GDPR and Photographers

Transcript of the Video

Good evening ladies and gentlemen, Suzanne Dibble here, data protection law expert coming to you raw and uncut. And today I'm talking to you photographers in the group. I've been promising to do a little video for you guys for a while now, and to be honest, I've been deferring because there's a lot to talk about. I'm going to try to do it as quickly and simply and succinctly as possible this evening. But thanks for all your questions in the group, some really interesting questions coming up about the issue of photography.

A lot around the question of consent, and I particularly like the question about Auntie Doris. So, you're at a wedding, taking photographs of the guests, and you've got your model release from your clients, and immediate family maybe, that allows you to use those photographs for your own purposes, for your promotions, sales, and marketing your samples albums, etcetera. And Auntie Doris is in the background of that photo and is recognizable. What's the position there?

Okay, so let's strip this back to the basics of GDPR. Now, firstly, what kind of data are we dealing with? Are photographs personal data? Well, without going into the ins and outs of the regulations, the quick answer is yes. I have read some articles on photography websites that suggest that the photograph is biometric data and that therefore it's sensitive data, and therefore you need a higher level of consent for photographs that can be identified. And indeed, I think someone in the group asked whether you have to go around blurring the faces of everybody.

Well, the first thing to say is that there is an instance where it can be biometric data and therefore sensitive data, but only if it's used for the purpose of uniquely identifying somebody. So, for example, at airport security barriers. So, typically, a photograph, where a face can be recognized, would not be biometric data, and therefore sensitive data, unless you're using it for the purposes of uniquely identifying somebody.

So that's the first thing to say. So, the next thing to look at, once you've worked out that its data that the GDPR and the data protection regulations cover, is to look at your ground of processing that data. Now, as we know, consent is just one of the grounds for processing. There are also the grounds to carry out the contract, to which the data subject is a party. There's processing that's necessary for compliance with legal obligations. And there is processing where it's necessary for the purposes of legitimate interests.

So, the first thing to think about is whether it is actually consented that is the ground for processing. Now, the other thing to consider is that consent can be oral, and that specifically is said in the regulations. So, if Auntie Doris is standing there, smiling away at the photograph with the rest of the guests, then the chances are she's given her consent. That's pretty good evidence of her consent.

Now, if on the other hand, Auntie Doris is raving it up on the dance floor in a compromising position that she would rather not have anybody see, then obviously that's a completely different situation, and I think that any responsible photographer would not be using that photo of Auntie Doris. But in terms of model releases, and this isn't specific to GDPR, but this is ... The thing is, with photography is, that there isn't one photography law, it's very much a mish-mash of lots of different laws that impact it. Certainly, the practice is to obtain a model release from the happy couple, or whoever you're photographing, and the key guests.

Now, what people often do where there are hundreds and hundreds of guests, and you can't obtain consent from everybody, is to have almost like an opt-out system, where there will either be a notice at the event, or there'll be an announcement to say the photographs are being taken, and if you don't want to be included in those photographs, to make yourself known to the photographer.

But, typically, you'll be getting a model release from the people who are paying you for the photography. So, in answer to one of the questions in the group, there was a question about filming course members and having them sign the releases, and then asking do we still need to blur their faces, well no, you don't, because they've consented to that. So as long as you're upfront about why you're doing that filming, and what it's going to be used for, then you don't need to blur the faces, they're consenting to that.

Okay, so ... Oh, let's just talk about children actually, on the subject of consent. Now, if you are getting the model releases in place, then, as I'm sure the majority of photographers will know, if they're under 18 then you would need their guardian to sign on their behalf. But just on that point of GDPR, it is actually a myth that parental consent is always required for processing data to do with children. That's only if it's based on consent, but as I said, there are obviously other grounds of processing. So, if it's for a legal obligation or legitimate interest, or even to fulfill a contract. Although that contract would need to be with the child, and as the child isn't able to sign the contract in his own right until he's 18, then you would still need the consent of the parent. But certainly, for legal obligations and legitimate interests, the parental consent would not be required for that.

Okay, so other issues specific to ... Oh, actually, before I go onto that we'll just talk about image storage because that's where consent comes in again. And, on the model release, that should include storage as well. But the general data retention rule in GDPR is that you shouldn't keep data for longer than it's necessary to do so. And, you know, how long is a piece of string? It's not black and white, it's very gray, and I'm sure there are lots of arguments as to you're keeping it too long, or whatever, it's a very gray area. But the general rule is don't keep it for longer than is necessary.

