GDPR – Something restrictive this way comes
While the Beast from the East batters our land, it’s a different storm worrying photographers : the new General Data Protection Regulations, or GDPR.
There are a lot of loops that self-employed photographers, like me, have to jump through. One of those loops, the Data Protection Act, is changing shape and name. The General Data Protection Regulations, or GDPR, come into effect on the 25th May. However, the General Data Protection Bill (which turns it into British law) does not get it’s second reading until 5th March 2018, so it is not sure it will be implemented at the same time.
How will GDPR affect photographers?
I should start by saying that I am not a legal expert and this is how I am interpreting the state of play at the moment after lots of reading and contacting the Information Commissioner’s Office (ICO). There is plenty of other information for small businesses out there about the changes in the law, but not much clear information about photography. So this post is purely about that.
Is my work purely art?
Under the current Data Protection Act exemptions exist for photographers for images taken as art and for journalism.
Speaking with the Information Commissioner’s Office they said, “The GDPR allows member states to introduce exemptions/derogations. These will be set out in the Data Protection Bill – it’s likely there will be a similar exemption for personal data processed for the purposes of “journalism, literature and art” but as the Bill has not yet been approved and adopted by Parliament, we can’t yet confirm what those exemptions will be. ”
Out with the Old
Under the old Data Protection Act 1998, there was definite provision for art and journalism.
“32. Journalism, literature and art.
(1)Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—
(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,
(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and
(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.”
In with the new
The proposed GDP Bill is worded differently.
“Journalistic, academic, artistic and literary purposes
24 (1) In this paragraph, “the special purposes” means one or more of the
(a) the purposes of journalism;
(b) academic purposes;
(c) artistic purposes;
(d) literary purposes.
Schedule 2 — Exemptions etc from the GDPR
Part 5 — Exemptions etc based on Article 85(2) for reasons of freedom of expression and information
(2) Sub-paragraph (3) applies to the processing of personal data carried out for
the special purposes if—
(a) the processing is being carried out with a view to the publication by
a person of journalistic, academic, artistic or literary material, and
(b) the controller reasonably believes that the publication of the material would be in the public interest.
(3) The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes.”
Am I exempt?
That’s a lot of legalese, but I interpret that as, if produced for purely artistic purposes, photography will continue to be exempt from data protection laws.
So, an amateur street photographer taking candid shots in the street will be exempt from the the Regulations. The arts are free of constraint, according to the EU Charter of Fundamental Rights.
(I should point out that the current government are making noises about removing us from the EU Charter of Fundamental Rights. So things may change in the future. Our current freedoms of expression may change or disappear altogether.)
If I am reading the law correctly, and I reiterate I am not a lawyer, photographs would only be able to be used without the law applying if used for journalistic/academic/artistic or literary purposes.
So, if I took a photograph of you on the street and published it as art, then it would be exempt. I would be carrying out my freedom of expression. But, I do need to limit the use of that photograph to just that purpose. If I were to use your image for advertising, or I sold you copies in return for you letting me use your image, then that becomes data and the GDPR rules come into force.
Carrying out the ICO’s online test, I have to be registered for my work. I would be hard pushed to see any circumstances where a professional photographer would be exempt.
The exemption is unlikely to hold if you enter into a contract with the subject. Therefore, wedding photographers should ask the couples to make their guests aware of who the photographer is and individuals should have the option of not being photographed. That makes life really difficult for documentary photographers. Permission should certainly be sought before wedding shoots are used for publicity.
A contract does not necessarily mean the exchange of money. Just promising to send a copy of a photograph to someone in return for letting you take their photograph is a contract. Then the photographer should get a model release form signed.
Be extra aware of photographing children. Always seek written parental permission before using a picture, sharing it on Facebook or Instagram, even in private groups. If you attend a youth event and promis photographs of the children for a club or organisation, then that is entering into a contract. The new regulations are –quite rightly– very strict regarding children’s data.
Are street photographs of people biometric data?
This is a regularly debated topic and the answer from the ICO is no.
“In relation to street portraits of individuals; these will not be ‘biometric’ data.” Even so, I would be cautious about uploading to public sites photographs that contain people’s names or other information that may be sensitive.
Occasional Professionals Beware!
Most professional photographers will be prepared for GDPR. Some won’t.
Those who should worry are all the ‘semi-professional’ or ‘semi-amateur’ photographers who just shoot the occasional event, or sell the odd print. These are often not even registered as self-employed and are not insured. They are unlikely to comply with the current Data Protection Act. The new fine for failing to comply, which includes registration, is jumping up from a few thousand pounds to €10 million.
The ICO have been quite good at giving guidance instead of fines to date, but the new laws are stricter. One complaint from a parent whose child’s photo was shared without permission, or you sending an unsolicited email to a former client without their permission, could start an avalanche of penalties. Will HMRC or DWP look at people investigated by the ICO? Will they jump on those who try making an untaxed income from selling photographs? Will they also be studying the lists of people who are registered with the ICO to see if they are registered as self employed?
Now is a good time to either legitimise your business or step away from it altogether.
For those businesses and individuals who use photographers, searching the ICO database is a good guide to whether the photographer is a legitimate and trustworthy business.