Photography, Video & GDPR or the General Data Protection Regulation are explicitly linked as the GDPR treats certain images as an extension of the data that Photographers and Videographers keep about their clients. If you're reaction to this is "so what?", then you need to know that GDPR becomes law on 25 May 2018, and supersedes the UK Data Protection Act of 1998.
For the legally minded, the way this works is that similar to the Data Protection Act, GDPR is concerned with "personal data" and makes it clear for the first time that definition includes online data such as photographs which can be classified as biometric data. The reason is that technology is now sufficiently advanced to make facial recognition, as implemented in Adobe Lightroom for example, an identifier.
The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.
Use of facial recognition technology
Be aware that Adobe Lightroom and Apple Photo have facial recognition features. Although this is a grey area at present, it is a feature that I won't be using until I get clarity. A persons face is considered as biometric information or data and it follows that it is one of the special categories of personal data that can only be processed if:
- The data subject has given explicit consent
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the fields of employment and social security and social protection law;
- Processing is necessary to protect the vital interests of the data subject;
- Processing is necessary for the establishment and exercise of defence of legal claims; or
- Processing is necessary for reasons of public interest.
Businesses in the UK are used to the requirements of the Data Protection Act in that it applies to the records we keep, names, addresses, phone numbers etc. Everything in the Data Protection Act is also included in GDPR. However, GDPR has a wider brief in that it applies to automated personal data as well as manual records. That includes photographs where it is possible to identify the subject.
Overview of GDPR Requirements
Something Photographers and Video makers need to be on top of is that the responsibility for safeguarding the rights of individuals and their data is divided into two categories - "Controllers" and "Processors" under GDPR.
In general terms, a photographer or videographer could be a processor or a controller depending on how they use the data. The definition of processing can be useful in determining the sort of activities an organisation can engage in and what decisions it can take within its role as a data processor. A data processor’s activities must be limited to the more ‘technical’ aspects of an operation, such as data storage, retrieval or erasure.
Activities such as interpretation, the exercise of professional judgement or significant decision-making in relation to personal data must be carried out by a data controller. This is not a hard and fast distinction and some aspects of ‘processing’, for example ‘holding’ personal data, could be common to the controller and the processor.
Given these distinctions, the law applies in the following way.
- Processors - A new legal requirement to maintain records of personal data and processing activities.
- Controllers - are expected to ensure that their contracts with Processors comply with GDPR.
In the course of a shoot, this means that the Photographer or Videographer is the Processor and is responsible for the obtaining and maintaining of consents. After the shoot, the process of adding those records to a category in a mailing list makes the Photographer a Controller.
The Public's Rights
Outside the shoot, the GDPR includes certain rights for photographer's clients:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Companies such as ours that work in Broadcasting will already be doing this. It means that people appearing in a film or photograph should be informed that they are being filmed. That they must be allowed access to the data i.e .be able to get a copy of it. They must be able to have their data corrected or erased. The right to restrict processing can be implemented by adopting a granular approach in consent forms - we're all familiar with the tick boxes that give a company permission to send marketing materials from themselves or their partners.
The right to object is implemented by most videographers in the form of a notice that says "There is a film crew recording this event. If you object to being filmed please make yourself know to a member of the crew." Best practice is to reserve an area that is not in shot for the sole use of objectors so that they are not excluded from the event.
The right not to be subject to automated decision-making including profiling applies to the use of artificial intelligence and I would think is outside the scope of most video and photography companies.
What do Photographers need to do to be compliant?
Refer to the ICO documentation - ICO is the body responsible for implementing GDPR in the UK
In practice for photographers and videographers, this comes down to the way data is gathered and the way it is processed.
In terms of data gathering, Photographers are compulsive networkers - with the GDPR's recognition that sole traders are private individuals, it will be technically illegal to add somebody's email address to a marketing list if they are a sole trader and their details were obtained from a business card at a networking event. They have to explicitly opt in to have their details harvested in this way.
To summarise, there are a lot of new responsibilities on photographer and videographers that are now enshrined in law. Broadly these are coming from a good place - the use of AI for example needs to be regulated to protect human rights. There is nothing too onerous for videographers that work in broadcasting to implement, it will mean a step up for many photographers, but a step up towards better practice. That's a good thing.
Position of the Council at first reading with a view to the adoption of a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)