Now, if you have received in your model release the right to store that for your own purposes, or whatever, then that's absolutely fine. Now, coming into that is the question about the right to be forgotten. And indeed this is a new data subject right that is coming in with GDPR. And the thing to remember here, because I read about, there was a question in the group that was talking about the right to be forgotten in the context of having paid a model to come to a session and model. And what would happen if they exercised their right to be forgotten?

Well, the thing about the right to be forgotten is it's not an absolute right. You can continue to process data if the data remains necessary for the purposes for which it was originally collected, and you still have the legal grounds for processing it. So, in the example where you're paying a model, and you've photographed that model, then the ground for processing that data is contractual. So no consent is necessary there. So, in that instance, that right to be forgotten, it's not an absolute right, you would still be able to process that data. So you wouldn't have to erase all of that data and all of the images that you have taken of that model.

If your processing was based on consent, and they've withdrawn their consent, then obviously that's a different question, you'd have to let them exercise that right. So, what else did I want to say about image storage? Yeah, I think that's it. The key thing here is really just to make sure that your release includes storage as well.

Okay, so the other things that I think photographers also need to have in mind, which is it's not anything above what other industries need to think about in GDPR, and that is transfers of data. And that might be, for example, for album fulfillment, retouching services, email service providers, like Mail Chimp, Cloud storage, if you're storing your images on the Cloud. Then that is all going to be transfers of data to processes.

And then there are a couple of things to think about following on from that. One is where is the company located that you're transferring the data to? So, if you have Cloud storage and their service is based in the States, then that company needs to be party to the EU/US privacy shield. And I'm not going to go into more detail in this video, because I've already done a video on transfers to third countries. That's countries outside of the EEA, so do go and watch that if you're doing any transfers outside of the EEA.

The other thing is, is that if you are transferring data to a processor, so someone like somebody providing retouching services, then you will need to have the processor agreement in place, and only use a processor that is themselves compliant with GDPR. And I did a video about processors last night, so go and have a look at that too.

So, I think, just looking at my notes here, hopefully, I've picked up on all the questions there. But I think, again, GDPR isn't bringing in a massive change to the way that you've been working as photographers. And I think if you're sensible about your photography, then the chances are you're going to be absolutely fine. So, yes, you can pontificate about the exact nuances of GDPR, but I think if you work on the basis that you're being upfront with people and telling them what you're going to be doing with their data. I mean mainly here we're talking about using it for your own purposes. So if you're upfront with them, you're telling them what you're going to do with it, you're getting their consent. You're not posting any dodgy photos of Auntie Doris raving it up on the dance floor. You're going to be just fine.

Now, do remember that all of the other things that I talked about in relation to GDPR also apply to you. So, in terms of privacy policies and things like that. And what other videos can I direct you to? Transfers we've talked about, processes we've talked about. You're probably unlikely to need to appoint a data protection officer, but do watch the video on that, that sets out the criteria for that. Probably unlikely to have to carry out a DPI, a data privacy impact assessment. It's too late! But again, go watch the video on that, just in case.

And yeah, pretty much everything else that I've said about GDPR will apply to you. But these are the specific points that I just wanted to pick up for you guys. So, I hope that has in some way put your mind at rest. I think as I say if you're sensible about things, the chances are you're not going to go too far wrong. I mean the whole thing with GDPR, if you're sensible and you're not doing anything that is impacting on somebody's privacy, then you're going to be fine. So just a sense check really.

And in terms of the marketing, in terms of using the images in your own marketing, then the consent really is the same as the consent for any other type of marketing. So, just re-watch my training, I did a two-hour training that was very much focused all on consent for marketing purposes, so go have a watch of that.

All right, I think I'm going to leave it there. Thanks so much for watching, all of you photographers, there are lots of you in the group. But please do feel free to share the group ... Excuse me, I've not got any water ... But please do feel free to share the group with other photographers, or photography groups that you're in. And if any of you, I have researched whether photography bodies have done a GDPR for photographers fact sheet or something like that, and I haven't been able to find anything. So, dear me, it's past midnight, the body's shutting down. If you do come across something like that from an official body, rather than just a blog from a photographer, not that they're all wrong, but some of them are, then I'd be really interested in seeing that. So do let me know.

So there you go, I hope that helps, and with that, I'm going to go to bed. Goodbye.