6

It has been established that identifiable photos of individuals are Personally identifiable information. They MAY even be Special Category Data. It seems to me that one's photo is the most personal and the most identifiable form of data available.

Many sites not only collect and process photos, they publicly distribute them. These range from major multinationals, through international academic organisations to small clubs. I am probably on all 3 of these, and have not knowingly given any consent for my face to be distributed around the world.

What is the legal situation with this? Is it just that this has not yet been challenged so is not proven illegal? Is there some exception for this sort of data? Is there something I am missing?

2 Answers

4

What many people miss in relation to GDPR is the other five lawful bases for processing - there's a lot of discussion about consent, but this is only one lawful basis of six.

The full list from Article 6:

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Arguable bases would include performance of a contract or public interest, though there's also room to argue whether legitimate interests of the controller are, or are not, overridden by the subject's fundamental rights and freedoms.

The short answer is it's not just about consent, and press and social media sites are likely to have covered themselves with their contract or with a public interest argument.

3

They're not necessarily legal

It may well be that many of the smaller sites don't actually have a legal right to use these photos. GDPR is a new law that's not yet widely enforced, especially in minor cases. Many active organizations did implement GDPR policies and obtained (for example) legal consent from their members regarding allowable use, however, many (especially smaller and less active organizations) did not.

While a news site or a search engine would have some basis for using these photos, a commercial organization (i.e. like the UK club/pub in one of your links) using photos in what's essentially advertising would not have anything other than consent as the legal basis of using these photos. Maybe they have asked the consent of all the people seen in their galleries - there's no way for others to know that. I've seen all kinds of organizations (e.g. a school publishing photos that include their students) now asking explicit consent according to GDPR to enable publishing these photos, naturally including the option to decline.

The enforcement is very loose

The main factor in this is the GDPR (non-)enforcement process by the appropriate local agencies. In essence, unless you have a really large scale or public visibility (e.g. Facebook), enforcement is based on addressing complaints by those whose rights were violated, and even then usually only if they've attempted to resolve this issue with the data controller and they didn't react accordingly. So for some academic organization or small club it's not causing really any problems unless (until!) one of the people in these pictures complains. Often, the result of such a complaint is the owner simply taking down all the photos from the site.

Ask them

There's a simple way to determine this experimentally - if you're in the EU, you may simply ask any organization who distributes photos with your face about their handling of your PII, and they're required to answer you under what lawful basis, in their opinion, they're doing this. It may well be that they'll answer "oooh, we actually can't, we'll take them down if you don't like them". It may also well be that if they haven't thought about GDPR (yet) that they'll be unable or unwilling to answer reasonably, in which case nothing will happen unless/until you involve the local regulatory agency.

4
  • So the answer is "Ask Google", but in a slightly different way to usual?
    – Dave
    Commented Feb 19, 2019 at 10:53
  • @Dave no, the point is that the exact answer will be different for different websites, but there's a specific legal process on finding out the proper answer for your particular situation. E.g. datarequests.org/blog/sample-letter-gdpr-access-request is a good description.
    – Peteris
    Commented Feb 19, 2019 at 12:20
  • Perhaps I am not clear. The 1st example I give of a website that is hosting images of people (probably including me) is google image search. A solution that you propose is to ask them under what basis they are distributing this information. This is asking google. I think your answer is great, I am clarifying what specific action you are advocating.
    – Dave
    Commented Feb 19, 2019 at 12:49
  • @Dave, ah, I was thinking about the sites found by google image search, where the images are originally hosted, as the question was about "most photos on the web" and "many sites". Search engines are a very peculiar GDPR case, that'd be a very specific question, separate from "normal" sites. For the second link - instead of Flickr, asking International Society for Computational Biology, who presumably is publishing these photos. For the third link, which is most illustrative of what I mean - if I showed up on their photo gallery, I should contact "Lola Lo Reading" directly with my concerns.
    – Peteris
    Commented Feb 19, 2019 at 14:43
