Actually I am little bit worried about the issue with GDPR. (you can find the english version in the internet)
In this article I will concentrate on GDPR in the context of Streetphotography and not on the other german laws like ‘Kunsturhebergesetz’.
There are some interesting publications from laywers in the internet (just google for it…), where you can find opinions in case of the GDPR especially for professional photographers. In this article I’d like to take a closer look on GDPR for amateur street photographers.
Important note: I am no expert on this issue! So if you are seeking for professional advice please contact a lawyer. In the following I will only describe my personal opinions about GDPR.
Are amateur photographers affected by GDPR?
In Art. 2 Para. 1 GDPR is written, that the regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. That means, that unlike the case of ‘Kunsturhebergesetz’ not the act of publishing is significant, but the point of taking the photo with your electronic device like digital camera or smartphone.
It is important for amateur photographers what is written in Art. 2 Para. 2c) GDPR: This Regulation does not apply to the processing of personal data:
…
(c) by a natural person in the course of a purely personal or household activity.
It will be interesting how the juries in a trail will judge this point. Because if I am an amateur photographer – and so I am logically a private person – and I am taking a photo with my private camera on the street and no other person will ever see the photo, then the photo will never leave my personal sphere. In my opinion the case of Art. 2 Para. 2c) GDPR is given.
Only in the moment, the picture will leave my private sphere, e.g. if I will publish the photo, then Art. 2 Para. 2 GDPR could be affected. That means there will be no difference to ‘Kunsturhebergesetz’.
Biometry or Identification of shown Persons
According to Art. 3 Nr. 1 GDPR ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). That means, that because of the picture somebody could match the shown person with the identity of the person. So if I will take a photo from back of a person, nobody could match the identity (except the person shows his name on the back…).
So a picture like this, is not critical:
Because of that, pictures will be critical, if the face of a person will be shown. Presumable the person on the following picture will could not be identified (at most the tattoos could be a problem):
So it will be interesting, if a face of a person is on the picture. In this case an identification will be possible by a biometrical process.
Then take a look into Art. 4 Nr. 14 GDPR: ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
I don’t want to talk about procedures like Elastic-Graph-Matching or other methods in detail. But as an acid test you can use Facebook: If the face detection of Facebook will match, then the identification with biometrical systems is possible.
A note because of an article from ‘Spiegel Online’: The protection of GDPR is only given in the case of persons, not in the case of animals! So if you like to show your cat in the internet, even if you are a professional photographer, feel free to go on.
Twilight area: it will be interesting, how powerful automatic face detection will be in the future. Is it possible to detect persons with big sunglasses? Or persons only shown in profile? I think, that in this cases conflicts are possible.
Now an example for a photo with a person in profile:
permission by the person which is shown
In the case that personal data in the meaning of GDPR is given, because the face can be recognized and the person can be identified, then according to Art. 6 Para. 1a) GDPR you will need a permission by the person which is shown in the picture.
I didn’t found a note in GDPR, at which point the permission must be given. So in my opinion a ‘healing’ permission could also be given afterwards.
According to Art. 7 Para. 3 GDPR a written permission by the shown person could be cancelled by the person afterwards.
Results of missing permission
If there is no permission, although personal data was processed, then the affected person could demand the deletion of the picture.
The amateur photographer has to pay for any legal costs of the affected person in this case. But in my opinion the judges will only accept a trail, if out-of trail agreements have failed before.
Of course it could be very expensive if the supervisory authorities will impose a penalty, which could be up to 20 million Euro.
What does that all mean in practice?
Basically in the case of missing permission the ‘Kunsturhebergesetz’ was relevant so far. If there was no permission according to this law, some street photographers referred to artistic freedom in this case which means the photo will be legal. Because of a recent statement from the ministry of interior of Germany (can be found with Google) the authorities in Germany are the meaning, that ‘Kunsturhebergesetz’ is furthermore the main law. In the end there will be no significant change in practicing Streetphotography. Only storing and processing picture could be more complex because of data protection.
It will be also interesting, how the juries in Germany will interpreting the enabling act in Art. 85 Para. 2 GDPR. The question is, if the ‘Kunsturhebergesetz’ is furthermore the special law with priority over GDPR.
UPDATE: Meanwhile there are some statements from the EU and the Governement in Germany, that the ‘Kunsturhebergesetz’ is further the special law for private photographers and not the GDPR. But if you are a private photographer and you have a blog, you have to follow GDPR in terms of the data handling of your blog (e.g. comments etc.). If you are looking for news about GDPR just google it or you will find a good overview at https://www.fotorecht-seiler.eu/dsgvo-fotografie-kug-update/ (in German).
Laywers specialized on Warnings
It seems to me, that lawyers specialized on warnings are german phenomenon. Some authors in the internet have the opinion, that there will be waves of warnings by lawyers in case of GDPR.
I don’t think so. Because also a lawyer which is specialized on warnings needs a legal-protection-cause. That means he needs a affected person, which gives him mandate. So if there is no accuser there will be no trail.
Interesting notice: Also a lawyer specialized on warnings is storing data in his data systems about a photographer in case of warning. That means according to GDPR that he also needs a permission of the photographer he is accusing. So in my opinion the amateur photographer could demand in reverse the deletion of his data from the lawyer!
The issue will remain interesting …