing my and then my camera, demanding I delete the image. It took several helpful tourist to restrain him, but not befor I proved to him the picture was gone. So what is legal and what is not? Is street photography allowed? Will the RPS please clarify how this GDPR applies to street photography

Report this comment
Mark Buckley-Sharp
09 August 2018

A post-script
It would be less than desirable for the RPS to issue GDPR advice to photographers. If they did it alone, they would be held liable. If they did it through lawyers you would get such a convoluted mess it would be of little use.
Best to rely only on the ICO advice (which is diffuse enough).

Report this comment
Mark Buckley-Sharp
09 August 2018

Just discovered this blog.
To answer one specific question, personal data obtained and used for purely domestic purposes is and always has been completely exempt from the data protection legislation. That means pictures including identifiable people which you have in your personal collection are exempt and you don't have to take any action.
The issue arises however if you choose to share, publish or exhibit pictures of identifiable people. As commented, images are only sensitive data if they are processed specifically in order to identify the person, not as casual recognition by an acquaintance. As I understand it, you need to distinguish between 'editorial' use of an image and 'advertising' use. Provided that the image is treated entirely as fact of the person's presence then there is unlikely to be a problem.
Exotic travel shots with people who have not specifically consented are shared. There are apps to make people look rather silly, and they get shared. It s sensible to consider these matters, but it's also necessary to keep a sense of proportion.

Report this comment
Paul French - Vidibiz
09 April 2018

Simple question, I have 100's of photographs of people I have collected over the years all stored in my Lightroom Library system, I cannot/will not contact any of them now . Do I have to delete them all or can I keep them when GDPR hits?

Report this comment
01 March 2018

hi, I have communicated with the ICO about this. they say:

"The GDPR allows member states to introduce exemptions/derogations. These will be set out in the Data Protection Bill - it's likely there will be a similar exemption for personal data processed for the purposes of "journalism, literature and art" but as the Bill has not yet been approved and adopted by Parliament, we can't yet confirm what those exemptions will be.

In relation to street portraits of individuals; these will not be 'biometric' data. "

Report this comment
21 February 2018

Thanks for raising this important issue. I have recently joined the Contemporary Group. I am Secretary of the South Wales Region. Could the RPS obtain expert legal advice to inform all members and/or run a seminar for members ? I think it is important to get expert advice, especially with the current UK Government determined that Brexit will happen by March 29 2019. However this GDPR legislation will apply as we will still be members. Some information is given here on this URL about the post BREXIT period and this seems to be a useful summary

Anyone can object to anything being posted on social media and I have done so on many occasions and I also know of people who have in the past been prosecuted for taking film photos of their kids in a bath and being reported to the police by the establishment who processed the film.

Can we get confirmation that data protection laws will apply equally the same in all current EU countries and will social media providers comply as a lot of them are based in the US and subject to different legislation ?

Sorry to raise a lot of questions - it seems a minefield to be honest.

Rhys Jones

Report this comment
Paul Gilmour
14 February 2018

Thanks. You raise an important issue about data protection generally and should be noted by all. It is also interesting to learn what guidance The RPS deliver to photographers and members on this issue, in line with their new Strategic Plan 2018-2023.

Not much has changed and from the Data Protection Act. There is still a requirement to lawfully process personal data. This does include any information that can identify an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Examples include including name, identification numbers, email address, home addresses etc. but it is noteworthy that it now includes online identifiers (IP address etc.), genetic information and location data (eg. GPS coordinates).

Images themselves are included – yes, especially if it can clearly identify someone within. However, I would be most mindful about the detail contained within meta-data embedded in a file, the sharing of images and how they are stored.

Regarding ‘sensitive personal data’, processing photographs is not included as sensitive data unless it holds biometric data for the purpose of identification (think facial recognition software).

The GDPR is wider reaching and fines for non-compliance are heftier. It also places more obligation on the data controller in how data is processed, most significantly around informed consent.

So most street photographers need not worry. It does not mean street photography is not allowed. All photographers and businesses should be aware of their obligations under the new GDPR. It is worth having a look at the ICO website:


Report this comment